From 8c96b12e65a33e5728995db5e516418f6aa41f1c Mon Sep 17 00:00:00 2001
From: Tim Flink
Date: Thu, 16 Jan 2020 21:25:29 +0000
Subject: [PATCH] resultsdb: set sebool httpd_execmem=true for fedora-messaging

After the upgrade to fedora-messaging-2.0.1, we started seeing a bunch of 500s coming out of resultsdb. Turns out that selinux was blocking part of the code that was emitting messages on rabbitmq. This is apparently a known issue in python-cryptography [1] and their docs say that the sebool deny_execmem needs to be off. Since this is executed by apache, this leads to httpd_execmem needing to be true. I still don't understand why this started suddenly - the underlying issue in python-cryptography has been there for a while. Either way, I'm changing the sebool for resultsdb machines to make sure it doesn't continue to cause problems for things that are submitting results to resultsdb.
---
 roles/taskotron/resultsdb-backend/tasks/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml
index d8ff05d116..c1ca05965f 100644
--- a/roles/taskotron/resultsdb-backend/tasks/main.yml
+++ b/roles/taskotron/resultsdb-backend/tasks/main.yml
@@ -46,6 +46,9 @@
 - name: ensure selinux lets httpd talk to postgres
 seboolean: name=httpd_can_network_connect_db persistent=yes state=yes

+- name: ensure selinux lets fedora-messaging emit messages
+ seboolean: name=httpd_execmem persistent=yes state=yes
+
 - name: generate resultsdb config
 template: src=settings.py.j2 dest=/etc/resultsdb/settings.py owner=root group=root mode=0644
 notify:
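Review bot: The added `httpd_execmem` task has no comment recording what it relaxes or why, and its name describes the symptom rather than the permission being granted. The boolean lets every process in the httpd domain on these hosts map memory that is both writable and executable, which weakens a mitigation against injected code, so the justification belongs next to the task and not only in the commit message. I would rename it to `- name: allow httpd execmem (python-cryptography needs it for fedora-messaging)` and add above it `# relaxes the SELinux execmem restriction for all of httpd on this host; remove once python-cryptography no longer needs execmem`. Whether anything else is served by httpd on the resultsdb machines is not visible from this hunk, and the task list continues past its last line.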