Bug #20035
closed
SELinux error when upgrading from 6.2 to 7.0 on centos8
Priority: 0
Name check: To do
Fix check: To do
Description
Transaction Summary
===================================================================================================================
Install 1 Package
Upgrade 5 Packages

Total download size: 173 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): rudder-server-root-7.0.0.beta2.git202110010224-1.EL.8.noarch.rpm 108 kB/s | 10 kB 00:00
(2/6): rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm 154 kB/s | 16 kB 00:00
(3/6): rudder-reports-7.0.0.beta2.git202110010224-1.EL.8.noarch.rpm 148 kB/s | 15 kB 00:00
(4/6): rudder-agent-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm 12 MB/s | 5.6 MB 00:00
(5/6): rudder-server-relay-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm 8.0 MB/s | 4.7 MB 00:00
(6/6): rudder-webapp-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm 15 MB/s | 163 MB 00:10
-------------------------------------------------------------------------------------------------------------------
Total 16 MB/s | 173 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/1
Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 1/1
Preparing : 1/1
Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/1
Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/11
Upgrading : rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/11
warning: /etc/cron.d/rudder-agent saved as /etc/cron.d/rudder-agent.rpmsave
Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/11
Upgrading : rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 2/11
Running scriptlet: rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 2/11
Upgrading : rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 3/11
warning: /opt/rudder/etc/relayd/main.conf created as /opt/rudder/etc/relayd/main.conf.rpmnew
Running scriptlet: rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 3/11
mv: cannot move '/opt/rudder/etc/ssl/rudder.crt' to '/var/backups/rudder//rudder-20211001.crt': No such file or directory
warning: %post(rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64) scriptlet failed, exit status 1
Error in POSTIN scriptlet in rpm package rudder-server-relay
Installing : rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64 4/11
Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 5/11
Upgrading : rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 5/11
warning: /opt/rudder/etc/rudder-web.properties created as /opt/rudder/etc/rudder-web.properties.rpmnew
Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 5/11
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
**************************************************************************************
ERROR: rudder-webapp postinstall script failed !
Trying to recover the problem, you should check that your instance is properly working
You should also try to manually execute: /opt/rudder/bin/rudder-upgrade
Such errors should not happen, please open an issue for this problem on https://issues.rudder.io/projects/rudder/issues/new
**************************************************************************************
Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 6/11
Upgrading : rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 6/11
Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 6/11
Cleanup : rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 7/11
Running scriptlet: rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 7/11
Running scriptlet: rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 8/11
Cleanup : rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 8/11
Running scriptlet: rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 8/11
Running scriptlet: rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 9/11
Cleanup : rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 9/11
Running scriptlet: rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 9/11
Running scriptlet: rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 10/11
INFO: A back up copy of the /opt/rudder/etc/uuid.hive has been created in /var/backups/rudder
INFO: A back up copy of the /var/rudder/cfengine-community/policy_server.dat has been created in /var/backups/rudder
INFO: A back up copy of the /var/rudder/cfengine-community/ppkeys has been created in /var/backups/rudder
INFO: A back up copy of the /opt/rudder/etc/ssl/agent.cert has been created in /var/backups/rudder
Cleanup : rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 10/11
Running scriptlet: rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 10/11
Cleanup : rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 11/11
Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 11/11
Job for rudder-jetty.service failed because the control process exited with error code.
See "systemctl status rudder-jetty.service" and "journalctl -xe" for details.
warning: %posttrans(rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64) scriptlet failed, exit status 1
Error in POSTTRANS scriptlet in rpm package rudder-webapp
Running scriptlet: rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 11/11
Verifying : rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64 1/11
Verifying : rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 2/11
Verifying : rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 3/11
Verifying : rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch 4/11
Verifying : rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch 5/11
Verifying : rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 6/11
Verifying : rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 7/11
Verifying : rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 8/11
Verifying : rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 9/11
Verifying : rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64 10/11
Verifying : rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64 11/11

Upgraded:
rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64
rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch
rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64
rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch
rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64
Installed:
rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64

Complete!
[root@server vagrant]#
Updated by Nicolas CHARLES about 3 years ago
/var/log/rudder/install has 0 logs about this error
Updated by Nicolas CHARLES about 3 years ago
I have the following messages in journalctl:
Oct 01 14:09:47 server /SetroubleshootPrivileged.py[22075]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/rudder-relay
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5. For complete SELinux messages run: sealert -l 07df21af-5cb8-404c-a135-3069eb5b56c9
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rudder-relayd should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
lines 3965-3999/6906 49%
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'r2d2-worker-0' --raw | audit2allow -M my-r2d2worker0
# semodule -X 300 -i my-r2d2worker0.pp

Oct 01 14:10:14 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 01 14:10:14 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 01 14:10:14 server systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 14:10:14 server dbus-daemon[817]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.137' (uid=0 pid=787 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using serv>
Oct 01 14:10:15 server dbus-daemon[817]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 01 14:10:16 server setroubleshoot[23222]: AnalyzeThread.run(): Cancel pending alarm
Oct 01 14:10:16 server dbus-daemon[817]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.304' (uid=995 pid=23222 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="s>
Oct 01 14:10:16 server dbus-daemon[817]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 01 14:10:20 server setroubleshoot[23222]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/rudder/cfengine-community/ppkeys/localhost.priv. For complete SELinux messages run: sealert -l 2b83dff3-b>
Oct 01 14:10:20 server setroubleshoot[23222]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/rudder/cfengine-community/ppkeys/localhost.priv.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow httpd to have getattr access on the localhost.priv file
Then you need to change the label on /var/rudder/cfengine-community/ppkeys/localhost.priv
Do
# semanage fcontext -a -t FILE_TYPE '/var/rudder/cfengine-community/ppkeys/localhost.priv'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t>
Then execute:
restorecon -v '/var/rudder/cfengine-community/ppkeys/localhost.priv'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that httpd should be allowed getattr access on the localhost.priv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Oct 01 14:11:04 server httpd[24659]: AH00526: Syntax error on line 24 of /etc/httpd/conf.d/rudder.conf:
Oct 01 14:11:04 server httpd[24659]: SSLCertificateKeyFile: file '/var/rudder/cfengine-community/ppkeys/localhost.priv' does not exist or is empty
Oct 01 14:11:04 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 01 14:11:04 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 01 14:11:04 server systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 14:11:04 server cf-agent[24071]: CFEngine(agent) rudder Finished command related to promiser '/bin/systemctl --no-ask-password start httpd.service' -- an error occurred, returned 1
Oct 01 14:11:04 server cf-agent[24071]: CFEngine(agent) rudder Completed execution of '/bin/systemctl --no-ask-password start httpd.service'
Oct 01 14:25:53 server setroubleshoot[29693]: SELinux is preventing /usr/sbin/httpd from getattr access on the fil>
Oct 01 14:25:53 server setroubleshoot[29693]: SELinux is preventing /usr/sbin/httpd from getattr access on the fil>

***** Plugin catchall_labels (83.8 confidence) suggests *********>
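One way to triage a journal excerpt like the one in the comment above, as an added example that is not part of the original ticket: it collapses repeated setroubleshoot messages into one line per process, access, class and target, so each distinct denial can be reviewed on its own. The names `selinux_denials` and `sample_journal` are made up for the example, and the sample lines are constructed from the excerpt with the sealert ids dropped.

```shell
# Added example: group setroubleshoot denials found in journal text.
# Reads journal lines on stdin, prints "COUNT SOURCE ACCESS CLASS TARGET",
# most frequent first.
selinux_denials() {
    # Lines cut short by the pager (ending in ">") have no complete target
    # and do not match, so they are skipped rather than guessed at.
    sed -n -E 's/.*SELinux is preventing ([^ ]+) from ([^ ]+) access on the ([^ ]+) ([^ ]+)\.( .*)?$/\1 \2 \3 \4/p' |
        awk '{ n[$0]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# Constructed sample input, based on the journal lines quoted in the ticket.
sample_journal() {
    cat <<'EOF'
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5. For complete SELinux messages run: sealert -l <id>
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5.
Oct 01 14:10:14 server systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 14:10:20 server setroubleshoot[23222]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/rudder/cfengine-community/ppkeys/localhost.priv.
Oct 01 14:25:53 server setroubleshoot[29693]: SELinux is preventing /usr/sbin/httpd from getattr access on the fil>
EOF
}

sample_journal | selinux_denials
```

On a live host the same function can be fed with `journalctl -t setroubleshoot --no-pager`, which avoids the pager truncation seen in the excerpt.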
Updated by François ARMAND about 3 years ago
- Subject changed from error when upgrading from 6.2 to 7.0 on centos8 to selinux error when upgrading from 6.2 to 7.0 on centos8
Updated by Alexis Mousset about 3 years ago
- Subject changed from selinux error when upgrading from 6.2 to 7.0 on centos8 to SELinux error when upgrading from 6.2 to 7.0 on centos8
- Assignee set to Alexis Mousset
Updated by Nicolas CHARLES about 3 years ago
At least one of the issues is that /var/backups/rudder doesn't exist yet - it's created at 14:10:38, but upgrade is at 14:09:59
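The ordering problem described in this comment, as an added example that is not the Rudder scriptlet and not the fix from the linked pull request: a backup helper that creates its destination directory before moving the file, so it does not depend on another package having created it first. The function name `backup_file` is hypothetical; the default directory and the `name-YYYYMMDD.ext` pattern mirror the `mv` error in the upgrade transcript.

```shell
# Added example: move a file into a backup directory that may not exist yet.
# Usage: backup_file SOURCE [BACKUP_DIR]; prints the backup path on success.
backup_file() {
    bf_src=$1
    bf_dir=${2:-/var/backups/rudder}

    # A missing source is not an error: there is nothing to save.
    [ -e "$bf_src" ] || return 0

    # Create the destination before moving. Mode 0700 because certificates
    # and keys end up in this directory.
    mkdir -p "$bf_dir" || return 1
    chmod 700 "$bf_dir" || return 1

    bf_base=$(basename "$bf_src")
    bf_stamp=$(date +%Y%m%d)
    case $bf_base in
        ?*.*) bf_dest="$bf_dir/${bf_base%.*}-$bf_stamp.${bf_base##*.}" ;;
        *)    bf_dest="$bf_dir/$bf_base-$bf_stamp" ;;
    esac

    # Do not overwrite a backup taken earlier the same day.
    bf_n=1
    bf_try=$bf_dest
    while [ -e "$bf_try" ]; do
        bf_try="$bf_dest.$bf_n"
        bf_n=$((bf_n + 1))
    done

    mv "$bf_src" "$bf_try" || return 1
    printf '%s\n' "$bf_try"
}

# Example call, as a scriptlet would make it:
#   backup_file /opt/rudder/etc/ssl/rudder.crt
```

On an SELinux host a file moved within one filesystem keeps the label it had at the source, so `restorecon` on the backup path is the usual follow-up if the backup needs the directory's default context.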
Updated by Nicolas CHARLES about 3 years ago
- Status changed from New to In progress
- Assignee changed from Alexis Mousset to Nicolas CHARLES
Updated by Nicolas CHARLES about 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/3909
Updated by Nicolas CHARLES about 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|fb9952064ede8149fc64528d6797dc2235f4e808.
Updated by Vincent MEMBRÉ about 3 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.0.0~beta2 which was released today.