[ERROR ] [configure] /Stage[main]/Foreman::Config::Apache/Selboolean

oxtan · May 29, 2021, 7:46pm

foreman-installer fails:
Choose an option from the menu… 60
2021-05-29 21:34:59 [NOTICE] [configure] Starting system configuration.
The total number of configuration tasks may increase during the run.
Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-29 21:35:05 [NOTICE] [configure] 100 out of 944 done.
2021-05-29 21:35:05 [NOTICE] [configure] 200 out of 944 done.
2021-05-29 21:35:05 [ERROR ] [configure] /Stage[main]/Foreman::Config::Apache/Selboolean[httpd_can_network_connect]: Could not evaluate: Execution of ‘/usr/sbin/getsebool httpd_can_network_connect’ returned 1: /usr/sbin/getsebool: SELinux is disabled
2021-05-29 21:35:05 [NOTICE] [configure] 300 out of 944 done.
2021-05-29 21:35:05 [NOTICE] [configure] 400 out of 946 done.
2021-05-29 21:35:05 [NOTICE] [configure] 500 out of 946 done.
2021-05-29 21:35:06 [NOTICE] [configure] 600 out of 948 done.
2021-05-29 21:35:06 [NOTICE] [configure] 700 out of 952 done.
2021-05-29 21:35:06 [NOTICE] [configure] 800 out of 952 done.
2021-05-29 21:35:06 [NOTICE] [configure] 900 out of 952 done.
2021-05-29 21:35:12 [NOTICE] [configure] System configuration has finished.

There were errors detected during install.

Expected outcome: installation succeeds

Foreman and Proxy versions: foreman-2.4.0-1.el8.noarch

Foreman and Proxy plugin versions:

Distribution and version: centos8

Other relevant data:

this is a systemd-nspawn container. These containers do not enable selinux because they do not run their own kernel, they share it from the host. So even if I enable it, it’s still disabled.
I need an option to override selinux but I cannot see it in the installer. Is there something I can use, or is this impossible and I need to start a full vm?

gvde · May 30, 2021, 5:41am

It’s not supported: Installing Foreman 2.4 server on Enterprise Linux

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

oxtan · May 30, 2021, 9:00pm

ah, ok. I installed it in a centos 7 nspawn container and it works fine, so this will be the fix I needed.

ekohl · May 31, 2021, 9:18am

Normally this should work. It looks like the SELinux fact is reporting that SELinux is enabled, but not really. I’m not sure if you can override the fact. Back in the day you could use export FACTER_selinux=false but I’m not sure how that’s done now with structured facts.

Can you check the output of facter os.selinux?

oxtan · May 31, 2021, 4:42pm

I need to recreate a nspawn container with centos 8 and reinstall tfm, I’ll do it and post my findings?

oxtan · May 31, 2021, 5:13pm

this is the requested output:

facter os.selinux

{
config_mode => “enforcing”,
config_policy => “targeted”,
current_mode => “enforcing”,
enabled => true,
enforced => true,
policy_version => “33”
}

oxtan · May 31, 2021, 5:21pm

I tried the envvar FACTER_selinux=false but same error during foreman-installer

ekohl · May 31, 2021, 8:28pm

Yes, so the problem is that facter thinks it’s in enforcing mode but it really isn’t. Reading facter/selinux.rb at main · puppetlabs/facter · GitHub it looks like it reads some selinuxfs as reported in /proc/self/mounts.

Generally speaking Foreman can run without SELinux or in disabled mode, but we can’t really deal with this. SELinux appears to be enforcing, but the installer can’t change some booleans that must be on. It may be a workaround to enable those manually in the “host”.

Another might be to unmount the SELinux filesystem in the nspawn container, but I don’t know nspawn well enough to say for sure.