
Fix SELinux denials on SSH fleet provisioning #3702

Merged
peterschmidt85 merged 1 commit into master from fix/selinux-ssh-fleet-provisioning
Mar 27, 2026

Conversation

@peterschmidt85 (Contributor)

Summary

  • On SELinux-enforcing hosts (RHEL, Rocky, CentOS), files moved from /tmp retain their original SELinux context (user_tmp_t/unconfined_u). systemd cannot read these files, causing the shim service to fail with "Permission denied".
  • Add chcon after mv to set correct SELinux contexts: systemd_unit_file_t for the service file, etc_t for the env file. No-op on non-SELinux systems.
  • Replace mv with cp+rm for the shim binary to ensure correct context in /usr/local/bin/.

Test plan

  • Tested on RHEL 9.4 with SELinux Enforcing — fleet goes active
  • Tested on Ubuntu 24.04 (no SELinux) — fleet goes active
  • All Python tests pass (2357 passed)
  • Pre-commit hooks pass

🤖 Generated with Claude Code

On SELinux-enforcing hosts (RHEL, Rocky), files moved from /tmp retain
their original SELinux context. systemd (init_t) cannot read files with
user_tmp_t or unconfined_u context, causing the shim service to fail.

Fix by adding chcon after mv to set correct SELinux contexts for the
service file (systemd_unit_file_t) and env file (etc_t). The chcon
is a no-op on non-SELinux systems via 2>/dev/null || true.

Also replace mv with cp+rm for the shim binary download to ensure
correct context in /usr/local/bin/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
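As an added example (not the project's or the PR's own code), here is the install step written the way the description above explains it: create a fresh inode at the destination with cp+rm so the file no longer carries the /tmp label, pin the type with chcon, and then verify the type instead of discarding chcon's exit status; directory and file names are placeholders, and chcon only runs when selinuxfs is mounted.

```shell
#!/bin/sh
# Added example, not the project's or the PR's own code: install files staged
# in /tmp so the copies carry a label systemd (init_t) can read, then verify
# the type. Directory and file names are placeholders chosen for illustration.
set -eu

# True only when selinuxfs is mounted, i.e. the kernel is applying labels.
selinux_active() {
    [ -r /sys/fs/selinux/enforce ] && command -v chcon >/dev/null 2>&1
}

# label_of PATH: print the SELinux type of PATH, or "none" on a non-SELinux host
label_of() {
    ctx=$(stat -c %C "$1" 2>/dev/null || echo '?')
    case $ctx in
        ''|'?') echo none ;;
        *) echo "$ctx" | cut -d: -f3 ;;   # user:role:type:level -> type
    esac
}

# install_with_type SRC DST TYPE: cp (new inode, destination's default label),
# rm the staged copy, pin TYPE, and fail loudly rather than "2>/dev/null || true"
install_with_type() {
    src=$1; dst=$2; setype=$3
    cp "$src" "$dst"
    rm -f "$src"
    if selinux_active; then
        chcon -t "$setype" "$dst"
        [ "$(label_of "$dst")" = "$setype" ] || {
            echo "relabel of $dst to $setype failed" >&2; return 1; }
    fi
}

# provision_shim STAGE_DIR UNIT_DIR ENV_DIR BIN_DIR: the three files from the PR
provision_shim() {
    stage=$1; unit_dir=$2; env_dir=$3; bin_dir=$4
    install_with_type "$stage/shim.service" "$unit_dir/shim.service" systemd_unit_file_t
    install_with_type "$stage/shim.env" "$env_dir/shim.env" etc_t
    # The binary gets no explicit type: a fresh inode under /usr/local/bin
    # inherits that directory's default label, which is what cp+rm relies on.
    cp "$stage/shim" "$bin_dir/shim"
    rm -f "$stage/shim"
    chmod 0755 "$bin_dir/shim"
}
```

Where the policy already knows the destination paths, `restorecon` on the installed files applies the policy's default label and avoids hard-coding types in the script.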
@peterschmidt85 peterschmidt85 requested a review from un-def March 26, 2026 17:25