Pm2 startup issue with CENTOS 8 / SELinux
Please, do you know how to resolve this issue? I have searched everywhere without finding anything.

06:45 SELinux is preventing systemd from open access on the file /root/.pm2/pm2.pid. For complete SELinux messages run: sealert -l d84a5a0b-cfcf-4cb9-918a-c0952bf70600 setroubleshoot

06:45 pm2-root.service: Can't convert PID files /root/.pm2/pm2.pid O_PATH file descriptor to proper file descriptor: Permission denied systemd 2 

06:45 Failed to start PM2 process manager.

I have executed this command: sealert -l d84a5a0b-cfcf-4cb9-918a-c0952bf70600 setroubleshoot

Raw audit messages
type=AVC msg=audit(1591498085.184:7731): avc:  denied  { open } for  pid=1 comm="systemd" path="/root/.pm2/pm2.pid" dev="dm-0" ino=51695937 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0

PM2 version: 4.4.0, Node version: 12.18.0, CentOS version: 8

My systemd service:

[Unit]
Description=PM2 process manager
Documentation=https://pm2.keymetrics.io/
After=network.target

[Service]
Type=forking
User=root
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Environment=PATH=/sbin:/bin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Environment=PM2_HOME=/root/.pm2
PIDFile=/root/.pm2/pm2.pid
Restart=on-failure

ExecStart=/usr/lib/node_modules/pm2/bin/pm2 resurrect
ExecReload=/usr/lib/node_modules/pm2/bin/pm2 reload all
ExecStop=/usr/lib/node_modules/pm2/bin/pm2 kill

[Install]
WantedBy=multi-user.target

Thank you

Vocalism answered 7/6, 2020 at 3:1
I'm experiencing the exact same issue. Were you able to solve it? (Coroner)
Using forever... (Vocalism)
Yeah, I considered it too... But I'm not done with this yet. I'm currently investigating how to lift SELinux restrictions. It appears possible, as it was done for a similar issue: digitalocean.com/community/tutorials/…. The command is a bit cryptic, though: chcon -vR system_u:object_r:httpd_sys_content_t:s0 /var/www/your_domain/ (Coroner)
I finally found it... I'm posting an answer here. (Coroner)

As said in the comments, I had the exact same issue.

To solve this, just run the following commands as root after trying to start the PM2 service (in your case, this start attempt would be systemctl start pm2-root):

ausearch -c 'systemd' --raw | audit2allow -M my-systemd
semodule -i my-systemd.pp

This looks pretty generic, but it works. These lines were suggested by SELinux itself. To get them, I had to run the command journalctl -xe after trying to start the service.

Coroner answered 15/8, 2020 at 23:40

Two options:

1. Edit the systemd file that starts pm2 and specify an alternative location for the pm2 PIDFile. You'll have to make two changes, one to tell pm2 where to place the PIDFile, and one to tell systemd where to look for it. Replace the existing PIDFile line with the following two lines:

Environment=PM2_PID_FILE_PATH=/run/pm2.pid
PIDFile=/run/pm2.pid

2. Create an SELinux rule that allows this particular behavior. You can do that exactly as Backslash36 suggests in their answer. If you want to create the policy file yourself rather than through audit2allow, the following should work, although then you have to compile it to a usable .pp file yourself.

module pm2 1.0;

require {
        type admin_home_t;
        type init_t;
        class file { open read };
}

#============= init_t ==============
# The type and permission must match the AVC record: the denial quoted in
# the question is init_t trying to "open" a file labelled admin_home_t
# (root's home). user_home_t only covers non-root home directories and
# would not clear this denial. "read" is what systemd needs next to read
# the PID out of the file once the open is allowed.
allow init_t admin_home_t:file { open read };
Adjoining answered 3/9, 2020 at 21:55
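Both answers end up with an allow rule generated from the audit log, and the second answer points out that you can write that rule by hand if you want to control what gets installed. As an added example that is not part of the question or either answer (audit2allow is itself a Python tool, hence Python here), the script below does the core of what `ausearch -c 'systemd' --raw | audit2allow -M my-systemd` does: it parses raw AVC records, merges the denied permissions per (source type, target type, class), and renders the `.te` module in the same layout, so the rule can be read before `semodule -i` installs it. The first AVC record is the one quoted in the question; the second record, the `HOME_TYPES` set and the `review_warnings` heuristic are my own constructions for illustration, not part of audit2allow.

```python
"""Minimal audit2allow-style AVC -> .te rendering (added example, not from the
page's question or answers). Parses raw AVC records, merges the denied
permissions per (source type, target type, class), and prints the policy
module so it can be reviewed before `semodule -i` installs it."""
import re
from collections import defaultdict

# First record: the AVC quoted in the question. Second record: constructed
# here to show how a follow-up denial (systemd needs `read` once `open`
# is granted) is merged into the same allow rule.
AVC_LINES = [
    'type=AVC msg=audit(1591498085.184:7731): avc:  denied  { open } for  pid=1 '
    'comm="systemd" path="/root/.pm2/pm2.pid" dev="dm-0" ino=51695937 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1591498086.001:7732): avc:  denied  { read } for  pid=1 '
    'comm="systemd" path="/root/.pm2/pm2.pid" dev="dm-0" ino=51695937 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption (review heuristic, not SELinux policy): target types that mean a
# rule reaches into a whole home directory rather than one runtime file.
HOME_TYPES = {'admin_home_t', 'user_home_t', 'user_home_dir_t'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m['scontext']), context_type(m['tcontext']),
            m['tclass'], frozenset(m['perms'].split()))


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several in braces, as audit2allow writes them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_te(rules, name='my-systemd', version='1.0'):
    """Render the .te source in the layout `audit2allow -M` produces."""
    types = sorted({t for (stype, ttype, _) in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'#============= {stype} ==============')
        out.append(f'allow {stype} {ttype}:{tclass} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'


def review_warnings(rules):
    """Flag rules whose target type is a home-directory label, i.e. rules
    that grant far more than access to the single PID file that was denied."""
    return [
        f'{stype} would gain {fmt_perms(perms)} on every {tclass} labelled '
        f'{ttype}, not only the PID file; relocating the file avoids the grant'
        for (stype, ttype, tclass), perms in sorted(rules.items())
        if ttype in HOME_TYPES
    ]


if __name__ == '__main__':
    rules = collect_rules(AVC_LINES)
    print(render_te(rules), end='')
    for warning in review_warnings(rules):
        print('REVIEW:', warning)
```

Save the rendered text as my-systemd.te and build it with `checkmodule -M -m -o my-systemd.mod my-systemd.te`, then `semodule_package -o my-systemd.pp -m my-systemd.mod`, then `semodule -i my-systemd.pp`; that is the same pair of steps `audit2allow -M` runs for you. The review warning is the point of doing this by hand: `allow init_t admin_home_t:file { open read }` lets PID 1 read every file labelled admin_home_t under /root, not just pm2.pid, whereas option 1 above (a PID file under /run, which is labelled var_run_t and already managed by init_t) needs no new policy at all.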

© 2022 - 2024 — McMap. All rights reserved.