
Self-hosted Linux-based runners do not start properly when SELinux is enabled

Open bschonec opened this issue 1 year ago • 11 comments

What article on docs.github.com is affected?

https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service

What part(s) of the article would you like to see updated?

There should be some reference to the proper SELinux context when enabling the runners on systemd-enabled distributions.

In "Step 6: Start the runner" of this article it mentions a minimal context for runsvc.sh. I needed to "chcon -R system_u:object_r:usr_t:s0 " for the runner to start via systemd scripts.

Additional information

No response

bschonec avatar Apr 19 '24 16:04 bschonec

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

welcome[bot] avatar Apr 19 '24 16:04 welcome[bot]

@bschonec Thank you for opening this issue! I'll get this triaged for review ✨

nguyenalex836 avatar Apr 19 '24 17:04 nguyenalex836

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:

github-actions[bot] avatar May 30 '24 18:05 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jun 28 '24 16:06 github-actions[bot]

#32592

namka279 avatar Jul 13 '24 01:07 namka279

  • [ ]

namka279 avatar Jul 13 '24 01:07 namka279

  • [ ]

Jeremiegmoore avatar Jul 13 '24 10:07 Jeremiegmoore

  • [ ]

Jeremiegmoore avatar Jul 13 '24 10:07 Jeremiegmoore

  • [ ]

Jeremiegmoore avatar Jul 13 '24 10:07 Jeremiegmoore

The problem is your admin can configure SELinux on the machine to lock down all kinds of permissions. When the runner fails to configure or start due to SELinux, the customer needs to work with their admin to track down the required permission.

We had a small patch like this for SELinux, but it might not be able to catch all cases, especially for cases that need to run arbitrary commands on the customer's machine like the one mentioned in the issue:

chcon -R system_u:object_r:usr_t:s0

ericsciple avatar Jul 15 '24 14:07 ericsciple
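
One way to track down which permission is being denied, as the comment above describes. This is an added example, not code from the thread or from the runner project; the audit lines are constructed samples in the standard AVC format, and the contexts in them (`init_t`, `user_home_t`) and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: group SELinux AVC denials by source type, target type,
# object class, permission and file name, with a count for each.

# Constructed audit.log lines; the contexts (init_t, user_home_t) are
# assumptions. On a real host, pipe `ausearch -m AVC -ts recent` in instead.
sample_avc_log() {
  cat <<'EOF'
type=AVC msg=audit(1713542640.123:401): avc:  denied  { execute } for  pid=2311 comm="(runsvc.sh)" name="runsvc.sh" dev="dm-0" ino=787 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1713542640.130:402): pid=1 uid=0 msg='unit=example comm="systemd" res=failed'
type=AVC msg=audit(1713542700.456:417): avc:  denied  { execute } for  pid=2398 comm="(runsvc.sh)" name="runsvc.sh" dev="dm-0" ino=787 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713542760.789:425): avc:  denied  { read open } for  pid=2440 comm="(runsvc.sh)" name="runsvc.sh" dev="dm-0" ino=787 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin; prints "count source_type target_type class perm name".
summarize_denials() {
  awk '
    /avc: +denied/ {
      src = tgt = cls = name = "?"
      # The denied permissions sit between "{ " and " }".
      if (!match($0, /\{ [^}]* \}/)) next
      perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
        else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
      }
      # One record can deny several permissions; count each separately.
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) seen[src " " tgt " " cls " " p[j] " " name]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k2
}

sample_avc_log | summarize_denials
```

A label set with `chcon` is lost on a filesystem relabel; `semanage fcontext` followed by `restorecon` records the rule persistently.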

@ericsciple, you are correct but the original reason for me opening this issue is that there isn't any mention of this in the documentation.

bschonec avatar Jul 15 '24 14:07 bschonec

A stale label has been added to this issue because it has been open for 60 days with no activity. To keep this issue open, add a comment within 3 days.

github-actions[bot] avatar Sep 16 '24 16:09 github-actions[bot]

Why was this closed? It's a simple matter to add a few lines to the documentation to describe the behavior.

bschonec avatar Sep 16 '24 16:09 bschonec