Actions
Bug #16421
closedOn centos8, SELinux prevents cf-serverd to start and policy generation are red
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required:
Priority:
70
Name check:
To do
Fix check:
To do
Regression:
Description
Diagnostic:
After intall, policy generation (top right) is red. When clicking on details, you can see:
⇨ Exit code=1 for hook: '/opt/rudder/etc/hooks.d/policy-generation-finished/50-reload-policy-file-server'. stdout: stderr: 'rudder-cf-serverd.service is not active, cannot reload. '
If you try to start that service by hand (systemctl start rudder-cf-serverd.service
), it fails and you can see in journald
:
Dec 17 13:11:50 server setroubleshoot[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd. For complete SE> Dec 17 13:11:51 server platform-python[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed execute access on the cf-serverd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(-serverd)' --raw | audit2allow -M my-serverd # semodule -X 300 -i my-serverd.pp
WORKAROUND:
Disable selinux: setenforce 0
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 6.0.1 to 6.0.2
Updated by Nicolas CHARLES almost 5 years ago
- Has duplicate Bug #16440: First policy generation after install fails on 6.0 centos8 added
Updated by Alexis Mousset almost 5 years ago
- Subject changed from On centos0, SELinux prevents cf-serverd to start and policy generation are red to On centos8, SELinux prevents cf-serverd to start and policy generation are red
- Status changed from New to Rejected
Updated by Alexis Mousset almost 5 years ago
- Related to Bug #16459: Use binaries from /opt/rudder/bin in systemd services added
Actions