Project

General

Profile

Actions

Bug #18078

open

SELinux error for relayd search access on krb5 on centos 8

Added by François ARMAND over 4 years ago. Updated almost 3 years ago.

Status:
New
Priority:
N/A
Assignee:
-
Category:
Relay server or API
Target version:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
15
Name check:
To do
Fix check:
To do
Regression:

Description

Jul 31 06:05:44 server setroubleshoot[12830]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5. For complete SELinux messages run: sealert -l 07e5b566-8a9d-4635-965f-22c336cc3c99
Jul 31 06:05:44 server platform-python[12830]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5.
                                               *****  Plugin catchall (100. confidence) suggests   **************************
                                               If you believe that rudder-relayd should be allowed search access on the krb5 directory by default.
                                               Then you should report this as a bug.
                                               You can generate a local policy module to allow this access.
                                               Do
                                               allow this access for now by executing:
                                               # ausearch -c 'r2d2-worker-1' --raw | audit2allow -M my-r2d2worker1
                                               # semodule -X 300 -i my-r2d2worker1.pp

Files

journal-centos8.txt (283 KB) journal-centos8.txt François ARMAND, 2020-07-31 08:27

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #18070: Broken relay postinst due to missing shared-folderReleasedBenoît PECCATTEActions
Related to Rudder - Bug #17518: postgresl client in relayd tries to read krb confReleasedBenoît PECCATTEActions
Actions #1

Updated by François ARMAND over 4 years ago

  • Target version set to 6.1.2
Actions #2

Updated by Vincent MEMBRÉ about 4 years ago

  • Parent task deleted (#18070)
Actions #3

Updated by Vincent MEMBRÉ about 4 years ago

  • Related to Bug #18070: Broken relay postinst due to missing shared-folder added
Actions #4

Updated by Alexis Mousset almost 4 years ago

This one should have been fixed by #17518

Actions #5

Updated by Alexis Mousset almost 4 years ago

  • Related to Bug #17518: postgresl client in relayd tries to read krb conf added
Actions #6

Updated by Benoît PECCATTE almost 3 years ago

  • Category set to Relay server or API
Actions #7

Updated by Alexis Mousset almost 3 years ago

Reproducible on root server on CentOS8 with 7.0:

type=AVC msg=audit(1643129873.676:3886): avc:  denied  { search } for  pid=20078 comm="r2d2-worker-2" name="krb5" dev="dm-0" ino=101155011 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Actions #8

Updated by Alexis Mousset almost 3 years ago

  • Severity set to Trivial - no functional impact | cosmetic
  • User visibility set to Infrequent - complex configurations | third party integrations
  • Priority changed from 0 to 15
Actions

Also available in: Atom PDF