Project

General

Profile

Actions

Bug #16421

closed

On centos8, SELinux prevents cf-serverd to start and policy generation are red

Added by François ARMAND almost 5 years ago. Updated almost 5 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required:
Priority:
70
Name check:
To do
Fix check:
To do
Regression:

Description

Diagnostic:

After intall, policy generation (top right) is red. When clicking on details, you can see:

⇨  Exit code=1 for hook: '/opt/rudder/etc/hooks.d/policy-generation-finished/50-reload-policy-file-server'.
 stdout: 
 stderr: 'rudder-cf-serverd.service is not active, cannot reload.
'

If you try to start that service by hand (systemctl start rudder-cf-serverd.service), it fails and you can see in journald:

Dec 17 13:11:50 server setroubleshoot[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd. For complete SE>
Dec 17 13:11:51 server platform-python[21591]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file cf-serverd.

                                               *****  Plugin catchall (100. confidence) suggests   **************************

                                               If you believe that systemd should be allowed execute access on the cf-serverd file by default.
                                               Then you should report this as a bug.
                                               You can generate a local policy module to allow this access.
                                               Do
                                               allow this access for now by executing:
                                               # ausearch -c '(-serverd)' --raw | audit2allow -M my-serverd
                                               # semodule -X 300 -i my-serverd.pp

WORKAROUND:

Disable selinux: setenforce 0


Related issues 2 (0 open2 closed)

Related to Rudder - Bug #16459: Use binaries from /opt/rudder/bin in systemd servicesReleasedBenoît PECCATTEActions
Has duplicate Rudder - Bug #16440: First policy generation after install fails on 6.0 centos8RejectedVincent MEMBRÉActions
Actions

Also available in: Atom PDF