Bug #21746

closed

[HTB] Put SELinux into permissive and relabel

Added by Lukas Zapletal over 6 years ago. Updated over 6 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Upgrades
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

An HTB CU ran into an issue with Candlepin not starting because the file /etc/candlepin/certs/candlepin-ca.crt had the wrong label. I suggest making a generic solution to all these kinds of problems via foreman maintain:

  • Before upgrade starts, put SELinux into PERMISSIVE mode (using setenforce - temporarily).
  • At the end of the upgrade run this command to relabel relevant files: foreman-selinux-relabel /etc /var/log

Optionally we can relabel ALL files with: restorecon -FvR / but this will also include all Pulp files, which can take hours. The above command is safer: it will only relabel foreman-related files and etc/logs.

Actions #1

Updated by Lukas Zapletal over 6 years ago

Oh, important: at the end of the procedure add a message:

SELinux was temporarily put into permissive for the upgrade, please enable enforcing via "setenforce 1" and restart all services and investigate possible denials via audit.log.

Actions #2

Updated by Lukas Zapletal over 6 years ago

We might want to make this a check, so the user is explicitly told to put SELinux into permissive (so it's safer and nobody will tell you "you disabled it").

Actions #3

Updated by Lukas Zapletal over 6 years ago

There was a security concern on the list which is valid, therefore I suggest putting only the foreman, candlepin and pulp domains into permissive and not the whole system.

Actions #4

Updated by Lukas Zapletal over 6 years ago

  • Status changed from New to Rejected
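
The closing message proposed in note #1 asks the admin to investigate denials in audit.log, and note #3 narrows the idea to individual domains. As an added example (not part of the original ticket or of foreman-maintain), this Python script separates AVC denials that were only logged while permissive from those that were enforced, and lists the source domains involved. The log lines are constructed, and `svc_a_t` and `svc_b_t` are placeholder domain names, not real Foreman policy types.

```python
import re
from collections import Counter

# Constructed sample audit.log lines, not taken from a real system.
# svc_a_t and svc_b_t are placeholder domains, not real Foreman policy types.
SAMPLE_LOG = """\
type=AVC msg=audit(1511900000.101:201): avc:  denied  { read } for  pid=2101 comm="java" name="candlepin-ca.crt" dev="dm-0" ino=4711 scontext=system_u:system_r:svc_a_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1511900000.102:202): avc:  denied  { open } for  pid=2101 comm="java" path="/etc/candlepin/certs/candlepin-ca.crt" dev="dm-0" ino=4711 scontext=system_u:system_r:svc_a_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1511900000.102:202): arch=c000003e syscall=2 success=yes exit=5
type=AVC msg=audit(1511900300.500:310): avc:  denied  { write } for  pid=3300 comm="ruby" name="production.log" dev="dm-0" ino=9001 scontext=system_u:system_r:svc_b_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+)\S* "
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S* "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def parse_denials(text):
    """Yield (source_domain, target_type, tclass, perm, permissive) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (SYSCALL records, grants, other types)
        # Records without a permissive= field yield None and are counted as enforced.
        permissive = m["permissive"] == "1" if m["permissive"] else None
        for perm in m["perms"].split():  # "{ read write }" is two permissions
            yield m["sdom"], m["ttype"], m["tclass"], perm, permissive

def summarize(text):
    """Return (logged_only, enforced) Counters keyed by (domain, type, class, perm)."""
    logged_only, enforced = Counter(), Counter()
    for sdom, ttype, tclass, perm, permissive in parse_denials(text):
        (logged_only if permissive else enforced)[(sdom, ttype, tclass, perm)] += 1
    return logged_only, enforced

def permissive_only_domains(text):
    """Source domains with denials that only passed because of permissive mode."""
    return sorted({key[0] for key in summarize(text)[0]})

if __name__ == "__main__":
    logged_only, enforced = summarize(SAMPLE_LOG)
    for label, counts in (("would be blocked once enforcing", logged_only),
                          ("blocked", enforced)):
        for (sdom, ttype, tclass, perm), n in sorted(counts.items()):
            print(f"{label}: {sdom} -> {ttype}:{tclass} {{ {perm} }} x{n}")
```

On a real host the input would be the contents of audit.log collected after the upgrade, before enforcing mode is switched back on.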