Requesting this conversation to be deleted because I accidentally let a machine name in without scrubbing it. Thanks!
On Monday, December 5, 2022 at 8:54:21 AM UTC-7 [email protected] wrote:

> Not sure changing the home directory is the answer. I think the true
> answer resides in how to allow the jenkins service to run in SELINUX...
>
> On Monday, December 5, 2022 at 8:45:42 AM UTC-7 slide wrote:
>
>> Jenkins switched to systemd "recently" check this page for how to change
>> env variables and such
>> https://www.jenkins.io/doc/book/system-administration/systemd-services/
>>
>> On Mon, Dec 5, 2022 at 8:40 AM [email protected] <[email protected]>
>> wrote:
>>
>>> Changing the JENKINS_HOME directory in that config file didn't work. I
>>> got the same error so it's using that link somewhere else...
>>>
>>> Thanks,
>>> Eric
>>>
>>> On Monday, December 5, 2022 at 8:09:31 AM UTC-7 [email protected]
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm running into an issue running Jenkins as a service in RHEL 8 with
>>>> SELINUX running (I don't have a choice). It seems since /var/lib/jenkins
>>>> is a symbolic link to /opt/jenkins, SELINUX doesn't want to allow running
>>>> the service from there. Would it be acceptable to just change the value
>>>> for JENKINS_HOME to /opt/jenkins in /etc/sysconfig/jenkins? Thanks!
>>>>
>>>> ]# journalctl -xe
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
>>>> # semodule -X 300 -i my-jenkins.pp
>>>>
>>>> Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
>>>> Dec 02 10:45:03 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Cancel pending alarm
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
>>>>
>>>> ***** Plugin catchall_labels (83.8 confidence) suggests *******************
>>>>
>>>> If you want to allow systemd to have read access on the jenkins lnk_file
>>>> Then you need to change the label on /var/lib/jenkins
>>>> Do
>>>> # semanage fcontext -a -t FILE_TYPE '/var/lib/jenkins'
>>>> where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_un>
>>>> Then execute:
>>>> restorecon -v '/var/lib/jenkins'
>>>>
>>>> ***** Plugin catchall (17.1 confidence) suggests **************************
>>>>
>>>> If you believe that systemd should be allowed read access on the jenkins lnk_file by default.
>>>> Then you should report this as a bug.
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # ausearch -c '(jenkins)' --raw | audit2allow -M my-jenkins
>>>> # semodule -X 300 -i my-jenkins.pp
>>>>
>>>> Dec 02 10:45:07 nd655bd001 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
>>>> Dec 02 10:45:18 nd655bd001 systemd[1]: setroubleshootd.service: Succeeded.
>>>> -- Subject: Unit succeeded
>>>> -- Defined-By: systemd
>>>> -- Support: https://access.redhat.com/support
>>>> --
>>>> -- The unit setroubleshootd.service has successfully entered the 'dead' state.
>>>> lines 5338-5376/5376 (END)
>>>>
>>
>> --
>> Website: http://earl-of-code.com
>>

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/411d2bf2-4a73-4bc2-a797-460d07738a7en%40googlegroups.com.
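
Added example, not part of the original thread: a small Python parser for the setroubleshoot output quoted above, which collapses the repeated denial line and ranks the plugin suggestions by confidence. The sample input is constructed from the quoted lines with a placeholder hostname (`host01`); `parse_report`, `triage` and the `generic_fallback` field are names chosen for this example.

```python
import re

# Constructed sample modelled on the setroubleshoot output quoted in the
# thread; "host01" is a placeholder hostname.
SAMPLE = """\
Dec 02 10:45:07 host01 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins. For com>
Dec 02 10:45:07 host01 setroubleshoot[144816]: SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file /var/lib/jenkins.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow systemd to have read access on the jenkins lnk_file
Then you need to change the label on /var/lib/jenkins
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that systemd should be allowed read access on the jenkins lnk_file by default.
Then you should report this as a bug.
Dec 02 10:45:07 host01 setroubleshoot[144816]: AnalyzeThread.run(): Set alarm timeout to 10
"""

DENIAL = re.compile(r"SELinux is preventing (?P<source>\S+) from (?P<access>.+?) "
                    r"access on the (?P<tclass>\S+) (?P<target>\S+?)\.(?:\s|$)")
PLUGIN = re.compile(r"\*+\s*Plugin (?P<name>\w+) \((?P<conf>[\d.]+) confidence\)")
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

def parse_report(text):
    """Return (unique denials, plugin suggestions sorted by confidence)."""
    denials, plugins, current = [], [], None
    for line in text.splitlines():
        denial, plugin = DENIAL.search(line), PLUGIN.search(line)
        if denial:
            if denial.groupdict() not in denials:  # journal repeats the summary
                denials.append(denial.groupdict())
            current = None
        elif plugin:
            current = {"name": plugin["name"],
                       "confidence": float(plugin["conf"]), "advice": []}
            plugins.append(current)
        elif SYSLOG.match(line):
            current = None  # a new journal record ends the plugin's advice text
        elif current is not None and line.strip():
            current["advice"].append(line.strip())
    plugins.sort(key=lambda p: p["confidence"], reverse=True)
    return denials, plugins

def triage(text):
    """Pair each denial with the highest-confidence plugin suggestion."""
    denials, plugins = parse_report(text)
    top = plugins[0] if plugins else None
    return [{**d, "plugin": top and top["name"],
             "generic_fallback": top is None or top["name"] == "catchall",
             "advice": top["advice"] if top else []} for d in denials]
```

Run over the thread's log, this picks `catchall_labels` (change the label on the symlink) ahead of the generic `catchall` suggestion to build a local policy module with audit2allow.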
