I'm running ArcGIS Server 10.7 on RHEL Server 7.6.
Whenever I start ArcGIS Server with the systemd unit included in the install, copied from arcgis/server/framework/etc/scripts/ to /etc/systemd/system/arcgisserver.service, it gives SELinux alerts blocking read/open on libjsig.so and libprejsig.so.
When I start ArcGIS Server by directly calling startserver.sh, there are no alerts.
I have attempted to install local policy allowing access using audit2allow via this guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linu...
and also in the RHEL SELinux Troubleshooter instructions:
# ausearch -c 'ip' --raw | audit2allow -M my-ip
# semodule -i my-ip.
I've also tried adjusting the file's context with:
# semanage fcontext -a -t default_t libjsig.so
# restorecon -v libjsig.so
How can I start ArcGIS Server through systemd without the SELinux permission errors?
Hi there,
I assume you want SELinux to remain enabled and probably don't want it in permissive mode. If so, then I think the other option would be to make an exception for the process by flagging it with the unconfined option. I'm not 100% positive on what the proper place to configure that would be. Possibly you would just throw this line into the systemd service itself:
SELinuxContext=system_u:system_r:unconfined_t:s0
Thanks, Earl.
I tried adding that line to my unit file in various places but none have yet solved the problem.
Adding it in the [Unit] or [Install] Section, the service can start successfully, but SELinux still alerts about libjsig.so.
Adding it to the [Service] Section, starting the service fails with SELinux denying transition on the startserver.sh script.
Is there a specific order the lines in my unit file have to be arranged?
Here are the current contents of the file:
sudo cat /etc/systemd/system/arcgisserver.service :
# ------------------------------------------------------------------
# ArcGIS Server systemd unit file
# ------------------------------------------------------------------
#
# Configure ArcGIS Server to be started at boot on Linux distributions
# adopting systemd init system (For example RHEL 7.x and SuSE12) by
# following these instructions:
#
# 1.) Switch to the root user.
#
# 2.) Copy this file to /etc/systemd/system
#
# 3.) Enable the service to start at boot:
#
# # systemctl enable arcgisserver.service
#
# 4.) Verify systemd service is setup correctly:
#
# # systemctl stop arcgisserver.service
# # systemctl start arcgisserver.service
# # systemctl status arcgisserver.service
#
# 5.) Reboot the system and verify that Server restarts properly.
#
# ------------------------------------------------------------------

[Unit]
Description=ArcGIS Server Service
After=network.target
SELinuxContext=system_u:system_r:unconfined_t:s0

[Service]
Type=forking
User=igsgis
GuessMainPID=false

# The minimum number of processes need to be set to 25059 or higher. Enable
# and raise this limit if it is a heavily used system. Use ulimit -Su -Hu to
# check current values.
# LimitNPROC=25059
# LimitNOFILE=65535

# To prevent any one service from spawning too many threads and consuming all
# server resources, systemd v228 and beyond included in SLES12 SP2 and higher
# set the maximum number of threads to be created at 512. Users on SLES12 may
# need to enable and raise this limit if it is a heavily used system. Use
# "systemctl show --property DefaultTasksMax" to check the current value. To
# find the version of systemd, use "systemctl --version".
# TasksMax=512
ExecStart=/diskarray/arcgis/server/startserver.sh
ExecStop=/diskarray/arcgis/server/stopserver.sh

[Install]
WantedBy=multi-user.target
Thanks again for your help.
EDIT:
This is the output of ls -Z for the two files throwing the error:
-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0 libjsig.so
-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0 libprejsig.so
(As mentioned earlier, I've tried switching the context type to default as well, and I've also tried switching the user from unconfined to system.)
The SELinux Alerts are:
SELinux is preventing /usr/sbin/ip from open access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/libprejsig.so.
SELinux is preventing /usr/sbin/ip from getattr access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/libjsig.so.
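Added example, not part of the thread or of Esri's scripts: a triage helper for the `ls -Z` output and alerts quoted above. It prints, without running them, an absolute-path `semanage fcontext` rule and a `restorecon` call for each denied file; the target type `lib_t` and all function names are assumptions.

```bash
#!/usr/bin/env bash
# Prints commands for review; it never changes labels itself.

# Assumption: lib_t, the targeted policy's type for shared libraries, is the
# label the JRE libraries should carry. Override with TARGET_TYPE=<type>.
TARGET_TYPE="${TARGET_TYPE:-lib_t}"

# stdin: setroubleshoot lines "SELinux is preventing X from P access on the
# file /abs/path."  stdout: each denied absolute path once.
denied_paths() {
    sed -n 's|^SELinux is preventing .* access on the file \(/.*\)\.$|\1|p' | sort -u
}

# stdin: RHEL 7 style `ls -Z` lines (mode user group context name).
# stdout: "name type" for files whose type means "no usable label".
mislabeled() {
    awk '{ split($4, c, ":")
           if (c[3] == "unlabeled_t" || c[3] == "default_t") print $5, c[3] }'
}

# stdin: alert lines. stdout: one fcontext rule and one restorecon per path.
# File-context rules are regexes matched against the absolute path, so the
# full path is used and metacharacters such as "." are escaped.
relabel_commands() {
    denied_paths | while IFS= read -r path; do
        spec=$(printf '%s\n' "$path" | sed 's/[].[*^$+?(){}|]/\\&/g')
        printf "semanage fcontext -a -t %s '%s'\n" "$TARGET_TYPE" "$spec"
        printf "restorecon -v '%s'\n" "$path"
    done
}

# Sample input: the two alerts and the ls -Z lines quoted in the post above.
ALERTS='SELinux is preventing /usr/sbin/ip from open access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/libprejsig.so.
SELinux is preventing /usr/sbin/ip from getattr access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/libjsig.so.'
LISTING='-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0 libjsig.so
-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0 libprejsig.so'

printf '%s\n' "$LISTING" | mislabeled
printf '%s\n' "$ALERTS" | relabel_commands
```

After reviewing and running the printed commands as root, `ls -Z` on the two files shows whether the new type was applied.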