Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Boot initialization service startup error - SELinux is preventing access on file

vivekbksingh
New Contributor III
New Contributor III

‎07/03/2023 06:34 PM

We have successfully installed SC client and can see tun0 is up with an ip in 192.168.255.2.

After Boot Initialization Configuration we are seeing below error while starting connect2initialization service:

>>

[root@........... connect2-client]# systemctl restart connect2initialization.service
Job for connect2initialization.service failed because the control process exited with error code.
See "systemctl status connect2initialization.service" and "journalctl -xe" for details.


[root@........... connect2-client]# systemctl status connect2initialization.service
● connect2initialization.service - This will flush Iptables and start Connect2.0 Openvpn Service
Loaded: loaded (/etc/systemd/system/connect2initialization.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2023-06-28 09:52:27 AWST; 12s ago
Process: 5152 ExecStart=/bin/bash /etc/init.d/connect2initialization.sh (code=exited, status=2)
Main PID: 5152 (code=exited, status=2)

Jun 28 09:52:27 is-nix-669 systemd[1]: Starting This will flush Iptables and start Connect2.0 Openvpn Service...
Jun 28 09:52:27 is-nix-669 systemd[1]: connect2initialization.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 28 09:52:27 is-nix-669 systemd[1]: connect2initialization.service: Failed with result 'exit-code'.
Jun 28 09:52:27 is-nix-669 systemd[1]: Failed to start This will flush Iptables and start Connect2.0 Openvpn Service.
[root@........... connect2-client]#journalctl -xe
Jun 28 09:52:43 is-nix-669 setroubleshoot[5160]: AnalyzeThread.run(): Cancel pending alarm
Jun 28 09:52:43 is-nix-669 setroubleshoot[5160]: failed to retrieve rpm info for /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
Jun 28 09:52:43 is-nix-669 dbus-daemon[796]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.577' (uid=994 pid=5160 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0") (using ser>
Jun 28 09:52:43 is-nix-669 dbus-daemon[796]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jun 28 09:52:44 is-nix-669 /SetroubleshootPrivileged.py[5174]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/audisp_mdatp
Jun 28 09:52:44 is-nix-669 setroubleshoot[5160]: SELinux is preventing /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin from getattr access on the file /proc/sys/net/ipv4/neigh/lo/retrans_time_ms. For complete SELinux messages run: sealert -l 603d9014-35a5-409b-9969-2d9c86d318d4
Jun 28 09:52:44 is-nix-669 setroubleshoot[5160]: SELinux is preventing /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin from getattr access on the file /proc/sys/net/ipv4/neigh/lo/retrans_time_ms.

 

<<

Labels:
0 Kudos
5 REPLIES 5

rushikeshvartak
All-Star
All-Star

‎07/03/2023 07:31 PM

Why SELinux property cannot be used in prevention mode with this solution?

Setting SELinux property “enforcing” won’t allow certificate to be kept secretly for pinning and hence exposing it to be spoofed, that's the reason property has to set to be permissive/ disabled.

https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-FA...

 

  1. Confirm output is net.ipv4.ip_forward = 1.

    # if not =1 then add or update net.ipv4.ip_forward = 1 using vi editor vi /etc/sysctl.conf

    setenforce 0

    echo 0 > /sys/fs/selinux/enforce

  2. Update to permissive mode for selinux.

    vi /etc/selinux/config

https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Cl... 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

vivekbksingh
New Contributor III
New Contributor III
In response to rushikeshvartak

‎07/03/2023 07:40 PM

Hi Rushikesh,

I can confirm that net.ipv4.ip_forward = 1, 

[root@........ client]# cat /etc/sysctl.conf
.......<removed irrelevant content>
net.ipv4.ip_forward = 1

The boot initialization script is running the commands which you have mentioned.

setenforce 0
echo 0 > /sys/fs/selinux/enforce

 Hence trying to understand why we need to specifically edit the selinux config?

vi /etc/selinux/config

We shouldn't be needing to edit this config as the script is running 

setenforce 0
0 Kudos

rushikeshvartak
All-Star
All-Star
In response to vivekbksingh

‎07/03/2023 07:43 PM - edited ‎07/03/2023 07:44 PM

1 it for temporary and other for permanent


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

vivekbksingh
New Contributor III
New Contributor III
In response to rushikeshvartak

‎07/03/2023 07:54 PM

Do we need to do both? We run the command to temporary set it to permissive mode so that we don't have to do that permanently.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to vivekbksingh

‎07/03/2023 08:24 PM

as per documentation yes


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos
Copyright © 2024 Khoros, LLC