
Boot initialization service startup error - SELinux is preventing access on file

vivekbksingh
New Contributor III

We have successfully installed the SC client and can see tun0 is up with an IP of 192.168.255.2.

After Boot Initialization Configuration we are seeing the below error while starting the connect2initialization service:

>>

[root@........... connect2-client]# systemctl restart connect2initialization.service
Job for connect2initialization.service failed because the control process exited with error code.
See "systemctl status connect2initialization.service" and "journalctl -xe" for details.


[root@........... connect2-client]# systemctl status connect2initialization.service
● connect2initialization.service - This will flush Iptables and start Connect2.0 Openvpn Service
Loaded: loaded (/etc/systemd/system/connect2initialization.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2023-06-28 09:52:27 AWST; 12s ago
Process: 5152 ExecStart=/bin/bash /etc/init.d/connect2initialization.sh (code=exited, status=2)
Main PID: 5152 (code=exited, status=2)

Jun 28 09:52:27 is-nix-669 systemd[1]: Starting This will flush Iptables and start Connect2.0 Openvpn Service...
Jun 28 09:52:27 is-nix-669 systemd[1]: connect2initialization.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 28 09:52:27 is-nix-669 systemd[1]: connect2initialization.service: Failed with result 'exit-code'.
Jun 28 09:52:27 is-nix-669 systemd[1]: Failed to start This will flush Iptables and start Connect2.0 Openvpn Service.
[root@........... connect2-client]#journalctl -xe
Jun 28 09:52:43 is-nix-669 setroubleshoot[5160]: AnalyzeThread.run(): Cancel pending alarm
Jun 28 09:52:43 is-nix-669 setroubleshoot[5160]: failed to retrieve rpm info for /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
Jun 28 09:52:43 is-nix-669 dbus-daemon[796]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.577' (uid=994 pid=5160 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0") (using ser>
Jun 28 09:52:43 is-nix-669 dbus-daemon[796]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jun 28 09:52:44 is-nix-669 /SetroubleshootPrivileged.py[5174]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/audisp_mdatp
Jun 28 09:52:44 is-nix-669 setroubleshoot[5160]: SELinux is preventing /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin from getattr access on the file /proc/sys/net/ipv4/neigh/lo/retrans_time_ms. For complete SELinux messages run: sealert -l 603d9014-35a5-409b-9969-2d9c86d318d4
Jun 28 09:52:44 is-nix-669 setroubleshoot[5160]: SELinux is preventing /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin from getattr access on the file /proc/sys/net/ipv4/neigh/lo/retrans_time_ms.

 

<<


rushikeshvartak
All-Star

Why can't the SELinux property be used in prevention mode with this solution?

Setting the SELinux property to “enforcing” won’t allow the certificate to be kept secretly for pinning, hence exposing it to being spoofed; that's the reason the property has to be set to permissive/disabled.

https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-FA...

 

  1. Confirm output is net.ipv4.ip_forward = 1.

    # if not =1 then add or update net.ipv4.ip_forward = 1 using vi editor vi /etc/sysctl.conf

    setenforce 0

    echo 0 > /sys/fs/selinux/enforce

  2. Update to permissive mode for selinux.

    vi /etc/selinux/config

https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Cl... 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi Rushikesh,

I can confirm that net.ipv4.ip_forward = 1:

[root@........ client]# cat /etc/sysctl.conf
.......<removed irrelevant content>
net.ipv4.ip_forward = 1

The boot initialization script is running the commands which you have mentioned.

setenforce 0
echo 0 > /sys/fs/selinux/enforce

Hence, trying to understand why we need to specifically edit the SELinux config?

vi /etc/selinux/config

We shouldn't be needing to edit this config as the script is running 

setenforce 0

One is for temporary and the other for permanent.


Regards,
Rushikesh Vartak

Do we need to do both? We run the command to temporarily set it to permissive mode so that we don't have to do that permanently.

As per documentation, yes.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
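
The difference between the two settings discussed in this thread, as an added example that is not part of any post or of Saviynt's scripts: setenforce 0 changes only the running mode, while the SELINUX= line in /etc/selinux/config decides the mode at the next boot. The function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names, not Saviynt's script).

# Print the value of the first uncommented SELINUX= line, lowercased.
configured_mode() {
    local file="$1" mode
    [ -r "$file" ] || { echo "unknown"; return 0; }
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([[:alpha:]]*\).*/\1/p' "$file" | head -n 1)
    printf '%s\n' "${mode:-unknown}" | tr '[:upper:]' '[:lower:]'
}

# Say whether the runtime mode survives a reboot.
reboot_verdict() {
    local runtime="$1" configured="$2"
    if [ "$configured" = "unknown" ]; then
        echo "unknown: $runtime now, boot-time mode could not be read"
    elif [ "$runtime" = "$configured" ]; then
        echo "persistent: $runtime now and after reboot"
    else
        echo "temporary: $runtime now, $configured after reboot"
    fi
}

# Constructed sample: a config left at enforcing on a host where
# "setenforce 0" was run, so the runtime mode is permissive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
reboot_verdict "permissive" "$(configured_mode "$sample")"
rm -f "$sample"

# On a real host with SELinux tools installed, report the live state.
if command -v getenforce >/dev/null 2>&1; then
    live=$(getenforce | tr '[:upper:]' '[:lower:]')
    reboot_verdict "$live" "$(configured_mode /etc/selinux/config)"
fi
```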