Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Self-hosted Linux-based runners do not start properly when SELinux is enabled #32592

Closed
1 task done
bschonec opened this issue Apr 19, 2024 · 13 comments
Closed
1 task done

Self-hosted Linux-based runners do not start properly when SELinux is enabled #32592

bschonec opened this issue Apr 19, 2024 · 13 comments
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team SME reviewed An SME has reviewed this issue/PR stale There is no recent activity on this issue or pull request

Comments

@bschonec
Copy link

bschonec commented Apr 19, 2024
edited
Loading

Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service

What part(s) of the article would you like to see updated?

There should be some reference to the proper SELinux context when enabling the runners on systemd-enabled distributions.

In "Step 6: Start the runner" of this article it mentions a minimal context for runsvc.sh. I needed to "chcon -R system_u:object_r:usr_t:s0 " for the runner to start via systemd scripts.

Additional information

No response
@bschonec bschonec added the content This issue or pull request belongs to the Docs Content team label Apr 19, 2024
@welcome Welcome
Copy link

welcome bot commented Apr 19, 2024

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Apr 19, 2024
@nguyenalex836 nguyenalex836 added actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Apr 19, 2024
@nguyenalex836
Copy link
Contributor

@bschonec Thank you for opening this issue! I'll get this triaged for review ✨

@SiaraMist SiaraMist added the needs SME This proposal needs review from a subject matter expert label May 30, 2024
@github-actions GitHub Actions
Copy link
Contributor

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

@github-actions GitHub Actions
Copy link
Contributor

This is a gentle bump for the docs team that this issue is waiting for technical review.

@github-actions github-actions bot added the SME stale The request for an SME has staled label Jun 28, 2024
@nguyenalex836 nguyenalex836 removed the SME stale The request for an SME has staled label Jun 28, 2024
@namka279

This comment was marked as spam.

Sign in to view
@namka279

This comment was marked as spam.

Sign in to view
@Jeremiegmoore

This comment was marked as spam.

Sign in to view
@Jeremiegmoore

This comment was marked as spam.

Sign in to view
@Jeremiegmoore

This comment was marked as spam.

Sign in to view
@ericsciple
Copy link
Member

The problem is your admin can configure the SELinux on the machine to lock down all kinds of permission. When the runner fails to configure or start due SELinux, the customer needs to work with their admin to track down the required permission.

We had small patch like this for SELinux, but might not able to catch all cases, especially for cases that needs to run arbitrary commands on the customer's machine like the one mentioned in the issue:

chcon -R system_u:object_r:usr_t:s0

@bschonec
Copy link
Author

@ericsciple, you are correct but the original reason for me opening this issue is that there isn't any mention of this in the documentation.

@nguyenalex836 nguyenalex836 added SME reviewed An SME has reviewed this issue/PR and removed waiting for review Issue/PR is waiting for a writer's review needs SME This proposal needs review from a subject matter expert labels Jul 17, 2024
@github-actions GitHub Actions
Copy link
Contributor

A stale label has been added to this issue because it has been open for 60 days with no activity. To keep this issue open, add a comment within 3 days.

@github-actions github-actions bot added the stale There is no recent activity on this issue or pull request label Sep 16, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 16, 2024
@bschonec
Copy link
Author

Why was this closed? It's a simple matter to add a few lines to the documentation to describe the behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team SME reviewed An SME has reviewed this issue/PR stale There is no recent activity on this issue or pull request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@bschonec @ericsciple @SiaraMist @Jeremiegmoore @nguyenalex836 @namka279