Project

General

Profile

Actions
Copy link

Bug #16646

closed

missing selinux label

Added by Florian Heigl about 4 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Packaging
Target version:
6.0.6
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Priority:
78
Name check:
To do
Fix check:
To do
Regression:

Description

Problem

Rudder 6.0.2 master on Centos7 with SELinux enabled will not be able to send its own inventory.

E| error Inventory inventory Could not retrieve the UUID of the policy server. Please check that the defined Policy Server exists, and that this Node IP address is in the Allowed Networks of its policy server.

[root@cfgmgmtcamp-ruddermaster ~]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 403 Forbidden

definitive error message to identify this problem:

[Wed Jan 29 20:20:39.696083 2020] [core:error] [pid 15281] (13)Permission denied: [client 127.0.0.1:41182] AH00035: access to /uuid denied (filesystem path '/opt/rudder/etc/uuid.hive') because search permissions are missing on a component of the path

solution:
chcon -t httpd_sys_content_t /opt/rudder/etc/uuid.hive

might be provoked by having separate filesystems
/dev/mapper/vgdata-lvvarrudder 10G 155M 9.9G 2% /var/rudder
/dev/mapper/vgdata-lvvarpgsql 10G 77M 10G 1% /var/lib/pgsql
/dev/mapper/vgdata-lvoptrudder 5.0G 207M 4.8G 5% /opt/rudder
/dev/mapper/vgdata-lvvarlogrudder 10G 33M 10G 1% /var/log/rudder
/dev/mapper/vgdata-lvvarldap 10G 33M 10G 1% /var/rudder/ldap

Actions
Copy link
 #1

Updated by Florian Heigl about 4 years ago

also need these two:

chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/accepted-nodes-updates/
chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/incoming/

Actions
Copy link
 #2

Updated by Alexis Mousset about 4 years ago

What does semodule -l | grep -E "ncf|rudder" give on this server?

Actions
Copy link
 #3

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 6.0.3 to 6.0.4
Actions
Copy link
 #4

Updated by François ARMAND about 4 years ago

Testing on 6.0.3, I'm not able to reproduce in CentOS 7.6.1810. I don't think we chaged anything in SELinux between 6.0.2 and 6.0.3. What was the centos 7 verison ?

Or perhaps there was something that prevented postinst to run.

[root@server vagrant]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     5  100     5    0     0    185      0 --:--:-- --:--:-- --:--:--   208
[root@server vagrant]#
Actions
Copy link
 #5

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 6.0.4 to 6.0.5
Actions
Copy link
 #6

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 6.0.5 to 6.0.6
  • Priority changed from 80 to 78
Actions
Copy link
 #7

Updated by Alexis Mousset almost 4 years ago

We (= Nicolas CHARLES) saw a similar case solved by upgrading SELinux. It may be linked to packaging problems on SELinux side (the components installed as Rudder dependcy do not match other SELinux tools version).

If it happens again, please reopen

Actions
Copy link
 #8

Updated by Alexis Mousset almost 4 years ago

  • Status changed from New to Rejected
Actions
Copy link

Also available in: Atom PDF