Bug #16646
closed
missing selinux label
Description
Problem¶
Rudder 6.0.2 master on Centos7 with SELinux enabled will not be able to send its own inventory.
E| error Inventory inventory Could not retrieve the UUID of the policy server. Please check that the defined Policy Server exists, and that this Node IP address is in the Allowed Networks of its policy server.
[root@cfgmgmtcamp-ruddermaster ~]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 403 Forbidden
definitive error message to identify this problem:¶
[Wed Jan 29 20:20:39.696083 2020] [core:error] [pid 15281] (13)Permission denied: [client 127.0.0.1:41182] AH00035: access to /uuid denied (filesystem path '/opt/rudder/etc/uuid.hive') because search permissions are missing on a component of the path
solution:
chcon -t httpd_sys_content_t /opt/rudder/etc/uuid.hive
¶
might be provoked by having separate filesystems/dev/mapper/vgdata-lvvarrudder 10G 155M 9.9G 2% /var/rudder
/dev/mapper/vgdata-lvvarpgsql 10G 77M 10G 1% /var/lib/pgsql
/dev/mapper/vgdata-lvoptrudder 5.0G 207M 4.8G 5% /opt/rudder
/dev/mapper/vgdata-lvvarlogrudder 10G 33M 10G 1% /var/log/rudder
/dev/mapper/vgdata-lvvarldap 10G 33M 10G 1% /var/rudder/ldap
Updated by Florian Heigl almost 5 years ago
also need these two:
chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/accepted-nodes-updates/
chcon -R -t httpd_sys_rw_content_t /var/rudder/inventories/incoming/
Updated by Alexis Mousset almost 5 years ago
What does semodule -l | grep -E "ncf|rudder" give on this server?
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 6.0.3 to 6.0.4
Updated by François ARMAND over 4 years ago
Testing on 6.0.3, I'm not able to reproduce in CentOS 7.6.1810. I don't think we chaged anything in SELinux between 6.0.2 and 6.0.3. What was the centos 7 verison ?
Or perhaps there was something that prevented postinst to run.
[root@server vagrant]# /opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --proxy '' --output "/var/rudder/cfengine-community/rudder-server-uuid.txt" https://127.0.0.1/uuid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5 100 5 0 0 185 0 --:--:-- --:--:-- --:--:-- 208
[root@server vagrant]#
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 6.0.4 to 6.0.5
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 6.0.5 to 6.0.6
- Priority changed from 80 to 78
Updated by Alexis Mousset over 4 years ago
We (= Nicolas CHARLES) saw a similar case solved by upgrading SELinux. It may be linked to packaging problems on SELinux side (the components installed as Rudder dependcy do not match other SELinux tools version).
If it happens again, please reopen