Hi All,
I'm running into an issue running Jenkins as a service in RHEL 8 with
SELINUX running (I don't have a choice). It seems since /var/lib/jenkins
is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running
the service from there. Would it be acceptable to just change the value
for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins? Thanks!
]# journalctl -xe
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
# semodule -X 300 -i my-jenkins.pp
Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Cancel pending alarm
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow systemd to have read access on the jenkins lnk_file
Then you need to change the label on /var/lib/jenkins
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/jenkins'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_un>
Then execute:
restorecon -v '/var/lib/jenkins'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that systemd should be allowed read access on the jenkins lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
# semodule -X 300 -i my-jenkins.pp
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
Dec 02 10:45:18 nd655bd001 systemd[1]: setroubleshootd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit setroubleshootd.service has successfully entered the 'dead' state.
lines 5338-5376/5376 (END)