Running Concourse on CentOS 7? Could you help with SELinux?

Hi

I’m running Concourse on CentOS 7; I’ve set up the web and worker on separate VMs.

For the most part I have all the configuration documented for the two configurations (firewalld, systemd, kernel-ml etc.), but I’ve had to resort to turning off SELinux to get the worker to function. (With it enabled the service will run and load etc., but I get an error trying to fork /usr/bin/tar or a runc error getting the final child’s pid.)

example of the tar error

example go error

So I wanted to ask the community: if you are running Concourse with SELinux, would you be willing to help me understand how you wrote the policy to allow them to play nicely? :slight_smile: I’m not seeing anything being denied in the audit log, and I’m no expert with SELinux.

I would appreciate anyone’s help on the matter.

Thank you

I went down this path just about a month ago. I ran into so many issues with SELinux: I’d fix one rule, then another would crop up. I eventually got tired of spending 3+ days trying to work it out and tried Concourse as a Docker image… My life dramatically improved after that. My suggestion: just run it under Docker… you’ll save yourself all the frustration I went through.

You can set the SELinux policy to permissive for an object type with semanage permissive -a concourse_worker_t and tag the whole Concourse dir with that, followed by using audit2allow to create a proper policy file which you can then re-use on other workers.

Once you’ve achieved that, you semanage enforcing -a concourse_worker_t and watch for a bit to make sure things work as expected.
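The permissive-domain workflow from the reply above, written out as a script. This is an added example, not code from this thread or from the Concourse project. It assumes the worker binary is at /usr/local/bin/concourse and runs as concourse-worker.service (both overridable), and that selinux-policy-devel (for the devel Makefile), policycoreutils-python (semanage, audit2allow) and audit (ausearch) are installed, as they would be on CentOS 7. Two details matter in practice: semanage permissive -a can only refer to a type that already exists, so the script first installs a tiny module declaring concourse_worker_t and its entrypoint type; and the step that puts the domain back into enforcing mode is semanage permissive -d, which removes the per-domain permissive flag. The semodule -DB call temporarily disables dontaudit rules, which is the usual reason a service fails under enforcing mode while audit.log shows no denials; semodule -B restores them afterwards.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Concourse project.
# Bootstraps a permissive SELinux domain for the Concourse worker, harvests
# the AVC denials it generates, builds a policy module from them, then drops
# the permissive flag. Assumed (adjust to your install): binary at
# /usr/local/bin/concourse, systemd unit concourse-worker.service, and the
# selinux-policy-devel, policycoreutils-python and audit packages present.
set -eu

DOMAIN=concourse_worker                                  # type becomes concourse_worker_t
WORKER_BIN="${WORKER_BIN:-/usr/local/bin/concourse}"     # assumed path
WORKER_UNIT="${WORKER_UNIT:-concourse-worker.service}"   # assumed unit name
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile         # from selinux-policy-devel

# Minimal refpolicy source declaring the domain and its entrypoint type.
# init_daemon_domain() lets systemd (init_t) transition into ${DOMAIN}_t when
# it execs a file labelled ${DOMAIN}_exec_t; nothing else is allowed yet.
policy_source() {
    cat <<EOF
policy_module(${DOMAIN}, 1.0.0)

type ${DOMAIN}_t;
type ${DOMAIN}_exec_t;
init_daemon_domain(${DOMAIN}_t, ${DOMAIN}_exec_t)
EOF
}

# Keep only AVC records whose *source* context is our domain, so denials
# from other services on the box do not leak into the generated policy.
# Reads audit records on stdin (ausearch output or raw audit.log lines).
avc_for_domain() {
    grep -E "scontext=[^ ]*:${DOMAIN}_t:" || true
}

# Constructed sample audit records (not real logs) so the filter can be
# exercised offline; only the first record belongs to our domain.
SAMPLE_AVC='type=AVC msg=audit(1600000000.123:456): avc:  denied  { execute } for  pid=1234 comm="concourse" name="tar" scontext=system_u:system_r:concourse_worker_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.124:457): avc:  denied  { read } for  pid=99 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

demo_filter() {
    printf '%s\n' "$SAMPLE_AVC" | avc_for_domain
}

# Step 1: build and install the domain, then label the worker binary.
install_domain() {
    tmp=$(mktemp -d)
    policy_source > "$tmp/${DOMAIN}.te"
    ( cd "$tmp" && make -f "$DEVEL_MAKEFILE" "${DOMAIN}.pp" )
    semodule -i "$tmp/${DOMAIN}.pp"
    semanage fcontext -a -t "${DOMAIN}_exec_t" "$WORKER_BIN"
    restorecon -v "$WORKER_BIN"
}

# Step 2: make only this domain permissive (the rest of the box stays
# enforcing) and surface denials that dontaudit rules would otherwise hide.
make_permissive() {
    semanage permissive -a "${DOMAIN}_t"
    semodule -DB
    systemctl restart "$WORKER_UNIT"
}

# Step 3: after exercising real pipelines, turn the collected denials into
# a second module, review its .te file, and re-enable enforcement.
build_and_enforce() {
    ausearch -m AVC,USER_AVC -ts boot | avc_for_domain | audit2allow -M "${DOMAIN}_local"
    semodule -i "${DOMAIN}_local.pp"
    semodule -B                            # restore dontaudit rules
    semanage permissive -d "${DOMAIN}_t"   # removes the per-domain permissive flag
    systemctl restart "$WORKER_UNIT"
}

case "${1:-}" in
    install)    install_domain ;;
    permissive) make_permissive ;;
    enforce)    build_and_enforce ;;
    demo)       demo_filter ;;
    *)          ;;   # no argument: only define the functions
esac
```

Run it as install, then permissive, then drive the worker through the pipelines you actually use before running enforce; audit2allow allows exactly what it saw, so read ${DOMAIN}_local.te before trusting it, and copy both .pp files to the other workers rather than repeating the collection there.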