Bug details
Describe the bug
Just noticed this when we changed from CentOS 7 to CentOS 8.
With SELinux enforcing, the consul binary moved from /tmp retains the context tmp_t. SELinux denies execution of the consul binary, so startup fails.
Steps to reproduce the bug
In pillar, set:
Install and try to run consul on a CentOS 8 minion.
salt-call state.apply consul
The state will fail.
Check the audit log:
grep consul /var/log/audit/audit.log
Expected behaviour
service should start
Attempts to fix the bug
We use the following in install.sls, after file.rename, to fix the context:
{% if grains['os_family'] == 'RedHat' %}
consul_bin_restorecon:
  module.run:
    - file.restorecon:
      - /usr/local/bin/consul-{{consul.version}}
    - watch:
      - file: consul_install
{% endif %}
Use the module function file.restorecon to change the context of the consul binary to match the destination location of the file, which then permits execution by systemd.
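An added example, not part of the original report or the formula's own code: a Python filter for the audit log checked above that picks out execute denials on a consul binary still labelled tmp_t. The log records are constructed samples in the usual AVC layout, and the function names and the consul-0.0.0 version are placeholders.

```python
import re

# Constructed sample records (not from the report); "consul-0.0.0" is a placeholder version.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1600000000.101:310): avc:  denied  { execute } for  pid=2101 comm="(consul)" name="consul-0.0.0" dev="dm-0" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.202:311): avc:  denied  { read } for  pid=2150 comm="sshd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1600000000.303:312): pid=1 uid=0 msg='unit=consul comm="systemd" res=failed'
type=AVC msg=audit(1600000000.404:313): avc:  denied  { execute } for  pid=2200 comm="(consul)" name="consul-0.0.0" dev="dm-0" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level, so the type is the third field.
    rec["stype"] = rec.get("scontext", ":::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", ":::").split(":")[2]
    return rec

def mislabeled_exec_denials(log_text, name_prefix="consul", bad_types=("tmp_t",)):
    """List execute denials on files named name_prefix* whose label is in bad_types."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if ("execute" in rec["perms"] and rec.get("tclass") == "file"
                and rec.get("name", "").startswith(name_prefix)
                and rec["ttype"] in bad_types):
            # permissive=1 records are logged as "denied" but were not actually blocked.
            hits.append({"name": rec["name"], "stype": rec["stype"],
                         "ttype": rec["ttype"], "enforced": rec.get("permissive") == "0"})
    return hits

if __name__ == "__main__":
    for h in mislabeled_exec_denials(SAMPLE_AUDIT_LOG):
        state = "blocked" if h["enforced"] else "logged only (permissive)"
        print(f"{h['name']}: labelled {h['ttype']}, execute by {h['stype']} {state}")
```

The AVC record carries only the file's base name, so the full path to relabel still comes from the state that installed the binary.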