APAR status
Closed as program error.
Error description
After installing IBM Spectrum Protect for Virtual Environments - Data Protection for VMware on Linux where SELinux is enabled, the vmcli and webserver services fail to start automatically on boot due to a missing SELinux context.

Running the "systemctl status" command against the webserver and vmcli services shows the following errors:

    [root@host_name ~]# systemctl status webserver
    ● webserver.service - LSB: starts and stops the liberty profile for TDP for VMWare in daemon mode
       Loaded: loaded (/etc/rc.d/init.d/webserver; generated)
       Active: failed (Result: exit-code) since Mon 2020-12-14 08:58:07 PST; 3h 12min ago
         Docs: man:systemd-sysv-generator(8)
      Process: 1459 ExecStart=/etc/rc.d/init.d/webserver start (code=exited, status=127)

    Dec 24 08:58:07 host_name systemd[1]: Starting LSB: starts and stops the liberty profile for TDP for VMWare in daemon>
    Dec 24 08:58:07 host_name webserver[1459]: /etc/rc.d/init.d/webserver: line 73: su: command not found
    Dec 24 08:58:07 host_name systemd[1]: webserver.service: Control process exited, code=exited status=127
    Dec 24 08:58:07 host_name systemd[1]: webserver.service: Failed with result 'exit-code'.
    Dec 24 08:58:07 host_name systemd[1]: Failed to start LSB: starts and stops the liberty profile for TDP for VMWare in>

    [root@host_name ~]# systemctl status vmcli
    ● vmcli.service - LSB: starts and stops the vmcli for TDP for VMWare in daemon mode
       Loaded: loaded (/etc/rc.d/init.d/vmcli; generated)
       Active: failed (Result: exit-code) since Mon 2020-12-14 08:58:07 PST; 3h 13min ago
         Docs: man:systemd-sysv-generator(8)
      Process: 1458 ExecStart=/etc/rc.d/init.d/vmcli start (code=exited, status=127)

    Dec 24 08:58:07 host_name systemd[1]: Starting LSB: starts and stops the vmcli for TDP for VMWare in daemon mode...
    Dec 24 08:58:07 host_name vmcli[1458]: /etc/rc.d/init.d/vmcli: line 119: su: command not found
    Dec 24 08:58:07 host_name systemd[1]: vmcli.service: Control process exited, code=exited status=127
    Dec 24 08:58:07 host_name systemd[1]: vmcli.service: Failed with result 'exit-code'.
    Dec 24 08:58:07 host_name systemd[1]: Failed to start LSB: starts and stops the vmcli for TDP for VMWare in daemon mo>

The following errors are reported in the OS logs and indicate that SELinux is preventing access to the "su" command while the services are starting:

    Dec 24 09:49:49 host_name setroubleshoot[1105555]: SELinux is preventing vmcli from execute access on the file su. For complete SELinux messages run: sealert -l 4b57e9e9-03bf-490c-9>
    Dec 24 09:49:49 host_name platform-python[1105555]: SELinux is preventing vmcli from execute access on the file su.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that vmcli should be allowed execute access on the su file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c 'vmcli' --raw | audit2allow -M my-vmcli
    # semodule -X 300 -i my-vmcli.pp

    Dec 24 09:49:49 host_name setroubleshoot[1105555]: SELinux is preventing vmcli from getattr access on the file /usr/bin/su. For complete SELinux messages run: sealert -l 1ebdc102-6c>
    Dec 24 09:49:49 host_name platform-python[1105555]: SELinux is preventing vmcli from getattr access on the file /usr/bin/su.

The SELinux context should be taken into consideration when SELinux is enabled and in Enforcing mode while the services are starting.

Affected versions: IBM Spectrum Protect for Virtual Environments - Data Protection for VMware version 8.1.x on supported Linux platforms

Initial Impact: Medium

Additional Keywords: TS004505432 tsm tdp SP ve vmware linux webserver vmcli auto start boot spectrum protect SElinux rc 127
Local fix
The following script can be used to change the SELinux context for the services, allowing them to start automatically:

    chcon -t bin_t /etc/rc.d/init.d/vmcli
    chcon -t bin_t /etc/rc.d/init.d/webserver
    systemctl daemon-reload
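To check whether the local fix is in place on a host, the following added example (not IBM's code) reads the SELinux context of the two init scripts and prints the APAR's chcon command for any file whose type is not bin_t. The function names are hypothetical, and it assumes GNU stat, which prints the context with %C.

```shell
#!/bin/sh
# Added example (not IBM's code): audit the SELinux type of the two init
# scripts from this APAR and print the APAR's chcon command where needed.
WANT_TYPE="bin_t"   # type applied by the APAR's local fix
SCRIPTS="/etc/rc.d/init.d/vmcli /etc/rc.d/init.d/webserver"

# Print the type field of a context string user:role:type[:level].
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one context string: ok, relabel, or unlabeled (no SELinux label).
check_context() {
    case "$1" in
        *:*:*) ;;
        *) echo "unlabeled"; return 0 ;;
    esac
    if [ "$(selinux_type "$1")" = "$WANT_TYPE" ]; then
        echo "ok"
    else
        echo "relabel"
    fi
}

# The command from the APAR's local fix for one file.
fix_command() {
    printf 'chcon -t %s %s\n' "$WANT_TYPE" "$1"
}

# Walk the init scripts; report state and the fix for each mislabeled one.
audit_scripts() {
    for f in $SCRIPTS; do
        if [ ! -e "$f" ]; then echo "$f: not installed"; continue; fi
        # GNU stat prints the SELinux context with %C; "?" if unavailable.
        ctx=$(stat -c %C "$f" 2>/dev/null) || ctx="?"
        state=$(check_context "$ctx")
        echo "$f: $ctx ($state)"
        [ "$state" = "relabel" ] && fix_command "$f"
    done
    return 0
}

audit_scripts
```

A label set with chcon is not recorded in the policy's file-context database, so a later restorecon or full filesystem relabel reverts it and the check above will report relabel again.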
Problem summary
USERS AFFECTED: Data Protection for VMware version 7.1, 8.1 running on all Linux platforms.

PROBLEM DESCRIPTION: See ERROR DESCRIPTION.

RECOMMENDATION: Apply fixing level when available. The issue is projected to be fixed in the Data Protection for VMware version 8.1.13 on all Linux platforms.
Problem conclusion
During installation of the product, the files were not registered in the SELinux database, which prevented the scripts from using the "su" command. The installation scripts were modified so that the corresponding SELinux patterns are created for the startup scripts.
Temporary fix
Comments
APAR Information
APAR number
IT36065
Reported component name
TSM FOR VE DP V
Reported component ID
5725TVEVM
Reported release
81L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-01
Closed date
2021-04-30
Last modified date
2021-04-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
webgui
Fix information
Fixed component name
TSM FOR VE DP V
Fixed component ID
5725TVEVM
Applicable component levels
Document Information
Modified date:
01 May 2021