Bug #16393
closed
Technique are lost when a new one is created because of selinux (centos 7 and 8)
Added by Félix DALLIDET almost 5 years ago.
Updated almost 5 years ago.
Category:
Web - Technique editor
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
First impressions of Rudder
Description
In 6.0, if I create a technique via the technique editor, save it, quit and then reload the technique editor, all my techniques will be gone.
And I will not be able to modify them, except the latest created one.
This prevents Rudder from being used for almost anything.
Also, starting from 6.0 I cannot find any files from techniques generated by the technique editor under /var/rudder/configuration-repository/ncf/50_techniques but only in /var/rudder/configuration-repository/techniques/ncf_techniques; is this normal?
I lost my techniques while upgrading from 5.0.15 to 6.0 nightly
I have a commit
commit 086b16824f12e41943aee0c874a7309562635c2f
Author: root user (CLI) <root@localhost>
Date: Thu Dec 12 10:22:18 2019 +0000
Commit ncf Technique "technique" in Rudder
at upgrade time, which created /var/rudder/configuration-repository/ncf/50_techniques/technique/technique.cf (no version)
when creating a new technique, and coming back, I get the error
An Error occured! Could not parse Technique 'technique'
Details:
caused by : An error occured while parsing technique '/var/rudder/configuration-repository/techniques/ncf_techniques/sdfsqdf/1.0/technique.cf'
caused by : No JSON object could be decoded
file contains
# @name sdfsqdf
# @description sqfsf
# @version 1.0
bundle agent sdfsqdf
{
  vars:
    "resources_dir" string => "${this.promise_dirname}/resources";
  methods:
    "Command execution_${report_data.directive_id}_0" usebundle => _method_reporting_context("Command execution", "/bin/true"),
                                                      if => concat("any");
    "Command execution_${report_data.directive_id}_0" usebundle => command_execution("/bin/true"),
                                                      if => concat("any");
}
I have the following error in the log, preventing cf-promises from running
Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common) Unable to set ownership on '/var/lib/ncf-api-venv/.cfagent' to '995.48'. (chown: Permission denied)
Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common) Unable to open database lock file '/var/lib/ncf-api-venv/.cfagent/state/cf_state.lmdb.lock'. (flock: Permission denied)
but perms look correct
# ls -alh /var/lib/ncf-api-venv
total 4.0K
drwxr-xr-x. 3 ncf-api-venv ncf-api-venv 22 Dec 12 00:38 .
drwxr-xr-x. 33 root root 4.0K Dec 12 10:23 ..
drwxr-xr-x. 11 ncf-api-venv ncf-api-venv 146 Dec 12 10:22 .cfagent
setenforce 0 solves the issue
audit log says
type=AVC msg=audit(1576155634.673:2108): avc: denied { setattr } for pid=25236 comm="cf-promises" name=".cfagent" dev="dm-0" ino=101464345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1576155634.673:2108): arch=c000003e syscall=92 success=no exit=-13 a0=5641a81f0ec0 a1=3e3 a2=30 a3=5641a914254c items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2108): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
type=AVC msg=audit(1576155634.673:2109): avc: denied { write } for pid=25236 comm="cf-promises" name="cf_state.lmdb.lock" dev="dm-0" ino=68446766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576155634.673:2109): arch=c000003e syscall=2 success=no exit=-13 a0=5641a9169370 a1=42 a2=1b6 a3=732f746e65676166 items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2109): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
type=AVC msg=audit(1576155634.673:2110): avc: denied { setattr } for pid=25236 comm="cf-promises" name="randseed" dev="dm-0" ino=101464370 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576155634.673:2110): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc69b0a450 a1=180 a2=7ffc69b0a477 a3=ffffffff items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2110): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
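The audit records from this ticket, rejoined and run through a small analyzer. This is an added example, not part of the ticket or of Rudder's code: it groups the AVC/SYSCALL/PROCTITLE records by event serial, decodes the hex-encoded proctitle back into the command line (which shows the ncf API, running in the httpd_t domain, invoking cf-promises -pjson on the newly created technique file, so the "No JSON object could be decoded" error is cf-promises producing no output after the denial), and derives the allow rules that audit2allow would generate from the same input. The syscall-number table is the x86_64 subset for the three numbers that appear here; everything else in the data is copied from the ticket.

```python
import re
from collections import OrderedDict

# The ticket's own proctitle hex (identical in all three events), kept once.
PROCTITLE_HEX = (
    "2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F72756464"
    "65722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E"
    "69717565732F736466737164662F312E302F746563686E697175652E6366"
)

# The three denied events from the ticket (wrapped lines rejoined; not constructed).
AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1576155634.673:2108): avc: denied { setattr } for pid=25236 comm="cf-promises" name=".cfagent" dev="dm-0" ino=101464345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1576155634.673:2108): arch=c000003e syscall=92 success=no exit=-13 a0=5641a81f0ec0 a1=3e3 a2=30 a3=5641a914254c items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)',
    "type=PROCTITLE msg=audit(1576155634.673:2108): proctitle=" + PROCTITLE_HEX,
    'type=AVC msg=audit(1576155634.673:2109): avc: denied { write } for pid=25236 comm="cf-promises" name="cf_state.lmdb.lock" dev="dm-0" ino=68446766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1576155634.673:2109): arch=c000003e syscall=2 success=no exit=-13 a0=5641a9169370 a1=42 a2=1b6 a3=732f746e65676166 items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)',
    "type=PROCTITLE msg=audit(1576155634.673:2109): proctitle=" + PROCTITLE_HEX,
    'type=AVC msg=audit(1576155634.673:2110): avc: denied { setattr } for pid=25236 comm="cf-promises" name="randseed" dev="dm-0" ino=101464370 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1576155634.673:2110): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc69b0a450 a1=180 a2=7ffc69b0a477 a3=ffffffff items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)',
    "type=PROCTITLE msg=audit(1576155634.673:2110): proctitle=" + PROCTITLE_HEX,
])

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

# x86_64 syscall numbers for the calls seen in the ticket (subset of the kernel table).
SYSCALL_NAMES = {2: "open", 90: "chmod", 92: "chown"}


def parse_fields(line):
    """key=value pairs of one audit record, with quotes stripped from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def selinux_type(context):
    """user:role:type:level -> type (the part a policy rule is written against)."""
    return context.split(":")[2]


def decode_proctitle(hexstr):
    """PROCTITLE is the NUL-separated argv, hex-encoded; turn it back into a list."""
    return bytes.fromhex(hexstr).rstrip(b"\0").decode("utf-8", "replace").split("\0")


def summarize(log_text):
    """Join the AVC, SYSCALL and PROCTITLE records that share an event serial."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group("serial"), {"serial": m.group("serial")})
        f = parse_fields(line)
        if f["type"] == "AVC":
            ev["perms"] = PERM_RE.search(line).group(1).split()
            ev["comm"] = f["comm"]
            ev["name"] = f.get("name")
            ev["tclass"] = f["tclass"]
            ev["scontext_type"] = selinux_type(f["scontext"])
            ev["tcontext_type"] = selinux_type(f["tcontext"])
            ev["enforced"] = f.get("permissive") == "0"  # permissive=0: really blocked
        elif f["type"] == "SYSCALL":
            num = int(f["syscall"])
            ev["syscall"] = SYSCALL_NAMES.get(num, str(num))
            ev["uid"] = int(f["uid"])
            ev["exe"] = f["exe"]
            ev["errno"] = int(f["exit"])  # -13 is EACCES, what cf-promises reported
        elif f["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(f["proctitle"])
    return list(events.values())


def explain(ev):
    """One readable line per denial: who, in which domain, on what, during which call."""
    return (f"{ev['comm']} (uid {ev['uid']}, domain {ev['scontext_type']}) was denied "
            f"{' '.join(ev['perms'])} on {ev['tclass']} '{ev['name']}' labelled "
            f"{ev['tcontext_type']} during {ev['syscall']}(); command: {' '.join(ev['argv'])}")


def te_rules(events):
    """The allow rules audit2allow would derive, merged per source/target/class."""
    merged = OrderedDict()
    for ev in events:
        key = (ev["scontext_type"], ev["tcontext_type"], ev["tclass"])
        merged.setdefault(key, set()).update(ev["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()]


if __name__ == "__main__":
    evs = summarize(AUDIT_LOG)
    for ev in evs:
        print(explain(ev))
    print("\n".join(te_rules(evs)))
```

The derived rules are the blunt form of a fix: they let the web server domain write to var_lib_t, which is the label of most of /var/lib, not just /var/lib/ncf-api-venv. The narrower option is to give that directory a type httpd_t may already write to, or a dedicated one, so that the denial disappears without widening what the web application can touch; the pull request linked on this ticket is where the project's actual policy change lives.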
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2167
- Status changed from Pending technical review to Pending release
- Subject changed from Techniques via technique editor are then lost to Technique are lost during migration or when a new one is created
- Fix check changed from To do to Error - Blocking
- Subject changed from Technique are lost during migration or when a new one is created to Technique are lost when a new one is created because of selinux (centos 7 and 8)
- Fix check changed from Error - Blocking to Error - Fixed
Actually, I think there is a problem on migration different from SELinux. Given the big number of problems with migration, I will open another ticket for that part. The selinux for centos7 is corrected.
This bug has been fixed in Rudder 6.0.1 which was released today.
- Related to Bug #16445: Technique are lost during migration on centos 7 added
- Status changed from Pending release to Released