Fix SELinux denials and "Text file busy" on SSH fleet provisioning #3712

Merged
peterschmidt85 merged 1 commit into master from fix/selinux-shim-binary-context
Mar 27, 2026

@peterschmidt85
Contributor

Summary

  • Revert shim binary download from cp back to mv to fix "Text file busy" (ETXTBSY) errors when re-provisioning an SSH fleet without host cleanup — cp fails on a running executable, while mv atomically replaces the directory entry
  • Add chcon after mv to set correct SELinux context (bin_t) for the shim binary — on SELinux-enforcing hosts (RHEL, Rocky, CentOS), files moved from /tmp retain user_tmp_t context which blocks execution; no-op on non-SELinux systems

Companion to #3702 which fixed the same SELinux issue for the service file and env file.

Test plan

  • RHEL 9.4 (SELinux Enforcing) clean provision — fleet active
  • RHEL 9.4 (SELinux Enforcing) re-provision without cleanup — fleet active
  • Ubuntu 24.04 (no SELinux) clean provision — fleet active
  • Ubuntu 24.04 (no SELinux) re-provision without cleanup — fleet active (no "Text file busy")
  • Pre-commit hooks pass

🤖 Generated with Claude Code

The shim binary download uses cp to copy from /tmp to /usr/local/bin/.
This causes two issues:

1. "Text file busy" (ETXTBSY) when re-provisioning without cleanup,
   because cp tries to write to a running executable. Revert to mv
   which atomically replaces the directory entry.

2. On SELinux-enforcing hosts (RHEL, Rocky), mv from /tmp preserves
   the user_tmp_t context. Add chcon to set the correct bin_t context.
   No-op on non-SELinux systems via 2>/dev/null || true.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@peterschmidt85 peterschmidt85 requested a review from un-def March 27, 2026 16:18
@peterschmidt85 peterschmidt85 merged commit c314684 into master Mar 27, 2026
28 checks passed
@peterschmidt85 peterschmidt85 deleted the fix/selinux-shim-binary-context branch March 27, 2026 16:52
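
The install sequence described in this PR (mv, then chcon to bin_t), as an added example that is not the project's own code. The function names, file names and temp directory are constructed for the demo, which stays inside one directory and holds the old file open to stand in for a running shim.

```bash
# Constructed demo: function names, file names and the temp dir are illustrative.

# Inode number of a file (GNU stat first, then BSD stat).
inode_of() { stat -c %i "$1" 2>/dev/null || stat -f %i "$1"; }

# Install $1 as $2 following the steps in the PR description.
install_binary() {
    chmod 0755 "$1" || return 1
    # mv swaps the directory entry; the old inode is never written to,
    # so a process still using it does not see its file change underneath.
    mv -f "$1" "$2" || return 1
    # A file moved from /tmp keeps user_tmp_t on SELinux hosts; relabel it.
    # The redirect and "|| true" make this a no-op without SELinux.
    chcon -t bin_t "$2" 2>/dev/null || true
}

# SELinux type of a file, or "none" when the host exposes no labels.
selinux_type_of() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=
    case $ctx in
        *:*:*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
        *) echo none ;;
    esac
}

# Re-install over a file that is held open (stand-in for the running shim).
# Prints: <content via old handle> <content at path> <inode changed?>
reinstall_demo() (
    dir=$(mktemp -d) || exit 1
    printf 'v1\n' > "$dir/download" && install_binary "$dir/download" "$dir/shim"
    old_inode=$(inode_of "$dir/shim")
    exec 3< "$dir/shim"          # keeps the old inode referenced
    printf 'v2\n' > "$dir/download" && install_binary "$dir/download" "$dir/shim"
    new_inode=$(inode_of "$dir/shim")
    changed=no
    [ "$old_inode" != "$new_inode" ] && changed=yes
    echo "$(cat <&3) $(cat "$dir/shim") $changed"
    rm -rf "$dir"
)

reinstall_demo
```

On an SELinux-enforcing host, `selinux_type_of /usr/local/bin/<binary>` after provisioning is a quick way to confirm the relabel took effect; `<binary>` is a placeholder.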