Hi All,
I'm running into an issue running Jenkins as a service in RHEL 8 with
SELINUX running (I don't have a choice). It seems since /var/lib/jenkins
is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running
the service from there. Would it be acceptable to just change the value
for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins? Thanks!
]# journalctl -xe
You can generate a local
policy module to allow this access.
Do
allow this access for
now by executing:
# ausearch -c
'(jenkins)' --raw | audit2allow -M my-jenkins
# semodule -X 300 -i
my-jenkins.pp
Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set
alarm timeout to 10
Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run():
Cancel pending alarm
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing
/usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
For com>
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing
/usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
***** Plugin
catchall_labels (83.8 confidence) suggests *******************
If you want to allow
systemd to have read access on the jenkins lnk_file
Then you need to change
the label on /var/lib/jenkins
Do
# semanage fcontext -a
-t FILE_TYPE '/var/lib/jenkins'
where FILE_TYPE is one
of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t,
NetworkManager_un>
Then execute:
restorecon -v
'/var/lib/jenkins'
***** Plugin catchall
(17.1 confidence) suggests **************************
If you believe that
systemd should be allowed read access on the jenkins lnk_file by default.
Then you should report
this as a bug.
You can generate a local
policy module to allow this access.
Do
allow this access for
now by executing:
# ausearch -c
'(jenkins)' --raw | audit2allow -M my-jenkins
# semodule -X 300 -i
my-jenkins.pp
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set
alarm timeout to 10
Dec 02 10:45:18 nd655bd001 systemd[1]: setroubleshootd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsupport&data=05%7C01%7Ceric.fetzer%40dynamo.works%7Cf073214ec53d487bba8c08dad4b081f9%7C20011f20d2a44579a5cc40c8d987672b%7C0%7C0%7C638056151829928292%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WMisNWM7KMmRGWY7k0n4euY6NIyCo74ECMq42lMC64Q%3D&reserved=0>
--
-- The unit setroubleshootd.service has successfully entered the 'dead'
state.
lines 5338-5376/5376 (END)
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/8ce021ab-d787-4fe3-96d5-d5476a4aac75n%40googlegroups.com.
