Consul: Linux Package Repo - Consul service/sysctl commands denied when enforcing selinux

Created on 24 Jul 2020  ·  5 Comments  ·  Source: hashicorp/consul

Overview of the Issue

Using the new hashicorp linux repos (thanks for adding this!).

When installing consul on a system running selinux in enforcing mode, access is denied when attempting to run systemctl restart consul or systemctl status consul after consul is installed. This issue can be worked around externally or even in a 'postinstall' scriptlet in the RPM.

Reproduction Steps

Steps to reproduce this issue, eg:

With the system running selinux in enforcing mode:

Enforcing
  1. Install consul from the new linux repos
  2. Check the service status: systemctl status consul
systemctl status consul
Redirecting to /bin/systemctl status consul.service
Failed to get properties: Access denied

I'm able to fix this by running the following command:
systemctl daemon-reexec

Output after running daemon-reexec:

systemctl restart consul
Redirecting to /bin/systemctl status consul.service
● consul.service - "HashiCorp Consul - A service mesh solution"
   Loaded: loaded (/usr/lib/systemd/system/consul.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-07-24 18:34:20 UTC; 3s ago
     Docs: https://www.consul.io/
 Main PID: 18106 (consul)
   CGroup: /system.slice/consul.service
           └─18106 /usr/bin/consul agent -config-dir=/etc/consul.d/

Operating system and Environment details

CentOS Linux release 7.8.2003 (Core) selinux enforcing

All 5 comments

Thanks for reporting this @ndobbs!

I'm working on reproducing this on my end so that I can make sure it gets fixed. Can you let me know which version of consul you installed? I'm testing in a fresh vagrant centos/7 environment with the consul-1.8.0-2.x86_64 package and selinux Enforcing.

I've installed consul-1.8.0-2.x86_64.

Now that I'm looking into it more - this isn't affecting a fresh install, only machines that already have consul installed. We may find this is an issue in my environment only.

Thanks so much!

Thanks for the update! That's definitely a path we want to support, so I'll keep working on reproducing it

I've tested this on a broader set of machines and I've isolated it to a particular group - at this point I'm certain this isn't an issue in the package. Want to apologize for jumping the gun here.

I'm able to install the hashicorp packages from the linux repos across our existing fleet as well as new machines successfully. Thank you for the quick response. I'm going to close this issue for now; if you can reproduce the issue, feel free to reopen.

We can leave the thread around for posterity.

Thanks @ndobbs! I went ahead and added a daemon-reload in the postinst scriptlet if the unit is already loaded.
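
The change described in the last comment (a daemon-reload from the postinst scriptlet when the unit is already loaded), sketched as an added example. This is not HashiCorp's actual scriptlet; the function names, the SYSTEMCTL, SYSTEMD_RUNDIR and RELOAD_UNIT variables and the return codes are assumptions of this sketch.

```shell
#!/bin/sh
# Hypothetical post-install helper; an added sketch, not the package's scriptlet.
# SYSTEMCTL and SYSTEMD_RUNDIR are overridable so the logic can be exercised
# without a running systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
SYSTEMD_RUNDIR="${SYSTEMD_RUNDIR:-/run/systemd/system}"

# Print the unit's LoadState ("loaded", "not-found", ...), or nothing if the
# query fails. Parses "LoadState=..." instead of using --value, which the
# systemd 219 shipped with CentOS 7 does not support.
unit_load_state() {
    "$SYSTEMCTL" show -p LoadState "$1" 2>/dev/null | sed -n 's/^LoadState=//p'
}

# Reload systemd's unit definitions only when it already holds the unit.
# Returns: 0 reload ran, 1 skipped (no systemd or unit not loaded),
#          2 reload failed, 3 state unknown (query failed, e.g. "Access denied").
reload_unit_if_loaded() {
    unit="$1"
    # No running systemd (chroot, image build): nothing to reload.
    [ -d "$SYSTEMD_RUNDIR" ] || return 1
    state=$(unit_load_state "$unit")
    if [ -z "$state" ]; then
        echo "could not query LoadState of $unit" >&2
        return 3
    fi
    if [ "$state" != "loaded" ]; then
        return 1
    fi
    "$SYSTEMCTL" daemon-reload || return 2
    return 0
}

# Runs only when RELOAD_UNIT is set, e.g. RELOAD_UNIT=consul.service
if [ -n "${RELOAD_UNIT:-}" ]; then
    reload_unit_if_loaded "$RELOAD_UNIT"
fi
```

Return code 3 covers the case where systemd refuses the property query itself, so a caller can log it instead of silently skipping the reload.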