From 56c971373c228f71d12da6703c131d4152aaf665 Mon Sep 17 00:00:00 2001
From: Takuya ASADA
Date: Thu, 20 Jun 2024 08:34:58 +0900
Subject: [PATCH 1/2] scylla_coredump_setup: fix SELinux configuration for RHEL9

Seems like specific version of systemd pacakge on RHEL9 has a bug on SELinux configuration, it introduced "systemd-container-coredump" module to provide rule for systemd-coredump, but not enabled by default. We have to manually load it, otherwise it causes permission error.

Fixes #19325
---
 dist/common/scripts/scylla_coredump_setup | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/dist/common/scripts/scylla_coredump_setup b/dist/common/scripts/scylla_coredump_setup
index 12193cf0c6..2dfc565efc 100755
--- a/dist/common/scripts/scylla_coredump_setup
+++ b/dist/common/scripts/scylla_coredump_setup
@@ -40,6 +40,25 @@ if __name__ == '__main__':
 help='enable compress on systemd-coredump')
 args = parser.parse_args()
+ # Seems like specific version of systemd pacakge on RHEL9 has a bug on
+ # SELinux configuration, it introduced "systemd-container-coredump" module
+ # to provide rule for systemd-coredump but not enabled by default.
+ # We have to manually load it, otherwise it causes permission errror.
+ # (#19325)
+ if is_redhat_variant() and distro.major_version() == '9':
+ if not shutil.which('getenforce'):
+ pkg_install('libselinux-utils')
+ if not shutil.which('semodule'):
+ pkg_install('policycoreutils')
+ enforce = out('getenforce')
+ if enforce != "Disabled":
+ if os.path.exists('/usr/share/selinux/packages/targeted/systemd-container-coredump.pp.bz2'):
+ modules = out('semodule -l')
+ match = re.match(r'^systemd-container-coredump$', modules, re.MULTILINE)
+ if not match:
+ run('semodule -v -i /usr/share/selinux/packages/targeted/systemd-container-coredump.pp.bz2', shell=True, check=True)
+ run('semodule -v -e systemd-container-coredump', shell=True, check=True)
+
 # abrt-ccpp.service needs to stop before enabling systemd-coredump,
 # since both will try to install kernel coredump handler
 # (This will only requires for abrt < 2.14)

From 0ac450de05cd530ba01c2f454269de7c6a0e3615 Mon Sep 17 00:00:00 2001
From: Takuya ASADA
Date: Wed, 11 Sep 2024 09:36:03 +0900
Subject: [PATCH 2/2] scylla_raid_setup: configure SELinux file context

On RHEL9, systemd-coredump fails to coredump on /var/lib/scylla/coredump because the service only have write acess with systemd_coredump_var_lib_t. To make it writable, we need to add file context rule for /var/lib/scylla/coredump, and run restorecon on /var/lib/scylla.

Fixes #20573
---
 dist/common/scripts/scylla_raid_setup | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/dist/common/scripts/scylla_raid_setup b/dist/common/scripts/scylla_raid_setup
index 1eb5bffa91..39c568e5c2 100755
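Review bot: `re.match` in the `semodule -l` check only attempts a match at the very start of `modules`, so the `^` anchor and `re.MULTILINE` never let it find `systemd-container-coredump` on a later line; unless that module happens to be listed first, `match` is always None and the `.pp.bz2` is re-installed on every run of the script. The intended whole-line search is `match = re.search(r'^systemd-container-coredump$', modules, re.MULTILINE)`. The following `semodule -v -e` is a no-op when the module is already enabled, so the visible effect today is only redundant work and log noise rather than a failure. The comment above the block also carries the commit message's typos (`pacakge`, `errror`). The enclosing `if __name__ == '__main__':` block begins and ends outside the hunk.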
--- a/dist/common/scripts/scylla_raid_setup
+++ b/dist/common/scripts/scylla_raid_setup
@@ -333,3 +333,19 @@ WantedBy=local-fs.target
 LOGGER.error(f'Error detected, dumping udev env parameters on {fsdev}')
 udev_info.verify()
 udev_info.dump_variables()
+
+ if is_redhat_variant():
+ if not shutil.which('getenforce'):
+ pkg_install('libselinux-utils')
+ if not shutil.which('restorecon'):
+ pkg_install('policycoreutils')
+ if not shutil.which('semanage'):
+ pkg_install('policycoreutils-python-utils')
+ selinux_status = out('getenforce')
+ selinux_context = out('matchpathcon -n /var/lib/systemd/coredump')
+ selinux_type = selinux_context.split(':')[2]
+ run(f'semanage fcontext -a -t {selinux_type} "{root}/coredump(/.*)?"', shell=True, check=True)
+ if selinux_status != 'Disabled':
+ run(f'restorecon -F -v -R {root}', shell=True, check=True)
+ else:
+ Path('/.autorelabel').touch(exist_ok=True)
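Review bot: `semanage fcontext -a` exits non-zero when an equivalent spec for `{root}/coredump(/.*)?` is already defined, so with `check=True` a second run of scylla_raid_setup on the same host should fail at that line (assuming the project's `run` forwards `check` to subprocess) before `restorecon` is reached; consulting the local customizations via `semanage fcontext -l -C` first keeps the step idempotent. `root` is assigned outside the hunk (presumably from a command-line option) and is interpolated unquoted into two `shell=True` command strings, so a path containing spaces or shell metacharacters breaks or alters the command — wrap it with `shlex.quote` (add `import shlex` at the top of the script if it is not already imported). `selinux_context.split(':')[2]` raises a bare `IndexError` if `matchpathcon` prints nothing, which deserves a clearer error message. The surrounding `if __name__ == '__main__':` block begins outside the hunk.
```python
    if is_redhat_variant():
        # … unchanged: package checks, getenforce / matchpathcon lookup …
        selinux_type = selinux_context.split(':')[2]
        fcontext_spec = f'{root}/coredump(/.*)?'
        # '-a' refuses a spec that is already defined, so only add it the first time
        if fcontext_spec not in out('semanage fcontext -l -C'):
            run(f'semanage fcontext -a -t {selinux_type} {shlex.quote(fcontext_spec)}', shell=True, check=True)
        if selinux_status != 'Disabled':
            run(f'restorecon -F -v -R {shlex.quote(root)}', shell=True, check=True)
        # … unchanged: /.autorelabel fallback …
```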