Project

General

Profile

Actions
Copy link

Bug #16421

closed

On centos8, SELinux prevents cf-serverd to start and policy generation are red

Added by François ARMAND almost 5 years ago. Updated almost 5 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
6.0.2
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required:
Priority:
70
Name check:
To do
Fix check:
To do
Regression:

Description

Diagnostic:

After intall, policy generation (top right) is red. When clicking on details, you can see:

⇨  Exit code=1 for hook: '/opt/rudder/etc/hooks.d/policy-generation-finished/50-reload-policy-file-server'.
 stdout: 
 stderr: 'rudder-cf-serverd.service is not active, cannot reload.
'

If you try to start that service by hand (systemctl start rudder-cf-serverd.service), it fails and you can see in journald:

Dec 17 13:11:50 server setroubleshoot[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd. For complete SE>
Dec 17 13:11:51 server platform-python[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd.

                                               *****  Plugin catchall (100. confidence) suggests   **************************

                                               If you believe that systemd should be allowed execute access on the cf-serverd file by default.
                                               Then you should report this as a bug.
                                               You can generate a local policy module to allow this access.
                                               Do
                                               allow this access for now by executing:
                                               # ausearch -c '(-serverd)' --raw | audit2allow -M my-serverd
                                               # semodule -X 300 -i my-serverd.pp

WORKAROUND:

Disable selinux: setenforce 0

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #16459: Use binaries from /opt/rudder/bin in systemd servicesReleasedBenoît PECCATTEActions
Has duplicate Rudder - Bug #16440: First policy generation after install fails on 6.0 centos8RejectedVincent MEMBRÉActions
Actions
Copy link
 #1

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 6.0.1 to 6.0.2
Actions
Copy link
 #2

Updated by Nicolas CHARLES almost 5 years ago

  • Has duplicate Bug #16440: First policy generation after install fails on 6.0 centos8 added
Actions
Copy link
 #3

Updated by Alexis Mousset almost 5 years ago

  • Subject changed from On centos0, SELinux prevents cf-serverd to start and policy generation are red to On centos8, SELinux prevents cf-serverd to start and policy generation are red
  • Status changed from New to Rejected
Actions
Copy link
 #4

Updated by Alexis Mousset almost 5 years ago

  • Related to Bug #16459: Use binaries from /opt/rudder/bin in systemd services added
Actions
Copy link

Also available in: Atom PDF