error installing package: failed to copy source directory #6300

Open
Microdev82 opened this issue Dec 12, 2024 · 7 comments

Microdev82 commented Dec 12, 2024

Hello,
I am trying to install an agent in elastic 8.14.3 and keep getting this error during the install:

Error copying files [0s] Error uninstalling. Printing logs
error installing package: failed to copy source directory (data/elastic-agent-2df2c1) to destination (data/elastic-agent-8.14.3-2df2c1): open /opt/elastic-agent-8.14.3-linux-x86_64/data/elastic-agent-2df2c1/components/java-attacher.jar: operation not permitted

Anyone run into this?

Member

cmacknz commented Dec 13, 2024

What Linux distribution is this? Can you include the full command you executed and all of the logs?

@racooper

I'm seeing the same issue with 8.15.2 on one box, a Satellite server running RHEL 8.10:

/usr/local/src/elastic-agent-8.15.2-linux-x86_64/elastic-agent install --url=https://<redacted>:443
--enrollment-token="<redacted>==" --tag <redacted> --non-interactive
Installing in non-interactive mode.
[=== ] Error copying files  [2s] Error uninstalling. Printing logs
Error: error installing package: failed to copy source directory (data/elastic-agent-621bbc) to destination (data/elastic-agent-8.15.2-621bbc):
open /usr/local/src/elastic-agent-8.15.2-linux-x86_64/data/elastic-agent-621bbc/components/java-attacher.jar: operation not permitted
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.15/fleet-troubleshooting.html

I've verified that the user running the install (root) has rwx permissions on the source and destination. I've done the install on 200+ other servers, running CentOS 7, RHEL 8 and 9, with no issues like this.

Member

cmacknz commented Dec 17, 2024

Hmm, perhaps something doesn't like .jar files specifically?

There is nothing off about the permissions in the 8.15.2 release. We are installing elastic agent builds constantly all day in automation and haven't seen this, but likely this is something peculiar about particular machines. Especially odd that this doesn't reproduce every time.

ubuntu@guiltless-rhea:~$ ls -la elastic-agent-8.15.2-linux-arm64/data/elastic-agent-621bbc/components/
total 840216
...
-rwxr-xr-x  1 ubuntu ubuntu 286061833 Sep 19 13:20 agentbeat
-rwxr-xr-x  1 ubuntu ubuntu  53608600 Sep 19 13:20 apm-server
-rwxr-xr-x  1 ubuntu ubuntu 220660033 Sep 19 13:20 cloudbeat
-rwxr-xr-x  1 ubuntu ubuntu  23661416 Sep 19 13:20 endpoint-security
-rwxr-xr-x  1 ubuntu ubuntu  35857120 Sep 19 13:20 fleet-server
-rwxr-xr-x  1 ubuntu ubuntu   8621110 Sep 19 13:20 java-attacher.jar
...

@leehinman
Contributor

Any chance SELinux is enabled on the RHEL 8.10 box? It is on by default with a targeted policy; if so, it is probably worth checking the SELinux logs to see if it blocked access to the JAR file.

@racooper

SELinux is enabled, but no alerts or warnings in the audit log. I remember checking that the first time I got errors. SELinux is enabled on most of our servers and didn't cause any other issues.

Contributor

strawgate commented Dec 17, 2024

Do you have fapolicyd enabled?

You could verify if it's running via systemctl status fapolicyd

If so, this could also be a fapolicy rule, something like

deny_audit perm=any all: ftype=application/java-archive

Sometimes this is found in 10-language-rules under /etc/fapolicyd/rules.d/ but could be part of any rule.

Turning off fapolicyd via systemctl stop fapolicyd would be a good way to test via fapolicyd --debug-deny and then running the install again.

@racooper

That was it exactly! Disabling fapolicyd allowed the Elastic agent to install. Apparently Satellite is the only server we have running fapolicyd, so I didn't even think about it (or really know anything about it, until now!). Thanks!
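
Added example, not part of the thread or of the Elastic Agent project: a shell function that lists the fapolicyd deny rules matching a MIME type such as the `application/java-archive` one discussed above, including rules that reference it through a `%set`. The `.rules` suffix, the `%name=a,b` set syntax, the helper names and the sample rule files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list fapolicyd deny rules that match a given MIME type.
# Assumptions: rules are *.rules files read in file-name order (as under
# /etc/fapolicyd/rules.d/) and sets are defined as %name=value1,value2.

find_ftype_denies() {   # usage: find_ftype_denies RULES_DIR MIME_TYPE
    mime=$2
    set -- "$1"/*.rules
    [ -e "$1" ] || { echo "no .rules files found" >&2; return 2; }
    awk -v mime="$mime" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^[ \t]*%/ {                             # set definition: remember members
            def = $0; sub(/^[ \t]*%/, "", def)
            eq = index(def, "="); name = substr(def, 1, eq - 1)
            n = split(substr(def, eq + 1), vals, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", vals[i]); member[name SUBSEP vals[i]] = 1
            }
            next
        }
        $1 ~ /^deny/ {                           # deny, deny_audit, ...
            sep = index($0, ":"); if (!sep) next
            n = split(substr($0, sep + 1), attr, " ")   # object side of the rule
            for (i = 1; i <= n; i++) {
                if (attr[i] !~ /^ftype=/) continue
                v = substr(attr[i], 7); key = substr(v, 2) SUBSEP mime
                if (v == mime || (v ~ /^%/ && key in member)) {
                    print FILENAME ":" FNR ": " $0; break
                }
            }
        }
    ' "$@"
}

make_sample_rules() {   # constructed sample rules, not copied from a real host
    d=$(mktemp -d) || return 1
    printf '%s\n' '%languages=application/x-bytecode.python,application/java-archive' \
        > "$d/10-languages.rules"
    printf '%s\n' '# constructed' 'allow perm=any all : ftype=%languages trust=1' \
        'deny_audit perm=any all : ftype=%languages' > "$d/70-trusted-lang.rules"
    printf '%s\n' 'deny_audit perm=any all: ftype=application/java-archive' \
        > "$d/95-local.rules"
    echo "$d"
}

d=$(make_sample_rules) && find_ftype_denies "$d" application/java-archive
rm -rf "$d"
```

Pointing the function at the real rules directory on the affected host shows which rule to review, which narrows the problem down without leaving fapolicyd stopped.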
