- Bug
- Resolution: Done-Errata
- Normal
- CentOS Stream 9
- selinux-policy-38.1.44-1.el9
- rhel-sst-security-selinux
- ssg_security
What were you trying to do that didn't work?
In the CentOS Stream CoreOS 9 build used by OKD, we faced OKD-223, where nodes aren't able to join a cluster because the afterburn units fail to start due to denied permissions when accessing the files they are meant to access to pursue their job.
I didn't find the right component to bind for afterburn and used ignition for the closeness to the coreos community.
Please provide the package NVR for which the bug is seen:
afterburn-5.6.0-1.el9.x86_64
afterburn-dracut-5.6.0-1.el9.x86_64
How reproducible: Always
Steps to reproduce
- On an AWS machine with SELinux enabled and CS9 (actually done with SCOS; I'm unsure it can be reproduced so easily in pure CS9)
- systemctl start afterburn
Expected results
Success
Actual results
Jul 18 06:32:30 localhost afterburn[879]: Jul 18 06:32:30.747 INFO Putting http://169.254.169.254/latest/api/token: Attempt #1
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Jul 18 06:32:31.765 INFO Putting http://169.254.169.254/latest/api/token: Attempt #2
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Error: failed to run
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Caused by:
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: 0: writing metadata attributes
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: 1: failed to create directory "/run/metadata"
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: 2: Permission denied (os error 13)
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Main process exited, code=exited, status=1/FAILURE
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Failed with result 'exit-code'.
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: Failed to start Afterburn (Metadata).
Additional info:
https://github.com/fedora-selinux/selinux-policy/pull/1362/files, https://github.com/fedora-selinux/selinux-policy/pull/2000 might be the fixes to downstream (Fedora/FCOS is not affected)
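A triage helper for this report, added here as example code (not from the bug report, afterburn or the selinux-policy project): it checks whether an installed selinux-policy NVR is at or above the fixed build named above (selinux-policy-38.1.44-1.el9) and whether journal text carries the "/run/metadata" EACCES signature from the log. It assumes `sort -V` ordering is close enough to rpm's NVR comparison for these version strings, and the sample journal lines are constructed after the ones quoted above.

```bash
#!/bin/sh
# Fixed build named in this report.
FIXED_NVR="selinux-policy-38.1.44-1.el9"

# Strip the package name, leaving "version-release", e.g. 38.1.44-1.el9.
nvr_vr() { printf '%s\n' "${1#selinux-policy-}"; }

# Succeed (exit 0) when the installed NVR sorts at or above FIXED_NVR.
# Assumption: sort -V approximates rpm version ordering for these strings.
policy_has_fix() {
    lowest=$(printf '%s\n%s\n' "$(nvr_vr "$1")" "$(nvr_vr "$FIXED_NVR")" | sort -V | head -n 1)
    [ "$lowest" = "$(nvr_vr "$FIXED_NVR")" ]
}

# Succeed when journal text on stdin shows afterburn failing to create
# /run/metadata with "Permission denied (os error 13)", as in the report.
afterburn_metadata_denied() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'afterburn\[[0-9]*\]: .*failed to create directory "/run/metadata"' &&
    printf '%s\n' "$log" | grep -q 'afterburn\[[0-9]*\]: .*Permission denied (os error 13)'
}

# Constructed journal excerpt, shaped like the lines quoted in the report.
SAMPLE_LOG=$(cat <<'EOF'
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: 1: failed to create directory "/run/metadata"
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: 2: Permission denied (os error 13)
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Failed with result 'exit-code'.
EOF
)

# Live check against the current host (needs rpm, journalctl, ausearch);
# defined only, not run automatically.
triage_host() {
    installed=$(rpm -q selinux-policy)
    if policy_has_fix "$installed"; then
        echo "selinux-policy $installed: fix present"
    else
        echo "selinux-policy $installed: below $FIXED_NVR, update needed"
    fi
    if journalctl -b -u afterburn.service --no-pager | afterburn_metadata_denied; then
        echo "afterburn could not create /run/metadata this boot; related AVCs:"
        ausearch -m AVC -c afterburn -ts boot 2>/dev/null || true
    fi
}
```

Source the file and call `triage_host` on an affected node; a host already at the fixed build that still shows the signature points at something other than this policy bug.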
Links to: RHBA-2024:130707 selinux-policy bug fix and enhancement update