When trying to install SRAdmin using srainstall.bin, we get the following:
# ./srainstall.bin -i silent
JRE libraries are missing or not compatible....
Exiting....
When installing Spectrum via sdiclinux.exe using an HII and password file, I get "Operation not permitted" when executing:
./sdiclinux.exe -h HII.txt -p pwd.txt -test
<ServerName>: Error launching ./linux/distinst
<ServerName>: ./linux/distinst: Operation not permitted
Release : 21.2, 22.2
The system has fapolicyd installed and running, which is blocking the execution and opening of files needed to both install and run.
fapolicyd
"The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#doc-wrapper
The Linux systems have fapolicyd installed and running, which locks down access to files (open/execute).
Rules need to be created for both root (install/processd) and the spectrum user.
An example that allowed SRAdmin and Spectrum to both install and run:
Created rules file: /etc/fapolicyd/rules.d/39-spectrum.rules
Added:
# Carve out exceptions for Spectrum
allow perm=any uid=1009 : dir=/opt
allow perm=any uid=0 : dir=/opt
# /tmp for Install anywhere and any temp files needed during execution
allow perm=any uid=1009 : dir=/tmp
allow perm=any uid=0 : dir=/tmp
#Install directories
allow perm=any uid=1009 : dir=/usr/Spectrum
allow perm=any uid=0 : dir=/usr/Spectrum
allow perm=any uid=1009 : dir=/sw/SPECTRUM/SRAdmin
allow perm=any uid=0 : dir=/sw/SPECTRUM/SRAdmin
#Install Media
allow perm=any uid=0 : dir=/netops_media
Note: The fapolicyd daemon needs to be restarted for the new rules to take effect:
systemctl stop fapolicyd
systemctl start fapolicyd
Note: uid=0 is root, and uid=1009 was the spectrum user (the uid for the spectrum user varies from system to system; use the `id` command to obtain it).
This allowed the install to execute and complete, and allowed Spectrum to start and run.
These rules are broad (perm=any on entire directories such as /opt and /tmp) and can likely be tuned further.
Debugging fapolicyd to see if it is denying execution
https://access.redhat.com/solutions/5336451
Stop the fapolicyd service.
# systemctl stop fapolicyd
Run fapolicyd in debug mode, saving its messages to a log file.
# fapolicyd --debug 2> /tmp/fapolicy.log
Try to perform the denied operation.
Stop fapolicyd by pressing Ctrl-C.
Inspect the log file, searching for the rules that prevent the desired operation from being performed. For example:
fapolicyd.log
--------------------------------------------------------------------------
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
deny_audit perm=execute all : all
allow perm=open all : all
Loaded 14 rules
~
~
rule=8 dec=deny_audit perm=open auid=1008 pid=26455 exe=/tmp/install.dir.26279/Linux/resource/jre/bin/java : path=/tmp/install.dir.26279/Linux/resource/jre/lib/amd64/jli/libjli.so ftype=application/x-sharedlib trust=0
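
One way to do the log inspection step, as an added example (not part of the original article or of fapolicyd): the Python script below groups every deny decision in a debug log by the rule that produced it. The function name denials_by_rule is hypothetical, the last two decision lines in the sample are constructed, and it assumes rule=N is the 1-based position in the rule list printed at the top of the log, as the sample above suggests.

```python
import re
from collections import defaultdict

# Constructed sample: the rule list and first decision line are the ones shown
# above; the last two decision lines are made up in the same format.
SAMPLE_LOG = """\
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
deny_audit perm=execute all : all
allow perm=open all : all
Loaded 14 rules
rule=8 dec=deny_audit perm=open auid=1008 pid=26455 exe=/tmp/install.dir.26279/Linux/resource/jre/bin/java : path=/tmp/install.dir.26279/Linux/resource/jre/lib/amd64/jli/libjli.so ftype=application/x-sharedlib trust=0
rule=13 dec=deny_audit perm=execute auid=1008 pid=26460 exe=/usr/bin/bash : path=/tmp/install.dir.26279/Linux/resource/jre/bin/java ftype=application/x-executable trust=0
rule=14 dec=allow perm=open auid=1008 pid=26461 exe=/usr/bin/bash : path=/etc/hostname ftype=text/plain trust=0
"""

RULE = re.compile(r"^(allow|deny)(_\w+)?\s")          # a loaded-rule line
DECISION = re.compile(r"^rule=(\d+) dec=(\S+) (.*)$")  # a per-access decision

def denials_by_rule(log_text):
    """Map (rule number, rule text) -> sorted list of (exe, path, ftype) denied."""
    rules, hits = [], defaultdict(set)
    for line in map(str.strip, log_text.splitlines()):
        m = DECISION.match(line)
        if RULE.match(line):
            rules.append(line)  # rule list is printed before the decisions
        elif m and m.group(2).startswith("deny"):
            # key=value tokens; assumes no spaces inside exe/path values
            f = dict(t.split("=", 1) for t in m.group(3).split() if "=" in t)
            hits[int(m.group(1))].add(
                (f.get("exe", "?"), f.get("path", "?"), f.get("ftype", "?")))
    # Assumption: rule=N is the 1-based position in the loaded rule list,
    # which matches the sample above (rule=8 is the shared-library deny).
    return {(n, rules[n - 1] if 0 < n <= len(rules) else "unknown"): sorted(v)
            for n, v in hits.items()}

if __name__ == "__main__":
    for (n, text), items in sorted(denials_by_rule(SAMPLE_LOG).items()):
        print(f"rule {n}: {text}")
        for exe, path, ftype in items:
            print(f"    exe={exe}\n    path={path} ({ftype})")
```

The denied paths and file types per rule show which directories and file kinds an exception actually has to cover, which helps keep new rules narrower than a blanket perm=any on a whole directory.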