
Spectrum Install Fails When fapolicyd Is Running - Operation not permitted


Article ID: 257764


Updated On:

Products

DX NetOps CA Spectrum

Issue/Introduction


When trying to install SRAdmin using srainstall.bin, we get the following:

# ./srainstall.bin -i silent
JRE libraries are missing or not compatible....
Exiting....



When installing Spectrum via sdiclinux.exe using an HII and password file, we get "Operation not permitted" when executing:


./sdiclinux.exe -h HII.txt -p pwd.txt -test

<ServerName>: Error launching ./linux/distinst
<ServerName>: ./linux/distinst: Operation not permitted

 

Environment

Release : 21.2, 22.2

Cause


The system has fapolicyd installed and running, which blocks the execution and opening of files needed to both install and run Spectrum.

fapolicyd
"The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system."

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#doc-wrapper

 

 

Resolution


The Linux systems have fapolicyd installed and running, which locks down access to files (open/execute).


Rules need to be created for both root (install/processd) and the spectrum user.


An example that allowed SRAdmin and Spectrum to both install and run:

Created rules file:  /etc/fapolicyd/rules.d/39-spectrum.rules
Added:

# Carve out exceptions for Spectrum
allow perm=any uid=1009 : dir=/opt
allow perm=any uid=0 : dir=/opt
# /tmp for Install anywhere and any temp files needed during execution
allow perm=any uid=1009 : dir=/tmp
allow perm=any uid=0 : dir=/tmp
#Install directories
allow perm=any uid=1009 : dir=/usr/Spectrum
allow perm=any uid=0 : dir=/usr/Spectrum
allow perm=any uid=1009 : dir=/sw/SPECTRUM/SRAdmin
allow perm=any uid=0 : dir=/sw/SPECTRUM/SRAdmin
#Install Media
allow perm=any uid=0 : dir=/netops_media


Note: The fapolicyd daemon needs to be restarted for the new rules to take effect:
               systemctl stop fapolicyd
               systemctl start fapolicyd

Note: uid=0 is root, and uid=1009 was the spectrum user in this example. The uid of the spectrum user varies from system to system; use the `id` command to obtain it.

This allowed the install to execute and complete, and allowed Spectrum to start and run.


This can likely be further tuned: as written, the rules allow uid 0 and the spectrum uid any access (open and execute) to everything under the listed directories, including /tmp.

Additional Information


Debugging fapolicyd to see if it is denying execution

https://access.redhat.com/solutions/5336451

Stop the fapolicyd service.
# systemctl stop fapolicyd


Run fapolicyd in debug mode, saving its messages to a log file.
# fapolicyd --debug 2> /tmp/fapolicy.log

Try to perform the denied operation.

Stop fapolicyd by pressing Ctrl-C.

Inspect the log file, searching for the rules that prevent the desired operation from being performed. For example:


fapolicyd.log
--------------------------------------------------------------------------
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
deny_audit perm=execute all : all
allow perm=open all : all
Loaded 14 rules
~
~
rule=8 dec=deny_audit perm=open auid=1008 pid=26455 exe=/tmp/install.dir.26279/Linux/resource/jre/bin/java : path=/tmp/install.dir.26279/Linux/resource/jre/lib/amd64/jli/libjli.so ftype=application/x-sharedlib trust=0
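
To make the log inspection step repeatable, the following added example (not part of the original article or of fapolicyd itself) collapses a debug log into one line per distinct denial and shows the text of the rule that matched. The function names `fapolicyd_denials` and `sample_log` are hypothetical, and the sample log is constructed to follow the excerpt above.

```shell
#!/bin/sh
# Added example: summarise denials from a `fapolicyd --debug` log.
# Assumes the layout shown in the excerpt above: the rule dump, then
# "Loaded N rules", then one "rule=N dec=..." line per decision.
# Paths containing spaces are not handled (fields are split on blanks).

fapolicyd_denials() {
    awk '
        # Rule dump: number the rules in load order, starting at 1.
        !loaded && /^(allow|deny)/ { rules[++n] = $0; next }
        /^Loaded [0-9]+ rules/     { loaded = 1; next }
        # Decision lines: keep deny and deny_audit, skip allows.
        /^rule=[0-9]+ dec=deny/ {
            split("", kv)                          # clear the key=value map
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            who = ("uid" in kv) ? "uid=" kv["uid"] : "auid=" kv["auid"]
            key = kv["rule"] " " who " exe=" kv["exe"] " path=" kv["path"] " ftype=" kv["ftype"]
            if (!(key in count)) order[++k] = key  # keep first-seen order
            count[key]++
            rnum[key] = kv["rule"] + 0
        }
        END {
            for (j = 1; j <= k; j++) {
                key = order[j]
                printf "count=%d rule=%s matched=[%s]\n", count[key], key, rules[rnum[key]]
            }
        }
    ' "$@"
}

# Constructed sample modelled on the excerpt above (not a real capture).
sample_log() {
    cat <<'EOF'
allow perm=any uid=0 : dir=/var/tmp/
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=open all : all
Loaded 3 rules
rule=2 dec=deny_audit perm=open auid=1008 pid=101 exe=/tmp/inst/jre/bin/java : path=/tmp/inst/jre/lib/libjli.so ftype=application/x-sharedlib trust=0
rule=3 dec=allow perm=open auid=1008 pid=101 exe=/tmp/inst/jre/bin/java : path=/etc/hosts ftype=text/plain trust=0
rule=2 dec=deny_audit perm=open auid=1008 pid=102 exe=/tmp/inst/jre/bin/java : path=/tmp/inst/jre/lib/libjli.so ftype=application/x-sharedlib trust=0
EOF
}

# With a file argument, parse it; otherwise run the constructed sample.
if [ "$#" -gt 0 ]; then fapolicyd_denials "$@"; else sample_log | fapolicyd_denials; fi
```

Run it with the /tmp/fapolicy.log captured in the steps above as its argument; the exe, path and ftype of each denial show what a rule actually has to cover.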