Self-hosted Linux-based runners do not start properly when SELinux is enabled

[bschonec]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service

What part(s) of the article would you like to see updated?

There should be some reference to the proper SELinux context when enabling the runners on systemd-enabled distributions.

In "Step 6: Start the runner" of this article it mentions a minimal context for runsvc.sh. I needed to "chcon -R system_u:object_r:usr_t:s0 " for the runner to start via systemd scripts.

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[nguyenalex836]

@bschonec Thank you for opening this issue! I'll get this triaged for review ✨

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[github-actions]

This is a gentle bump for the docs team that this issue is waiting for technical review.

[ericsciple]

The problem is your admin can configure the SELinux on the machine to lock down all kinds of permission. When the runner fails to configure or start due SELinux, the customer needs to work with their admin to track down the required permission.

We had small patch like this for SELinux, but might not able to catch all cases, especially for cases that needs to run arbitrary commands on the customer's machine like the one mentioned in the issue:

chcon -R system_u:object_r:usr_t:s0

[bschonec]

@ericsciple, you are correct but the original reason for me opening this issue is that there isn't any mention of this in the documentation.