View Issue Details

ID: 0016973
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2020-01-26 22:46
Reporter: CloudPursuitUK
Priority: urgent
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.7-1908
Target Version:
Fixed in Version:
Summary: 0016973: auditd and firewalld refuse to start with selinux enabled...
Description: All of a sudden, we have noticed that all our CentOS clusters, which are running httpd, are no longer running auditd and firewalld. The status from systemctl --failed is:
 
[root@cpuk ~]# systemctl --failed
  UNIT LOAD ACTIVE SUB DESCRIPTION
● auditd.service loaded failed failed Security Auditing Service
● firewalld.service loaded failed failed firewalld - dynamic firewall daemon
 
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
 
2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@cpuk ~]#
 
We looked into everything and issues are consistently pointing to file permissions in /log/messages or /log/audit
 
[root@cpuk ~]# systemctl start firewalld
Job for firewalld.service failed because the control process exited with error code. See "systemctl status firewalld.service" and "journalctl -xe" for details.
[root@cpuk ~]#
 
[root@cpuk ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2020-01-26 22:29:33 GMT; 21s ago
     Docs: man:firewalld(1)
  Process: 4936 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=1/FAILURE)
 Main PID: 4936 (code=exited, status=1/FAILURE)
 
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: firewalld.service: main process exited, code=exited, status=1/FAILURE
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: Failed to start firewalld - dynamic firewall daemon.
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: Unit firewalld.service entered failed state.
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: firewalld.service failed.
[root@cpuk ~]#
 
journalctl -xe shows:
 
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: action 'action 0' resumed (module 'builtin:omfile') [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2359 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: action 'action 0' resumed (module 'builtin:omfile') [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2359 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: action 'action 0' resumed (module 'builtin:omfile') [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2359 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: file '/var/log/messages': open error: Permission denied [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/e/2433 ]
Jan 26 22:29:33 cpuk.apache01.int rsyslogd[1175]: action 'action 0' suspended, next retry is Sun Jan 26 22:30:03 2020 [v8.24.0-41.el7_7.2 try http://www.rsyslog.com/
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: firewalld.service: main process exited, code=exited, status=1/FAILURE
Jan 26 22:29:33 cpuk.apache01.int systemd[1]: Failed to start firewalld - dynamic firewall daemon.
-- Subject: Unit firewalld.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit firewalld.service has failed.
 
So as a first step, we suspected selinux to be the issue, and we were able to run auditd and firewalld when we disabled selinux.
 
So we know for sure that it is selinux that is causing these issues.
 
Some version info:
 
[root@cpuk ~]# rpm -q firewalld
firewalld-0.6.3-2.el7_7.2.noarch
[root@cpuk ~]#
 
[root@cpuk ~]# rpm -q kernel
kernel-3.10.0-1062.7.1.el7.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64
[root@cpuk ~]#
 
We have searched all through Google and also checked the context of the /var/log directory. For example, for httpd, we issue the following commands to set the context for the httpd service.
 
chcon -t httpd_sys_rw_content_t /var/www/ -R
chcon -t httpd_sys_rw_content_t /var/log/ -R
 
Otherwise httpd won't start either.
 
So the question is: can you please shed some light on this? Is there a context we need to set? Why do all 6 clusters have this issue? Is this due to some known version of selinux released recently?
 
I would appreciate some thoughts.
 
Steps To Reproduce: All CentOS clusters ...
Tags: No tags attached.
abrt_hash:
URL:
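
The report relabels /var/log recursively with chcon. As an added example that is not part of the original report, the following condenses `matchpathcon -V` output into the paths whose SELinux type differs from the policy default. The function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original report.
# Live use on a host with libselinux-utils installed:
#   find /var/log -print0 | xargs -0 matchpathcon -V | label_drift

# Constructed sample of `matchpathcon -V` output (not captured from the
# reporter's hosts). Matching paths are reported as "<path> verified."
sample_matchpathcon_output() {
cat <<'EOF'
/var/log/messages has context system_u:object_r:httpd_sys_rw_content_t:s0, should be system_u:object_r:var_log_t:s0
/var/log/audit/audit.log has context system_u:object_r:httpd_sys_rw_content_t:s0, should be system_u:object_r:auditd_log_t:s0
/var/log/firewalld has context system_u:object_r:httpd_sys_rw_content_t:s0, should be system_u:object_r:firewalld_var_log_t:s0
/etc/hosts verified.
EOF
}

# label_drift: read `matchpathcon -V` lines on stdin and print one
# tab-separated record per mismatch: path, current type, expected type.
label_drift() {
    awk '
    {
        i = index($0, " has context ")
        j = index($0, ", should be ")
        if (i > 0 && j > i) {
            path = substr($0, 1, i - 1)            # path may contain spaces
            cur  = substr($0, i + 13, j - (i + 13))
            want = substr($0, j + 12)
            split(cur, c, ":"); split(want, w, ":") # user:role:type:level
            printf "%s\t%s\t%s\n", path, c[3], w[3]
        }
    }'
}

# wrong_type_counts: count mismatched paths per current type. One type
# covering a whole tree is the signature of a recursive chcon.
wrong_type_counts() {
    label_drift | cut -f2 | sort | uniq -c | sort -rn
}

# Demo on the constructed sample.
sample_matchpathcon_output | label_drift
```

`restorecon -nvR /var/log` gives a dry-run view of the same drift without changing any labels.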

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-01-26 22:46 CloudPursuitUK New Issue