timja / jenkins-gh-issues-poc-06-18


[JENKINS-67497] Some options under Manage Jenkins crash when launched on STIG-hardened, SELinux enabled Linux #1781

Open timja opened 2 years ago

timja commented 2 years ago

This is a brand new server installation. I installed OpenJDK 11 first, and then installed Jenkins from RPM. After I started the system, it provided a blank screen even though the browser tab title read "Sign In - Jenkins". Only after I created a file named "jenkins.install.InstallUtil.lastExecVersion" and restarted the service, was I presented with the activation screen and I was able to continue the initial set up from there. At the URL configuration part, it gave me the right IP:port and when I told it to continue, it gave me an error message, but when I hit retry, it continued without issue.


After I logged in with the account I created, if I try to select the Configure Global Security, About Jenkins, Global Tool Configuration options, or Logout, it gives me an error message similar to what is located in the PNG attachment.


I have attached the log file that the UI displays, and it is largely repetitive.


Originally reported by dwight_k_schrute, imported from: Some options under Manage Jenkins crash when launched on STIG-hardened, SELinux enabled Linux
  • status: Open
  • priority: Major
  • resolution: Unresolved
  • imported: 2022/01/10
timja commented 2 years ago

markewaite:

I assume that STIG-hardening or SELinux enabling has disabled some of the hashing algorithms used by Jenkins (like MD5) or some of the libraries used by Jenkins.

The stack trace mentions org.jenkinsci.main.modules.instance_identity.InstanceIdentityRSAProvider

In the environment section of the issue report, it says that the system is not "internet-facing". Does that mean it does not have access to the internet? If so, then you may want to read "Offline Installations" for other hints of steps that may be necessary for an offline installation.
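
One way to test the hypothesis above that the hardened crypto policy is withholding an algorithm Jenkins asks for (an added diagnostic, not code from this thread or from Jenkins itself): a small Java program that asks the JVM's configured security providers for the algorithms named in the thread. The algorithm list and the class name are assumptions; run it with the same JDK and security settings as the Jenkins service.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

// Lists the installed security providers and reports which of the requested
// algorithms they will actually hand out. A FIPS-only provider set typically
// refuses MD5, which is the kind of failure the thread suspects.
public class AlgoCheck {
    // Assumption: algorithms Jenkins core is likely to request, taken from the
    // thread (MD5 is named; RSA backs the instance-identity provider in the trace).
    static final String[] DIGESTS = {"MD5", "SHA-1", "SHA-256"};
    static final String[] KEYPAIRS = {"RSA"};

    interface Lookup { Object get() throws NoSuchAlgorithmException; }

    public static void main(String[] args) {
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        for (String alg : DIGESTS) {
            report("MessageDigest", alg, () -> MessageDigest.getInstance(alg));
        }
        for (String alg : KEYPAIRS) {
            report("KeyPairGenerator", alg, () -> KeyPairGenerator.getInstance(alg));
        }
    }

    static void report(String service, String alg, Lookup lookup) {
        try {
            lookup.get();
            System.out.println("OK       " + service + "/" + alg);
        } catch (NoSuchAlgorithmException e) {
            // Printed when no configured provider offers the algorithm.
            System.out.println("MISSING  " + service + "/" + alg + " (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 11 it can be launched directly with `java AlgoCheck.java`; running it as the jenkins user picks up the same `java.security` overrides and system crypto policy the service sees, so a MISSING line there is the setting to look at first.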

timja commented 2 years ago

JIRAUSER138037:

Yes, that is correct. It does not have access to the internet. I looked through the "Offline Installations" link before I deployed this server, and other than installing plugins, which I haven't gotten around to yet, there didn't seem to be anything different in how the system is installed in a server with internet access. 

Does Jenkins get tested under different OS hardening requirements for various OSes, or does it just get tested on various OSes without any hardening applied to them?

I think you are correct to assume the STIG-hardening, SELinux, and FIPS (which I forgot to mention above) would have some impact with the hashing algorithms and/or libraries used by Jenkins. Without removing the applied hardening, are there any settings in Jenkins that can be enabled/disabled to handle this hardened system?


timja commented 2 years ago

markewaite:

I'm not aware of anyone testing or using Jenkins on a STIG-hardened environment. I would expect that is more likely of interest to the companies that provide commercial products based on Jenkins, like CloudBees and Red Hat.

I am aware of some work to operate inside an SELinux environment with the git plugin (as described in JENKINS-64913 and JENKINS-65395), but nothing more than that.

If you'd like to contribute documentation based on your experiences, you're welcome to submit pull requests to www.jenkins.io documentation pages. You're also welcome to join the Platform SIG meetings that happen every two weeks.