
SELinux Enforcing stops systemd service from starting #1606

Closed
krayon opened this issue Jan 13, 2022 · 5 comments · May be fixed by #1607
Labels: bug (Something isn't working), Runner Bug (Bug fix scope to the runner), Stale

Comments

krayon commented Jan 13, 2022

Describe the bug

When SELinux is Enforcing, scripts started by systemd need the initrc_exec_t context set. It is not currently.

To Reproduce

Steps to reproduce the behavior:

  1. Have SELinux Enforcing;

  2. Add a runner;

  3. Run ./svc.sh install

  4. Observe that systemd failed to start the script:

    sudo grep -i denied /var/log/audit/audit.log|grep -i svc|tail -1|fold -s
    type=AVC msg=audit(1642053001.589:304): avc:  denied  { execute } for
    pid=14114 comm="(unsvc.sh)" name="runsvc.sh" dev="vda1" ino=25325969
    scontext=system_u:system_r:init_t:s0
    tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Expected behavior

  • systemd should be able to start the script.

Runner Version and Platform

  • Version: 2.278
  • OS: Linux (x64)

/cc: @mikedalton

@june1963

Customer wrote in with similar behavior when attempting to use Actions self-hosted runner on CentOS 8, which was unblocked thanks to @TingluoHuang's recommendation:

    sudo semanage fcontext --add --type initrc_exec_t /<fullpath>/runsvc.sh
    restorecon -v /<fullpath>/runsvc.sh
    sudo ./svc.sh start
    sudo ./svc.sh status

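An added example (not code from this thread or from the actions/runner project) that turns the two posts above into a check a defender can run over audit output: it parses AVC lines of the shape quoted in the report, flags the specific pattern behind this bug (a process in the systemd domain `init_t` refused `execute` on a file labelled `user_home_t`), and prints the relabel commands from @june1963's comment instead of running them. The sample audit lines are constructed: the first copies the denial from the report, the second is a made-up, unrelated denial showing that the filter is selective. The runner path uses the thread's `/<fullpath>/` placeholder.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the actions/runner project.
# Parses SELinux AVC denial lines and flags the failure behind this bug: a
# systemd-domain process (init_t) denied "execute" on a user_home_t file.
# The fix it prints is the semanage/restorecon sequence from the thread; the
# script only prints it, it never changes labels itself.

# Constructed sample audit lines (not real logs). Line 1 mirrors the report;
# line 2 is a made-up, unrelated denial used to show the filter is selective.
SAMPLE_AUDIT='type=AVC msg=audit(1642053001.589:304): avc:  denied  { execute } for  pid=14114 comm="(unsvc.sh)" name="runsvc.sh" dev="vda1" ino=25325969 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1642053002.000:305): avc:  denied  { read } for  pid=14120 comm="sshd" name="authorized_keys" dev="vda1" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... (quoted or bare). The leading
# space in the pattern keeps "scontext" from matching the tail of "tcontext".
# Returns 1 when the key is absent.
avc_field() {
    rest=${1#*" $2="}
    [ "$rest" = "$1" ] && return 1
    rest=${rest#\"}          # drop an opening quote, if any
    rest=${rest%%\"*}        # cut at the closing quote, if any
    rest=${rest%% *}         # otherwise cut at the next space
    printf '%s\n' "$rest"
}

# avc_perms LINE: print the permission set inside "{ ... }", e.g. "execute".
avc_perms() {
    rest=${1#*"{ "}
    [ "$rest" = "$1" ] && return 1
    rest=${rest%%" }"*}
    printf '%s\n' "$rest"
}

# selinux_type CONTEXT: the type component of user:role:type:level.
selinux_type() {
    rest=${1#*:*:}
    printf '%s\n' "${rest%%:*}"
}

# flag_runner_denial LINE: exit 0 and print a finding when LINE is an AVC
# denial in which init_t was refused execute on a user_home_t file (the runner
# service failure in this issue); exit 1 for any other line.
flag_runner_denial() {
    case $1 in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    perms=$(avc_perms "$1") || return 1
    case " $perms " in
        *" execute "*) ;;
        *) return 1 ;;
    esac
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    [ "$src" = init_t ] && [ "$tgt" = user_home_t ] && [ "$cls" = file ] || return 1
    printf 'runner-service denial: %s (comm=%s) is not labelled initrc_exec_t\n' \
        "$(avc_field "$1" name)" "$(avc_field "$1" comm)"
}

# count_runner_denials TEXT: number of flagged lines in the multi-line TEXT.
count_runner_denials() {
    n=0
    while IFS= read -r line; do
        if flag_runner_denial "$line" >/dev/null; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# print_fix PATH: the relabel recipe from the thread, printed for review only.
print_fix() {
    printf 'sudo semanage fcontext --add --type initrc_exec_t %s\n' "$1"
    printf 'sudo restorecon -v %s\n' "$1"
}

count_runner_denials "$SAMPLE_AUDIT"      # 1: only the report's line matches
printf '%s\n' "$SAMPLE_AUDIT" | while IFS= read -r line; do
    flag_runner_denial "$line" || true
done
print_fix '/<fullpath>/runsvc.sh'         # placeholder path from the thread
```

On a real host, feed it the denials from the audit log, for example `count_runner_denials "$(sudo grep avc /var/log/audit/audit.log)"`, and after relabeling confirm with `ls -Z` on `runsvc.sh` that the file now carries `initrc_exec_t`. The `semanage fcontext --add` rule is what makes the label survive a later `restorecon` or relabel; setting the context with `chcon` alone would not.
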
@kgrzebien

I think we could also update our diagnostics:

  • Add information to the esb-tools package if SELinux is turned on in the appliance
  • Add a check to enterprise-diagnostic-scripts to check file contexts.

@nikola-jokic nikola-jokic added the Runner Bug Bug fix scope to the runner label Apr 4, 2022
@abhishek-CEQ

Any update on this issue? When will it get resolved? I'm still facing this issue in the current stable version.

github-actions bot commented Mar 4, 2024

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days.

@github-actions github-actions bot added the Stale label Mar 4, 2024

This issue was closed because it has been stalled for 15 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 25, 2024