Bamboo Remote Agent using Systemd service fails to start due to SELinux
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Summary
After configuring the Bamboo remote agent as a Systemd service, attempts to start the service fail with the error "Job for bamboo-agent.service failed because the control process exited with error code."
Environment
The solution has been tested in the following environments:
Bamboo Data Center versions 9.6.0 and 9.2.7
Red Hat Linux 8.8 and Oracle Enterprise Linux 8.9
Diagnosis
When starting the service, the following error message appears:
Job for bamboo-agent.service failed because the control process exited with error code.
See "systemctl status bamboo-agent.service" and "journalctl -xe" for details.
Usually there will be no error messages in the Bamboo agent logs, so run the journalctl command on the remote agent host as the root user.
# journalctl -xe
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh. For complete SELinux messages run: se>
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed execute access on the bamboo-agent.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(agent.sh)' --raw | audit2allow -M my-agentsh
# semodule -X 300 -i my-agentsh.pp
Upon checking the syslog messages in /var/log/messages, the following log messages appear as well:
# cat /var/log/messages
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh. For complete SELinux messages run: sealert -l c105542b-af2a-429f-85db-7b6a758d4105
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd should be allowed execute access on the bamboo-agent.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(agent.sh)' --raw | audit2allow -M my-agentsh#012# semodule -X 300 -i my-agentsh.pp#012
Cause
Enterprise Linux platforms, like Red Hat Linux and Oracle Enterprise Linux, utilize Discretionary Access Control (DAC) systems such as SELinux to regulate access to the system.
SELinux establishes access controls for applications, processes and files within a system. In this particular case, SELinux is preventing systemd from executing bamboo-agent.sh, which is located in the <Bamboo-agent-home>/bin folder. SELinux only permits systemd to execute binaries that have the object_r:bin_t:s0 attribute set. The service unit references this script:
# cat /etc/systemd/system/bamboo-agent.service
[Unit]
...
[Service]
...
ExecStart=<bamboo-agent-home>/bin/bamboo-agent.sh start sysd
ExecStop=<bamboo-agent-home>/bin/bamboo-agent.sh stop sysd
We can check the labels by running the command below against <Bamboo-agent-home>/bin:
$ ls -lZ <Bamboo-agent-home>/bin
total 700
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:user_home_t:s0 114340 Mar 29 13:08 bamboo-agent.sh
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:user_home_t:s0 601160 Mar 29 13:08 wrapper
As seen above, bamboo-agent.sh in <Bamboo-agent-home>/bin has the SELinux context object_r:user_home_t:s0, which causes the service start to fail.
Solution
You'll need to modify the SELinux labelling using the commands provided below. Please replace "Bamboo-agent-home" with your specific path.
[root@rhel8 ~]# semanage fcontext -a -t bin_t "/home/bamboo/bamboo-agent-home/bin(/.*)"
[root@rhel8 ~]# restorecon -r -v /home/bamboo/bamboo-agent-home/bin
Finally, restart the Bamboo agent service:
# systemctl start bamboo-agent.service
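The label check from the Cause section can be scripted and run before and after the relabeling. This is an added example, not Atlassian's code: the function names are hypothetical, the sample data is constructed from the listing above, and the bin_t line for wrapper is an assumed post-fix state.

```bash
#!/usr/bin/env bash
# Added example (not Atlassian's code): find unit commands whose SELinux type
# is not the one systemd is allowed to execute (bin_t, per the article).

# Print the program path from every Exec*= line of a unit file read on stdin.
# Leading systemd prefix characters (-, @, :, +, !) are dropped.
unit_exec_paths() {
    sed -n 's/^Exec[A-Za-z]*=[-@:+!]*\([^[:space:]]*\).*/\1/p' | sort -u
}

# Read `ls -lZ` output on stdin; print "<name> <type>" for each entry whose
# SELinux type (third field of user:role:type:level) differs from $1.
# Names containing spaces are not handled.
find_mislabeled() {
    awk -v want="$1" '{
        ctx = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+:s[0-9]/) { ctx = $i; break }
        if (ctx == "") next            # "total N" line or no context column
        split(ctx, part, ":")
        if (part[3] != want) print $NF, part[3]
    }'
}

# Live check for an SELinux host: label of every Exec* program of a unit file.
# stat -c %C prints the SELinux context (GNU coreutils).
check_unit() {
    unit_exec_paths < "$1" | while read -r prog; do
        printf '%s %s\n' "$prog" "$(stat -c %C "$prog" 2>/dev/null || echo unknown)"
    done
}

# Constructed sample: the listing from the article, with the wrapper line
# changed to bin_t to show a correctly labelled entry (assumed, not captured).
SAMPLE_LS='total 700
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:user_home_t:s0 114340 Mar 29 13:08 bamboo-agent.sh
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:bin_t:s0 601160 Mar 29 13:08 wrapper'

SAMPLE_UNIT='[Service]
ExecStart=/home/bamboo/bamboo-agent-home/bin/bamboo-agent.sh start sysd
ExecStop=/home/bamboo/bamboo-agent-home/bin/bamboo-agent.sh stop sysd'

printf '%s\n' "$SAMPLE_LS" | find_mislabeled bin_t   # bamboo-agent.sh user_home_t
```

On the agent host, `check_unit /etc/systemd/system/bamboo-agent.service` prints the current context of each program the unit runs, and `ls -lZ <Bamboo-agent-home>/bin | find_mislabeled bin_t` should print nothing once restorecon has applied the new label.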