Startup Script Gets Permission Denied When SELinux is Enforcing and Filesystem is NOEXEC

[rcuza]

On a RHEL-9 GCP compute VM, the google_metadata_script_runner places the startup script in a /tmp/metadata-script${suffix}/ folder and adds the execution bit to the file. By default, one cannot execute a script from /tmp when SELinux is enforcing.

The permission denied error can be reproduced by trying to execute a script in /tmp while SELinux is enforcing.

Possible solutions:

• do not use TmpDir when SELinux is enforcing
• explicitly set the SELinux context for the startup script
• use a location that SELinux blesses (eg Red Hat uses /usr/local/sbin/custom-firet-boot for their first boot script)

[rcuza]

Further research shows that SELinux is only part of the problem. RHEL9 also mounts /var/tmp with NOEXEC. The server is configured in a hardened state as per CIS server 2 recommendations, including partition setup.

This service needs to be more prescriptive on where it creates its temporary scripts.

[ludovictual-system-u]

We are facing the same issue on RHEL 8 & 9 : google-guest-agent-20250327.01-g1.el8.x86_64 + SELinux

May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: Starting startup scripts (version 20250327.01).
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: Found startup-script in metadata.
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: startup-script: add group
May 07 15:05:12 rhel8-vm-tmp groupadd[1819]: group added to /etc/group: name=artifactory, GID=1100
May 07 15:05:12 rhel8-vm-tmp groupadd[1819]: group added to /etc/gshadow: name=artifactory
May 07 15:05:12 rhel8-vm-tmp groupadd[1819]: new group: name=artifactory, GID=1100
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: startup-script: add user in group artifactory
May 07 15:05:12 rhel8-vm-tmp useradd[1827]: new user: name=artifactory, UID=1100, GID=1100, home=/usr/artifactory, shell=/bin/bash
May 07 15:05:12 rhel8-vm-tmp useradd[1827]: failed adding user 'artifactory', exit code: 12
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: startup-script: useradd: cannot create directory /usr/artifactory
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: Script "startup-script" failed with error: exit status 12
May 07 15:05:12 rhel8-vm-tmp google_compat_metadata_script_runner[1575]: Finished running startup scripts.

The currents gcp public images of rhel include version 20250306.00 that is NOT affected.
But soon the rolling update of will lead to breaking issue for many instance with redhat users.