Project

General

Profile

Bug #16646

missing selinux label

Added by Florian Heigl 7 months ago. Updated 4 months ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Packaging
Target version:
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
User visibility:
First impressions of Rudder
Effort required:
Priority:
78
Tags:

Description

Problem

Rudder 6.0.2 master on Centos7 with SELinux enabled will not be able to send its own inventory.

E| error Inventory inventory Could not retrieve the UUID of the policy server. Please check that the defined Policy Server exists, and that this Node IP address is in the Allowed Networks of its policy server.

[root@cfgmgmtcamp-ruddermaster ~]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 403 Forbidden

definitive error message to identify this problem:

[Wed Jan 29 20:20:39.696083 2020] [core:error] [pid 15281] (13)Permission denied: [client 127.0.0.1:41182] AH00035: access to /uuid denied (filesystem path '/opt/rudder/etc/uuid.hive') because search permissions are missing on a component of the path

solution:
chcon -t httpd_sys_content_t /opt/rudder/etc/uuid.hive

might be provoked by having separate filesystems
/dev/mapper/vgdata-lvvarrudder 10G 155M 9.9G 2% /var/rudder
/dev/mapper/vgdata-lvvarpgsql 10G 77M 10G 1% /var/lib/pgsql
/dev/mapper/vgdata-lvoptrudder 5.0G 207M 4.8G 5% /opt/rudder
/dev/mapper/vgdata-lvvarlogrudder 10G 33M 10G 1% /var/log/rudder
/dev/mapper/vgdata-lvvarldap 10G 33M 10G 1% /var/rudder/ldap

#1

Updated by Florian Heigl 7 months ago

also need these two:

chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/accepted-nodes-updates/
chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/incoming/

#2

Updated by Alexis MOUSSET 7 months ago

What does semodule -l | grep -E "ncf|rudder" give on this server?

#3

Updated by Vincent MEMBRÉ 6 months ago

  • Target version changed from 6.0.3 to 6.0.4
#4

Updated by François ARMAND 6 months ago

Testing on 6.0.3, I'm not able to reproduce in CentOS 7.6.1810. I don't think we chaged anything in SELinux between 6.0.2 and 6.0.3. What was the centos 7 verison ?

Or perhaps there was something that prevented postinst to run.

[root@server vagrant]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     5  100     5    0     0    185      0 --:--:-- --:--:-- --:--:--   208
[root@server vagrant]#
#5

Updated by Vincent MEMBRÉ 6 months ago

  • Target version changed from 6.0.4 to 6.0.5
#6

Updated by Vincent MEMBRÉ 4 months ago

  • Target version changed from 6.0.5 to 6.0.6
  • Priority changed from 80 to 78
#7

Updated by Alexis MOUSSET 4 months ago

We (= Nicolas CHARLES) saw a similar case solved by upgrading SELinux. It may be linked to packaging problems on SELinux side (the components installed as Rudder dependcy do not match other SELinux tools version).

If it happens again, please reopen

#8

Updated by Alexis MOUSSET 4 months ago

  • Status changed from New to Rejected

Also available in: Atom PDF