Requesting this conversation to be deleted because I accidentally let a 
machine name in without scrubbing it.  Thanks!

On Monday, December 5, 2022 at 8:54:21 AM UTC-7 eric....@gmail.com wrote:

> Not sure changing the home directory is the answer.  I think the true 
> answer resides in how to allow the jenkins service to run in SELINUX...
>
> On Monday, December 5, 2022 at 8:45:42 AM UTC-7 slide wrote:
>
>> Jenkins switched to systemd "recently"; check this page for how to change
>> env variables and such:
>> https://www.jenkins.io/doc/book/system-administration/systemd-services/
>>
>> On Mon, Dec 5, 2022 at 8:40 AM eric....@gmail.com <eric....@gmail.com> 
>> wrote:
>>
>>> Changing the JENKINS_HOME directory in that config file didn't work.  I 
>>> got the same error, so it's using that link somewhere else...
>>>
>>> Thanks,
>>> Eric
>>>
>>> On Monday, December 5, 2022 at 8:09:31 AM UTC-7 eric....@gmail.com 
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm running into an issue running Jenkins as a service in RHEL 8 with 
>>>> SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins 
>>>> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running 
>>>> the service from there.  Would it be acceptable to just change the value 
>>>> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!
>>>>
>>>>
>>>> ]# journalctl -xe
>>>>
>>>>     You can generate a local policy module to allow this access.
>>>>     Do
>>>>     allow this access for now by executing:
>>>>     # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
>>>>     # semodule -X 300 -i my-jenkins.pp
>>>>
>>>> Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
>>>> Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Cancel pending alarm
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
>>>>
>>>>     *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
>>>>
>>>>     If you want to allow systemd to have read access on the jenkins lnk_file
>>>>     Then you need to change the label on /var/lib/jenkins
>>>>     Do
>>>>     # semanage fcontext -a -t FILE_TYPE '/var/lib/jenkins'
>>>>     where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_un>
>>>>     Then execute:
>>>>     restorecon -v '/var/lib/jenkins'
>>>>
>>>>     *****  Plugin catchall (17.1 confidence) suggests   **************************
>>>>
>>>>     If you believe that systemd should be allowed read access on the jenkins lnk_file by default.
>>>>     Then you should report this as a bug.
>>>>     You can generate a local policy module to allow this access.
>>>>     Do
>>>>     allow this access for now by executing:
>>>>     # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
>>>>     # semodule -X 300 -i my-jenkins.pp
>>>>
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
>>>> Dec 02 10:45:18 nd655bd001 systemd[1]: setroubleshootd.service: Succeeded.
>>>> -- Subject: Unit succeeded
>>>> -- Defined-By: systemd
>>>> -- Support: https://access.redhat.com/support
>>>> --
>>>> -- The unit setroubleshootd.service has successfully entered the 'dead' state.
>>>> lines 5338-5376/5376 (END)
>>>>
>>>
>>
>>
>> -- 
>> Website: http://earl-of-code.com
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/411d2bf2-4a73-4bc2-a797-460d07738a7en%40googlegroups.com.
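
Added example, not part of the original thread: a small Python triage helper for setroubleshoot journal lines like the ones quoted in the original post. It collapses repeated entries for the same denial (one copy is truncated by the pager) and flags when the denied object is the symbolic link itself (lnk_file). The sample lines are constructed, "buildhost" is a placeholder hostname, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the journal lines quoted in the thread.
SAMPLE = """\
Dec 02 10:45:03 buildhost setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
Dec 02 10:45:07 buildhost setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
Dec 02 10:45:07 buildhost setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
Dec 02 10:45:18 buildhost systemd[1]: setroubleshootd.service: Succeeded.
"""

# Matches the one-line summary setroubleshoot writes for an access denial.
# The target ends at the first "." that is followed by whitespace or end of
# line, so paths containing dots and pager-truncated lines both parse.
DENIAL = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>.+?) access "
    r"on the (?P<tclass>\w+) (?P<target>\S+?)\.(?=\s|$)"
)


def parse_denials(text):
    """Count denials keyed by (source, permission, object class, target)."""
    seen = Counter()
    for line in text.splitlines():
        m = DENIAL.search(line)
        if m:
            seen[m.group("source", "perm", "tclass", "target")] += 1
    return seen


def triage(denial):
    """Say which object's label the denial is about."""
    source, perm, tclass, target = denial
    if tclass == "lnk_file":
        # The link has its own SELinux label, separate from what it points to.
        return (f"{target} is a symbolic link and the denial is on the link "
                f"object itself; inspect its label with: ls -Zd {target}")
    return f"inspect the label on {target} with: ls -Zd {target}"


if __name__ == "__main__":
    for denial, count in parse_denials(SAMPLE).items():
        source, perm, tclass, target = denial
        print(f"{count}x {source} denied {perm} on {tclass} {target}")
        print("  " + triage(denial))
```
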
