Re: Running Jenkins as a Service in RHEL 8

2022-12-06 Thread eric....@gmail.com
Requesting this conversation to be deleted because I accidentally let a 
machine name in without scrubbing it.  Thanks!

On Monday, December 5, 2022 at 8:54:21 AM UTC-7 eric@gmail.com wrote:

> Not sure changing the home directory is the answer.  I think the true 
> answer resides in how to allow the jenkins service to run in SELINUX...
>
> On Monday, December 5, 2022 at 8:45:42 AM UTC-7 slide wrote:
>
>> Jenkins switched to systemd "recently"; check this page for how to change 
>> env variables and such: 
>> https://www.jenkins.io/doc/book/system-administration/systemd-services/ 
>>
>> On Mon, Dec 5, 2022 at 8:40 AM eric@gmail.com  
>> wrote:
>>
>>> Changing the JENKINS_HOME directory in that config file didn't work.  I 
>>> got the same error so it's using that link somewhere else...
>>>
>>> Thanks,
>>> Eric
>>>
>>> On Monday, December 5, 2022 at 8:09:31 AM UTC-7 eric@gmail.com 
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm running into an issue running Jenkins as a service in RHEL 8 with 
>>>> SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins 
>>>> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running 
>>>> the service from there.  Would it be acceptable to just change the value 
>>>> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!

Re: Running Jenkins as a Service in RHEL 8

2022-12-05 Thread eric....@gmail.com
Not sure changing the home directory is the answer.  I think the true 
answer resides in how to allow the jenkins service to run in SELINUX...

On Monday, December 5, 2022 at 8:45:42 AM UTC-7 slide wrote:

> Jenkins switched to systemd "recently"; check this page for how to change 
> env variables and such: 
> https://www.jenkins.io/doc/book/system-administration/systemd-services/ 
>
> On Mon, Dec 5, 2022 at 8:40 AM eric@gmail.com  
> wrote:
>
>> Changing the JENKINS_HOME directory in that config file didn't work.  I 
>> got the same error so it's using that link somewhere else...
>>
>> Thanks,
>> Eric
>>
>> On Monday, December 5, 2022 at 8:09:31 AM UTC-7 eric....@gmail.com wrote:
>>
>>> Hi All,
>>>
>>> I'm running into an issue running Jenkins as a service in RHEL 8 with 
>>> SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins 
>>> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running 
>>> the service from there.  Would it be acceptable to just change the value 
>>> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!

Re: Running Jenkins as a Service in RHEL 8

2022-12-05 Thread Alex Earl
Jenkins switched to systemd "recently"; check this page for how to change
env variables and such:
https://www.jenkins.io/doc/book/system-administration/systemd-services/

On Mon, Dec 5, 2022 at 8:40 AM eric@gmail.com 
wrote:

> Changing the JENKINS_HOME directory in that config file didn't work.  I
> got the same error so it's using that link somewhere else...
>
> Thanks,
> Eric
>
> On Monday, December 5, 2022 at 8:09:31 AM UTC-7 eric@gmail.com wrote:
>
>> Hi All,
>>
>> I'm running into an issue running Jenkins as a service in RHEL 8 with
>> SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins
>> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running
>> the service from there.  Would it be acceptable to just change the value
>> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!

Re: Running Jenkins as a Service in RHEL 8

2022-12-05 Thread eric....@gmail.com
Changing the JENKINS_HOME directory in that config file didn't work.  I got 
the same error so it's using that link somewhere else...

Thanks,
Eric

On Monday, December 5, 2022 at 8:09:31 AM UTC-7 eric@gmail.com wrote:

> Hi All,
>
> I'm running into an issue running Jenkins as a service in RHEL 8 with 
> SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins 
> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running 
> the service from there.  Would it be acceptable to just change the value 
> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!

Running Jenkins as a Service in RHEL 8

2022-12-05 Thread eric....@gmail.com
Hi All,

I'm running into an issue running Jenkins as a service in RHEL 8 with 
SELINUX running (I don't have a choice).  It seems since /var/lib/jenkins 
is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running 
the service from there.  Would it be acceptable to just change the value 
for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins?  Thanks!


]# journalctl -xe

    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
    # semodule -X 300 -i my-jenkins.pp

Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Cancel pending alarm
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.

    *  Plugin catchall_labels (83.8 confidence) suggests   ***

    If you want to allow systemd to have read access on the jenkins lnk_file
    Then you need to change the label on /var/lib/jenkins
    Do
    # semanage fcontext -a -t FILE_TYPE '/var/lib/jenkins'
    where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_un>
    Then execute:
    restorecon -v '/var/lib/jenkins'

    *  Plugin catchall (17.1 confidence) suggests   **

    If you believe that systemd should be allowed read access on the jenkins lnk_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
    # semodule -X 300 -i my-jenkins.pp

Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
Dec 02 10:45:18 nd655bd001 systemd[1]: setroubleshootd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit setroubleshootd.service has successfully entered the 'dead' state.

lines 5338-5376/5376 (END)

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/8ce021ab-d787-4fe3-96d5-d5476a4aac75n%40googlegroups.com.
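
Added example, not part of the thread: a shell sketch that collapses the repeated setroubleshoot lines from the journal output in the original post into one record per distinct denial and prints read-only label checks for the path involved, which is worth doing before loading an audit2allow module. The sample lines are constructed from the message format in the post with a placeholder host name, and the function names `parse_denials`, `inspect_cmds` and `parse_denials_sample` are chosen here.

```shell
#!/bin/sh
# Added example: summarise setroubleshoot denials from journal text.
# SAMPLE is constructed from the message format quoted in this thread;
# the host name "buildhost" is a placeholder.
SAMPLE='Dec 02 10:45:03 buildhost setroubleshoot[144816]: AnalyzeThread.run(): Cancel pending alarm
Dec 02 10:45:07 buildhost setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
Dec 02 10:45:07 buildhost setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.'

# parse_denials: stdin = journal lines; stdout = unique
# "source|permission|class|target" records, one per distinct denial.
parse_denials() {
    awk '
    /SELinux is preventing / {
        for (i = 1; i <= NF; i++) if ($i == "preventing") break
        # Only the "<src> from <perm> access on the <class> <target>" shape.
        if ($(i+2) != "from" || $(i+4) != "access") next
        src = $(i+1); perm = $(i+3); cls = $(i+7); tgt = $(i+8)
        sub(/\.$/, "", tgt)            # drop the sentence-ending period
        key = src "|" perm "|" cls "|" tgt
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# inspect_cmds: turn one record into read-only label checks to run as root.
inspect_cmds() {
    printf '%s\n' "$1" | awk -F'|' '{
        printf "ls -dZ %s\n", $4              # label currently on the object
        printf "matchpathcon %s\n", $4        # label the loaded policy expects
        if ($3 == "lnk_file")                 # symlink: check where it points too
            printf "ls -dZ \"$(readlink -f %s)\"\n", $4
    }'
}

parse_denials_sample() { printf '%s\n' "$SAMPLE" | parse_denials; }

for rec in $(parse_denials_sample); do
    echo "# denial: $rec"
    inspect_cmds "$rec"
done
```

On a live host, feed `journalctl -t setroubleshoot --no-pager` into `parse_denials` instead of the sample text.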