Project

General

Profile

Actions

Bug #16646

closed

missing selinux label

Added by Florian Heigl almost 5 years ago. Updated over 4 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Packaging
Target version:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Priority:
78
Name check:
To do
Fix check:
To do
Regression:

Description

Problem

Rudder 6.0.2 master on Centos7 with SELinux enabled will not be able to send its own inventory.

E| error Inventory inventory Could not retrieve the UUID of the policy server. Please check that the defined Policy Server exists, and that this Node IP address is in the Allowed Networks of its policy server.

[root@cfgmgmtcamp-ruddermaster ~]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 403 Forbidden

definitive error message to identify this problem:

[Wed Jan 29 20:20:39.696083 2020] [core:error] [pid 15281] (13)Permission denied: [client 127.0.0.1:41182] AH00035: access to /uuid denied (filesystem path '/opt/rudder/etc/uuid.hive') because search permissions are missing on a component of the path

solution:
chcon -t httpd_sys_content_t /opt/rudder/etc/uuid.hive

might be provoked by having separate filesystems
/dev/mapper/vgdata-lvvarrudder 10G 155M 9.9G 2% /var/rudder
/dev/mapper/vgdata-lvvarpgsql 10G 77M 10G 1% /var/lib/pgsql
/dev/mapper/vgdata-lvoptrudder 5.0G 207M 4.8G 5% /opt/rudder
/dev/mapper/vgdata-lvvarlogrudder 10G 33M 10G 1% /var/log/rudder
/dev/mapper/vgdata-lvvarldap 10G 33M 10G 1% /var/rudder/ldap

Actions #1

Updated by Florian Heigl almost 5 years ago

also need these two:

chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/accepted-nodes-updates/
chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/incoming/

Actions #2

Updated by Alexis Mousset almost 5 years ago

What does semodule -l | grep -E "ncf|rudder" give on this server?

Actions #3

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 6.0.3 to 6.0.4
Actions #4

Updated by François ARMAND over 4 years ago

Testing on 6.0.3, I'm not able to reproduce in CentOS 7.6.1810. I don't think we chaged anything in SELinux between 6.0.2 and 6.0.3. What was the centos 7 verison ?

Or perhaps there was something that prevented postinst to run.

[root@server vagrant]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     5  100     5    0     0    185      0 --:--:-- --:--:-- --:--:--   208
[root@server vagrant]#
Actions #5

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.4 to 6.0.5
Actions #6

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.5 to 6.0.6
  • Priority changed from 80 to 78
Actions #7

Updated by Alexis Mousset over 4 years ago

We (= Nicolas CHARLES) saw a similar case solved by upgrading SELinux. It may be linked to packaging problems on SELinux side (the components installed as Rudder dependcy do not match other SELinux tools version).

If it happens again, please reopen

Actions #8

Updated by Alexis Mousset over 4 years ago

  • Status changed from New to Rejected
Actions

Also available in: Atom PDF