Project

General

Profile

Actions

Bug #20035

closed

SELinux error when upgrading from 6.2 to 7.0 on centos8

Added by Nicolas CHARLES about 3 years ago. Updated about 3 years ago.

Status:
Released
Priority:
N/A
Category:
Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:

Description

Transaction Summary
===================================================================================================================
Install  1 Package
Upgrade  5 Packages

Total download size: 173 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): rudder-server-root-7.0.0.beta2.git202110010224-1.EL.8.noarch.rpm            108 kB/s |  10 kB     00:00    
(2/6): rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm             154 kB/s |  16 kB     00:00    
(3/6): rudder-reports-7.0.0.beta2.git202110010224-1.EL.8.noarch.rpm                148 kB/s |  15 kB     00:00    
(4/6): rudder-agent-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm                   12 MB/s | 5.6 MB     00:00    
(5/6): rudder-server-relay-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm           8.0 MB/s | 4.7 MB     00:00    
(6/6): rudder-webapp-7.0.0.beta2.git202110010224-1.EL.8.x86_64.rpm                  15 MB/s | 163 MB     00:10    
-------------------------------------------------------------------------------------------------------------------
Total                                                                               16 MB/s | 173 MB     00:10     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                        1/1 
  Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                   1/1 
  Preparing        :                                                                                           1/1 
  Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                         1/1 
  Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                        1/11 
  Upgrading        : rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                        1/11 
warning: /etc/cron.d/rudder-agent saved as /etc/cron.d/rudder-agent.rpmsave

  Running scriptlet: rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                        1/11 
  Upgrading        : rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                      2/11 
  Running scriptlet: rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                      2/11 
  Upgrading        : rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                 3/11 
warning: /opt/rudder/etc/relayd/main.conf created as /opt/rudder/etc/relayd/main.conf.rpmnew

  Running scriptlet: rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                 3/11 
mv: cannot move '/opt/rudder/etc/ssl/rudder.crt' to '/var/backups/rudder//rudder-20211001.crt': No such file or directory
warning: %post(rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64) scriptlet failed, exit status 1

Error in POSTIN scriptlet in rpm package rudder-server-relay
  Installing       : rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64                              4/11 
  Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                       5/11 
  Upgrading        : rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                       5/11 
warning: /opt/rudder/etc/rudder-web.properties created as /opt/rudder/etc/rudder-web.properties.rpmnew

  Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                       5/11 
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
**************************************************************************************
ERROR: rudder-webapp postinstall script failed !

Trying to recover the problem, you should check that your instance is properly working

You should also try to manually execute: /opt/rudder/bin/rudder-upgrade

   Such errors should not happen, please open an issue for this problem on 
            https://issues.rudder.io/projects/rudder/issues/new
**************************************************************************************

  Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                  6/11 
  Upgrading        : rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                  6/11 
  Running scriptlet: rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                  6/11 
  Cleanup          : rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                   7/11 
  Running scriptlet: rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                   7/11 
  Running scriptlet: rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        8/11 
  Cleanup          : rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        8/11 
  Running scriptlet: rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        8/11 
  Running scriptlet: rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                  9/11 
  Cleanup          : rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                  9/11 
  Running scriptlet: rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                  9/11 
  Running scriptlet: rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        10/11 
INFO: A back up copy of the /opt/rudder/etc/uuid.hive has been created in /var/backups/rudder
INFO: A back up copy of the /var/rudder/cfengine-community/policy_server.dat has been created in /var/backups/rudder
INFO: A back up copy of the /var/rudder/cfengine-community/ppkeys has been created in /var/backups/rudder
INFO: A back up copy of the /opt/rudder/etc/ssl/agent.cert has been created in /var/backups/rudder

  Cleanup          : rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        10/11 
  Running scriptlet: rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                        10/11 
  Cleanup          : rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                      11/11 
  Running scriptlet: rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                      11/11 
Job for rudder-jetty.service failed because the control process exited with error code.
See "systemctl status rudder-jetty.service" and "journalctl -xe" for details.
warning: %posttrans(rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64) scriptlet failed, exit status 1

Error in POSTTRANS scriptlet in rpm package rudder-webapp
  Running scriptlet: rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                      11/11 
  Verifying        : rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64                              1/11 
  Verifying        : rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                      2/11 
  Verifying        : rudder-reports-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                       3/11 
  Verifying        : rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                  4/11 
  Verifying        : rudder-server-root-1398866025:6.2.11.rc1.git202110010122-1.EL.8.noarch                   5/11 
  Verifying        : rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                        6/11 
  Verifying        : rudder-agent-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                         7/11 
  Verifying        : rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                 8/11 
  Verifying        : rudder-server-relay-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                  9/11 
  Verifying        : rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                      10/11 
  Verifying        : rudder-webapp-1398866025:6.2.11.rc1.git202110010122-1.EL.8.x86_64                       11/11 

Upgraded:
  rudder-agent-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                                                
  rudder-reports-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                                              
  rudder-server-relay-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                                         
  rudder-server-root-1398866025:7.0.0.beta2.git202110010224-1.EL.8.noarch                                          
  rudder-webapp-1398866025:7.0.0.beta2.git202110010224-1.EL.8.x86_64                                               
Installed:
  rudder-api-client-7.0.0.beta2.git202110010224-1.EL.8.x86_64                                                      

Complete!
[root@server vagrant]# 

Actions #1

Updated by Nicolas CHARLES about 3 years ago

/var/log/rudder/install has 0 logs about this error

Actions #2

Updated by Nicolas CHARLES about 3 years ago

i have the following messages in journalctl

Oct 01 14:09:47 server /SetroubleshootPrivileged.py[22075]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/rudder-relay
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5. For complete SELinux messages run: sealert -l 07df21af-5cb8-404c-a135-3069eb5b56c9
Oct 01 14:09:47 server setroubleshoot[22047]: SELinux is preventing /opt/rudder/bin/rudder-relayd from search access on the directory krb5.

                                              *****  Plugin catchall (100. confidence) suggests   **************************

                                              If you believe that rudder-relayd should be allowed search access on the krb5 directory by default.
                                              Then you should report this as a bug.
lines 3965-3999/6906 49%

                                              You can generate a local policy module to allow this access.
                                              Do
                                              allow this access for now by executing:
                                              # ausearch -c 'r2d2-worker-0' --raw | audit2allow -M my-r2d2worker0
                                              # semodule -X 300 -i my-r2d2worker0.pp

Oct 01 14:10:14 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 01 14:10:14 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 01 14:10:14 server systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 14:10:14 server dbus-daemon[817]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.137' (uid=0 pid=787 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using serv>
Oct 01 14:10:15 server dbus-daemon[817]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 01 14:10:16 server setroubleshoot[23222]: AnalyzeThread.run(): Cancel pending alarm
Oct 01 14:10:16 server dbus-daemon[817]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.304' (uid=995 pid=23222 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="s>
Oct 01 14:10:16 server dbus-daemon[817]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 01 14:10:20 server setroubleshoot[23222]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/rudder/cfengine-community/ppkeys/localhost.priv. For complete SELinux messages run: sealert -l 2b83dff3-b>
Oct 01 14:10:20 server setroubleshoot[23222]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/rudder/cfengine-community/ppkeys/localhost.priv.

                                              *****  Plugin catchall_labels (83.8 confidence) suggests   *******************

                                              If you want to allow httpd to have getattr access on the localhost.priv file
                                              Then you need to change the label on /var/rudder/cfengine-community/ppkeys/localhost.priv
                                              Do
                                              # semanage fcontext -a -t FILE_TYPE '/var/rudder/cfengine-community/ppkeys/localhost.priv'
                                              where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t>
                                              Then execute:
                                              restorecon -v '/var/rudder/cfengine-community/ppkeys/localhost.priv'

                                              *****  Plugin catchall (17.1 confidence) suggests   **************************

                                              If you believe that httpd should be allowed getattr access on the localhost.priv file by default.
                                              Then you should report this as a bug.
                                              You can generate a local policy module to allow this access.
                                              Do
                                              allow this access for now by executing:
                                              # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
                                              # semodule -X 300 -i my-httpd.pp

Oct 01 14:11:04 server httpd[24659]: AH00526: Syntax error on line 24 of /etc/httpd/conf.d/rudder.conf:
Oct 01 14:11:04 server httpd[24659]: SSLCertificateKeyFile: file '/var/rudder/cfengine-community/ppkeys/localhost.priv' does not exist or is empty
Oct 01 14:11:04 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 01 14:11:04 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 01 14:11:04 server systemd[1]: Failed to start The Apache HTTP Server.
Oct 01 14:11:04 server cf-agent[24071]: CFEngine(agent) rudder Finished command related to promiser '/bin/systemctl --no-ask-password start httpd.service' -- an error occurred, returned 1
Oct 01 14:11:04 server cf-agent[24071]: CFEngine(agent) rudder Completed execution of '/bin/systemctl --no-ask-password start httpd.service'

Oct 01 14:25:53 server setroubleshoot[29693]: SELinux is preventing /usr/sbin/httpd from getattr access on the fil>
Oct 01 14:25:53 server setroubleshoot[29693]: SELinux is preventing /usr/sbin/httpd from getattr access on the fil>

                                              *****  Plugin catchall_labels (83.8 confidence) suggests   *********>

Actions #3

Updated by François ARMAND about 3 years ago

  • Subject changed from error when upgrading from 6.2 to 7.0 on centos8 to selinux error when upgrading from 6.2 to 7.0 on centos8
Actions #4

Updated by Alexis Mousset about 3 years ago

  • Subject changed from selinux error when upgrading from 6.2 to 7.0 on centos8 to SELinux error when upgrading from 6.2 to 7.0 on centos8
  • Assignee set to Alexis Mousset
Actions #5

Updated by Nicolas CHARLES about 3 years ago

at least one of the issue is that /var/backups/rudder doesn't exist yet - it's created at 14:10:38, but upgrade is at 14:09:59

Actions #6

Updated by Nicolas CHARLES about 3 years ago

  • Status changed from New to In progress
  • Assignee changed from Alexis Mousset to Nicolas CHARLES
Actions #7

Updated by Nicolas CHARLES about 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/3909
Actions #8

Updated by Nicolas CHARLES about 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #9

Updated by Vincent MEMBRÉ about 3 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.0.0~beta2 which was released today.

Actions

Also available in: Atom PDF