
With Netbox 4.2.3 using non-system Python the netbox_uwsgi_in_venv needs the secontext reasserted otherwise systemd can't start uwsgi #200

Open
Aethylred opened this issue Feb 13, 2025 · 4 comments

Comments

@Aethylred

Going through the install on Rocky Linux 9. System python is still 3.9 but we've installed Python 3.11 and it's available, and we have got the playbooks and variables to the point of installing, migrating and configuring netbox.

However systemd is unable to start the services because selinux won't approve:

from /var/log/messages

Feb 12 23:54:08 netbox01 setroubleshoot[29320]: SELinux is preventing /srv/netbox/releases/netbox-4.2.3/venv-py3/bin/uwsgi from ioctl access on the file /srv/netbox/releases/netbox-4.2.3/netbox/templates/dcim/rack.html.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow uwsgi to have ioctl access on the rack.html file
Then you need to change the label on /srv/netbox/releases/netbox-4.2.3/netbox/templates/dcim/rack.html
Do
# semanage fcontext -a -t FILE_TYPE '/srv/netbox/releases/netbox-4.2.3/netbox/templates/dcim/rack.html'
where FILE_TYPE is one of the following:

Output from ausearch -c '(uwsgi)' --raw

type=PROCTITLE msg=audit(1739395952.555:16569): proctitle="(uwsgi)"
type=AVC msg=audit(1739395952.806:16575): avc:  denied  { read open } for  pid=29040 comm="(uwsgi)" path="/srv/netbox/releases/netbox-4.2.3/venv-py3/bin/uwsgi" dev="dm-0" ino=34757276 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1739395952.806:16575): arch=c000003e syscall=59 success=no exit=-13 a0=561118f6d7f0 a1=561119205180 a2=561119054d70 a3=0 items=0 ppid=1 pid=29040 auid=4294967295 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="(uwsgi)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="netbox" GID="netbox" EUID="netbox" SUID="netbox" FSUID="netbox" EGID="netbox" SGID="netbox" FSGID="netbox"

Note that the context has to be set on the absolute path and not the link to current (though it might need both?)

The context can't be set before the playbook because the binaries may not yet be installed, and can't be set after the playbook because this exits the Ansible run when the netbox.service can not start.

I'm having trouble setting the context appropriately but it should be possible with https://docs.ansible.com/ansible/latest/collections/community/general/sefcontext_module.html

We'd strongly prefer to be able to run this service with SELinux in enforcing mode, so please don't recommend using permissive or disabling SELinux.

@Aethylred
Author

Aethylred commented Feb 13, 2025

These are the relevant variables I'm setting for the role:

netbox_stable: true
netbox_stable_version: 4.2.3
netbox_python_binary: /usr/bin/python3.11
netbox_uwsgi_in_venv: true

@Aethylred
Author

Another bit that SELinux flags:

Feb 13 22:41:41 netbox01 setroubleshoot[100863]: SELinux is preventing /srv/netbox/releases/netbox-4.2.3/venv-py3/bin/uwsgi from name_connect access on the tcp_socket port 389.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow authlogin to nsswitch use ldap
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.

Do
setsebool -P authlogin_nsswitch_use_ldap

@tyler-8
Collaborator

tyler-8 commented Feb 13, 2025

Are you able to run audit2why and audit2allow to get some further clarity on the issue?

It shouldn't be terribly difficult to add some RHEL specific tasks that add, say... httpd_sys_content_t context to the templates directory or something like that.

@Aethylred
Author

I've already set httpd_sys_content_t for Apache, which I'm running as a reverse proxy over Netbox (because I've got some established Ansible automation for that around getting certs from our CA etc.).

However, yeah, that's exactly what I was considering, but it's not RHEL specific. It'll be based on SELinux being in enforcing mode, though it should be done if SELinux is not disabled.

I'll have to do some googling on how to use the audit tools; do you have any suggestions on how audit2why and audit2allow should be run?
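As an added illustration (not code from the netbox role or from anyone in this thread) of the sefcontext-based fix the reporter links to, the boolean setroubleshoot proposed for port 389, and the "tasks conditional on SELinux not being disabled" idea from the last comment: a task list that relabels the release directory before netbox.service is started. It assumes the literal paths from the log lines above, that labelling the venv's bin directory bin_t is what clears the execve denial on the var_t-labelled uwsgi (check the audit2why output before relying on that), and that facts are gathered so ansible_selinux is defined.

```yaml
# Added example: SELinux labelling tasks for the netbox 4.2.3 release directory.
# Paths are the ones quoted in this issue; the setypes are assumptions to be
# confirmed against audit2why, not a statement of what the role does.
- name: Label the venv's executables bin_t so systemd (init_t) can exec uwsgi
  community.general.sefcontext:
    target: '/srv/netbox/releases/netbox-4.2.3/venv-py3/bin(/.*)?'
    setype: bin_t
    state: present
  when: ansible_selinux.status == 'enabled'

- name: Label the Django templates as web content (the context tyler-8 suggested)
  community.general.sefcontext:
    target: '/srv/netbox/releases/netbox-4.2.3/netbox/templates(/.*)?'
    setype: httpd_sys_content_t
    state: present
  when: ansible_selinux.status == 'enabled'

# sefcontext only records the rule in the policy; files that already exist
# keep their old label until restorecon is run against the absolute path
# (the symlink to "current" is deliberately not used here).
- name: Apply the recorded contexts to the already-installed release
  ansible.builtin.command: restorecon -Rv /srv/netbox/releases/netbox-4.2.3
  register: netbox_restorecon
  changed_when: netbox_restorecon.stdout | length > 0
  when: ansible_selinux.status == 'enabled'

- name: Allow the LDAP (tcp/389) lookups setroubleshoot flagged, persistently
  ansible.posix.seboolean:
    name: authlogin_nsswitch_use_ldap
    state: true
    persistent: true
  when: ansible_selinux.status == 'enabled'
```

Ordering these tasks ahead of the handler that starts netbox.service avoids the failure mode the reporter describes, where the play aborts before any post-install labelling could run.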
