resultsdb: set sebool httpd_execmem=true for fedora-messaging

After the upgrade to fedora-messaging-2.0.1, we started seeing a bunch of 500s
coming out of resultsdb. Turns out that selinux was blocking part of the code
that was emitting messages on rabbitmq. This is apparently a known issue in
python-cryptography [1] and their docs say that the sebool deny_execmem needs
to be off.

Since this is executed by apache, this leads to httpd_execmem needing to be true.
I still don't understand why this started suddenly - the underlying issue in
python-cryptography has been there for a while. Either way, I'm changing the
sebool for resultsdb machines to make sure it doesn't continue to cause problems
for things that are submitting results to resultsdb.
Tim Flink 2020-01-16 21:25:29 +00:00 committed by Pierre-Yves Chibon
parent a25daf8d0a
commit 8c96b12e65

@ -46,6 +46,9 @@
- name: ensure selinux lets httpd talk to postgres
seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
- name: ensure selinux lets fedora-messaging emit messages
seboolean: name=httpd_execmem persistent=yes state=yes
- name: generate resultsdb config
template: src=settings.py.j2 dest=/etc/resultsdb/settings.py owner=root group=root mode=0644
notify:
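Review bot: the new task `seboolean: name=httpd_execmem persistent=yes state=yes` carries no comment explaining why it is needed, and its name ("ensure selinux lets fedora-messaging emit messages") hides what it actually changes. `httpd_execmem` is a process-domain boolean, so turning it on permits writable and executable memory for everything Apache runs on these hosts, not only the fedora-messaging code path in resultsdb. Please add a comment above the task that names the python-cryptography issue referenced as [1] in the commit message and states that the boolean is a workaround. Since the commit message says the trigger for the sudden failures is not yet understood, also note that the setting should be revisited and set back to `state=no` once the root cause is found or fixed upstream. Renaming the task to mention execmem would make the trade-off visible to anyone reading the playbook output.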