Support SELinux in enforcing mode on RHEL 8/CentOS 8/Rocky Linux 8.
Add support for SELinux ("Security Enhanced Linux") in enforcing mode
on RHEL 8, CentOS 8, and Rocky Linux 8.
With the implementation of SDP-350, SDP added support for SELinux in
enforcing mode. This works with RHEL/CentOS 6 and 7, as well as
Ubuntu 18.04 and 20.04. However, changes in SELinux in RHEL 8, and
thus CentOS 8 and Rocky Linux 8, leave the systemd unit files packaged
with the SDP unable to start the p4d process if SELinux is
enabled in enforcing mode.
$ sudo systemctl start p4d_1
Job for p4d_1.service failed because the control process exited with error code.
See "systemctl status p4d_1.service" and "journalctl -xe" for details.
$ journalctl -xe
<excerpt of output>
-- Unit p4d_1.service has begun starting up.
Oct 08 12:47:31 helix-centos8.p4demo.com systemd[18518]: p4d_1.service: Failed to execute command: Permission denied
Oct 08 12:47:31 helix-centos8.p4demo.com systemd[18518]: p4d_1.service: Failed at step EXEC spawning /p4/1/bin/p4d_1_init: Permission>
-- Subject: Process /p4/1/bin/p4d_1_init could not be executed
This seems to be due to new SELinux behavior in CentOS 8, as the
SDP systemd 'unit' files are known to work with SELinux in enforcing mode on
other OS versions. A review of RHEL release notes indicates significant
changes were made to SELinux for RHEL 8. A bit of Googling indicates
SELinux changes on RHEL/CentOS 8 can break systemd unit files if SELinux
is enabled in enforcing mode.
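
A triage helper for the failure shown above, added here as an example and not part of the SDP: it pulls the unit and the path that systemd could not execute out of journal text (including journalctl's truncated lines), then lists the SELinux label of that file and each parent directory so they can be compared with a host where the unit starts. The function names exec_denials, path_chain and triage are made up for this example; the sample input is the two journal lines quoted in this report.

```shell
#!/bin/sh
# Constructed sample input: the journal lines quoted in the report above.
SAMPLE_JOURNAL='Oct 08 12:47:31 helix-centos8.p4demo.com systemd[18518]: p4d_1.service: Failed to execute command: Permission denied
Oct 08 12:47:31 helix-centos8.p4demo.com systemd[18518]: p4d_1.service: Failed at step EXEC spawning /p4/1/bin/p4d_1_init: Permission>'

# exec_denials (hypothetical name): read journal text on stdin and print
# "unit path" for each unit that failed at step EXEC with "Permission ...".
# Matching only the prefix "Permission" also catches lines cut off with ">".
exec_denials() {
    sed -n 's/^.*systemd\[[0-9]*]: \([^ :]*\): Failed at step EXEC spawning \(\/[^:]*\): Permission.*$/\1 \2/p' | sort -u
}

# path_chain (hypothetical name): print "/" and then every component of an
# absolute path, one per line, ending with the path itself.
path_chain() {
    p=$1
    case "$p" in /*) ;; *) return 1 ;; esac
    chain=
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        chain="$p
$chain"
        p=${p%/*}
    done
    printf '/\n%s' "$chain"
}

# triage (hypothetical name): for each denied exec, show the SELinux mode
# and the label on the file and on every directory leading to it.
triage() {
    exec_denials | while read -r unit path; do
        echo "== $unit could not execute $path"
        command -v getenforce >/dev/null 2>&1 && echo "SELinux mode: $(getenforce)"
        path_chain "$path" | while read -r p; do
            ls -Zd "$p" 2>/dev/null || echo "missing or unreadable: $p"
        done
    done
}

# Offline run on the sample; on an affected host use instead:
#   journalctl -u p4d_1 -b | triage
printf '%s\n' "$SAMPLE_JOURNAL" | exec_denials
```

If SELinux is the cause, `sudo ausearch -m AVC -ts recent` on the affected host should show a denial naming the same path.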