Timeout when stopping Policy Server on Linux Systemd
search cancel

Timeout when stopping Policy Server on Linux Systemd

book

Article ID: 398037

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

Stopping the Policy Server with systemd on Linux, it takes 2 - 3 minutes, and reaches a timeout. The systemd process reports:

May 05 09:23:36 <host> stop-ps[280922]: /{home_policy_server}/smpolsrv[31]: /{home_policy_server}/config/.siteminder.conf: cannot create [Permission denied]
May 05 09:25:07 <host> systemd[1]: <service>.service: Stopping timed out. Terminating.
May 05 09:25:07 <host> stop-ps[280935]: SiteMinder Policy Server is stopping.......
May 05 09:25:37 <host> systemd[1]: <service>.service: Failed with result 'timeout'.
May 05 09:25:37 <host> systemd[1]: Stopped fk-siteminder Service.

Cause

From the system message, the SELinux blocks the full shutdown process, preventing the Policy Server to be able to write a temporary file called

/{home_policy_server}/config/.siteminder.conf.

May  5 09:14:14 <host> setroubleshoot[280702]: SELinux is preventing /usr/bin/ksh93 from add_name access on the directory .siteminder.conf. For complete SELinux messages run: sealert -l <value>
May  5 09:14:14 <host>sadbsatps2 setroubleshoot[280702]: SELinux is preventing /usr/bin/ksh93 from add_name access on the directory .siteminder.conf.
#012#012*****  Plugin file (35.3 confidence) suggests   ******************************#012#012
This is caused by a newly created file system.
#012Then you need to add labels to it.
#012Do#012/sbin/restorecon -R -v .siteminder.conf
#012#012*****  Plugin file (35.3 confidence) suggests   ******************************#012#012
If you think this is caused by a badly mislabeled machine.
#012Then you need to fully relabel.
#012Do
#012touch /.autorelabel; reboot
#012#012*****  Plugin catchall_labels (6.31 confidence) suggests   *******************#012#012
If you want to allow ksh93 to have add_name access on the .siteminder.conf directory
#012Then you need to change the label on .siteminder.conf
#012Do
#012
# semanage fcontext -a -t FILE_TYPE '.siteminder.conf'
#012where FILE_TYPE is one of the following: NetworkManager_unit_file_t, [...omitted for brevity...]

As per documentation, SELinux should be permissive or disable on the host (1).

 

Resolution

On the Policy Server machine, set SELINUX=disabled in the file (1)

/etc/selinux/config

or

Configure the SELinux for the Policy Server to "Add Exceptions to Security–Enhanced Linux (SELinux)" (1).  

Additional Information

Powered by Wolken Software