3

After installing the latest version of nexus, currently 3.6.0, I'm able to start it by using the manual command

/opt/nexus/bin/nexus start

but when trying to start as a service (per directions https://help.sonatype.com/display/NXRM3/Installation#Installation-RunningtheService), I get the following:

Oct 04 13:47:53 localhost.localdomain sudo[2546]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl start nexus.service
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_CMD pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=73797374656D63746C207374617274206E657875732E7365
Oct 04 13:47:53 localhost.localdomain audit[2546]: CRED_REFR pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_systemd(sudo:session): Cannot create session: Already running in a session
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_START pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyini
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_unix(sudo:session): session opened for user root by root(uid=0)
Oct 04 13:47:53 localhost.localdomain systemd[1]: Starting nexus service...
-- Subject: Unit nexus.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nexus.service has begun starting up.
Oct 04 13:47:53 localhost.localdomain systemd[2549]: nexus.service: Failed at step EXEC spawning /opt/nexus/bin/nexus: Permission denied
-- Subject: Process /opt/nexus/bin/nexus could not be executed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /opt/nexus/bin/nexus could not be executed and failed.
--
-- The error number returned by this process is 13.
Oct 04 13:47:53 localhost.localdomain audit[2549]: AVC avc:  denied  { execute } for  pid=2549 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:adm
Oct 04 13:47:53 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Control process exited, code=exited status=203
Oct 04 13:47:53 localhost.localdomain systemd[1]: Failed to start nexus service.
-- Subject: Unit nexus.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nexus.service has failed.
--
-- The result is failed.
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Unit entered failed state.
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Failed with result 'exit-code'.
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_unix(sudo:session): session closed for user root
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_END pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit
Oct 04 13:47:53 localhost.localdomain audit[2546]: CRED_DISP pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/

UPDATE: I discovered that disabling SELinux, i.e. setenforce 0, allows for managing the service, but I don't want to do this as a long-term solution.

Here are a few lines from /var/log/audit/audit.log:

type=AVC msg=audit(1507473817.658:193): avc:  denied  { execute } for  pid=975 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1507473817.660:194): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1507474250.245:195): avc:  denied  { execute } for  pid=1052 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1507474250.246:196): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Any chance someone can help from here?

swv
  • 319
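The denials quoted above carry everything needed to diagnose the problem without turning enforcement off. The following is an added example, not part of the question: a small POSIX shell script that parses raw audit.log lines, reduces each AVC denial to the fields that matter (source domain, permission, object class, target type, file name, process name, enforcing or permissive) and classifies the "systemd may not execute a wrongly labelled file" pattern. The sample input is constructed: the two AVC lines and the SERVICE_START line are shortened copies of the ones posted, and the last permissive=1 line is made up for contrast. The user_home_t case in the classifier is an assumption that a tarball unpacked under a normal user's home behaves the same way as one under /root.

```shell
#!/bin/sh
# Added example, not part of the question: summarise and classify SELinux AVC
# denials from audit.log before reaching for "setenforce 0".

# sample_audit: constructed audit.log excerpt (two AVC lines and one
# SERVICE_START line shortened from the post, plus one made-up permissive=1 line).
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1507473817.658:193): avc:  denied  { execute } for  pid=975 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1507473817.660:194): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1507474250.245:195): avc:  denied  { execute } for  pid=1052 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507474300.000:197): avc:  denied  { read } for  pid=1100 comm="java" name="nexus.properties" dev="dm-0" ino=400001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
EOF
}

# avc_summary: read audit.log on stdin and print, for each AVC denial, one line:
#   <source type> <permission> <class> <target type> <name> <comm> <mode>
# The SELinux type is the third colon-separated field of scontext/tcontext.
avc_summary() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        perm = stype = ttype = tclass = name = comm = mode = ""
        # the denied permission sits between braces: { execute }
        if (match($0, /[{] *[a-z_]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext")        { split(kv[2], p, ":"); stype = p[3] }
            else if (kv[1] == "tcontext")   { split(kv[2], p, ":"); ttype = p[3] }
            else if (kv[1] == "tclass")     tclass = kv[2]
            else if (kv[1] == "name")       { name = kv[2]; gsub(/"/, "", name) }
            else if (kv[1] == "comm")       { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "permissive") mode = ((kv[2] == "0") ? "enforcing" : "permissive")
        }
        print stype, perm, tclass, ttype, name, comm, mode
    }'
}

# avc_classify: read summary lines and decide what each denial means.
# "relabel": systemd (init_t) was refused execute on a file that carries a
#   home-directory label (admin_home_t; user_home_t assumed to behave the same)
#   or an unconfined-domain type (unconfined_exec_t) instead of an executable
#   type such as bin_t. The fix is to relabel the file, not setenforce 0.
# "other": anything else; look at it separately with sealert/audit2allow.
avc_classify() {
    awk '{
        wrong = ($4 == "admin_home_t" || $4 == "user_home_t" || $4 == "unconfined_exec_t")
        if ($1 == "init_t" && $2 == "execute" && $3 == "file" && wrong)
            print "relabel", $5
        else
            print "other", $5
    }'
}

# Run over the constructed sample.
sample_audit | avc_summary | avc_classify
```

Two things the summary makes visible: the AVC record names the file only by name= and ino= on dev=, so the full path has to be found with `ausearch -i -m AVC` or `find / -xdev -inum 398592` on that filesystem; and admin_home_t is the label of root's home directory, which the binary keeps if it was unpacked under /root and then moved to /opt (mv preserves the SELinux context, a plain cp into /opt would have given it the default label for that path).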

5 Answers

2

To rectify this issue, add an SELinux policy to allow systemd to access the nexus binary in path /app/nexus/bin/nexus using the following command.

sudo chcon -R -t bin_t /opt/nexus/bin/nexus
lruiz
  • 21
  • 2
0

I have to suggest an answer after burning some time on this issue. I had the same issue as cited above. My OS is RHEL 7.5 with SELinux set to enforcing. Nexus version is 3.13.0-01.

The nexus service with systemd was defined as specified by Sonatype. See Sonatype's instructions for running a systemd service here: https://help.sonatype.com/repomanager3/installation/run-as-a-service

The service using the nexus.service definition from that page starts up, but eventually reaches a timeout and is shut down. The Forking service type waits some time for the parent process to exit, but this event apparently does not happen. I didn't contact Sonatype, but since this question was not addressed, I am adding a solution that worked. To resolve the issue I changed the type from forking to simple in the nexus.service file.

0

Also make sure /opt/nexus is owned by the nexus user.

Here's the snippet which worked, from /etc/systemd/system/nexus.service:

[Unit]
Description=nexus service
After=network.target

[Service]
Type=simple
LimitNOFILE=65536
ExecStart=/opt/nexus-3.19.0-01/bin/nexus start
ExecStop=/opt/nexus-3.19.0-01/bin/nexus stop
User=nexus
Restart=on-abort

[Install]
WantedBy=multi-user.target
0

Set the context for the nexus directory (maybe overly broad, but it's better than disabling SELinux): https://linux.die.net/man/8/initrc_selinux

semanage fcontext -a -t initrc_t   "/opt/nexus(/.*)?"
semanage fcontext -a -t initrc_exec_t   "/opt/nexus(/.*)?"

List the mappings:

semanage fcontext --list | grep '/opt/nexus'

Apply the changes:

restorecon -R -v /opt/nexus > /dev/null

  • 1
    Could you explain what this does, and how it helps? – Stephen Kitt Sep 02 '20 at 12:33
  • Sets the context for nexus directory (maybe overly, but it's better than disabling SELinux): https://linux.die.net/man/8/initrc_selinux Am I wrong? – Pietrek z gór Sep 04 '20 at 06:32
  • 1
    I’m not suggesting you’re wrong (and yes, this is better than disabling SELinux), but your answer would be better if it explained what you’re doing and why; please [edit] it to include the information from your comment. – Stephen Kitt Sep 04 '20 at 06:35
  • I downvoted because the explanation from the comment was not included in the answer and that code/command only answers are discouraged without a clear explanation. – Zeitounator Dec 19 '22 at 23:25
0

Use this link to troubleshoot what the problem is exactly: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux

  1. Run the command below to get an SELinux alert ID to check with sealert. The command should give you something like "to find more information about this run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020 ..."

    journalctl -t setroubleshoot

  2. Run the sealert command, which should give a suggested solution. In my case the solution was something like:

    semanage fcontext -a -t initrc_exec_t "/opt/nexus(/.*)?"

    restorecon -R -v /opt/nexus > /dev/null