SELinux preventing httpd from accessing SSL certificates

Bug #1444560 reported by Dimitri Savineau
Affects: puppet-openstack-cloud
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

When using SELinux and an SSL configuration on httpd (forwarded by HAProxy), the service doesn't start because of SELinux:

From /var/log/httpd/error_log:
[Wed Apr 15 15:54:19.059615 2015] [core:notice] [pid 29382] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Apr 15 15:54:19.061049 2015] [ssl:emerg] [pid 29382] (13)Permission denied: AH02201: Init: Can't open server certificate file /etc/ssl/certs/star_domain_com.crt
[Wed Apr 15 15:54:19.061068 2015] [ssl:emerg] [pid 29382] AH02312: Fatal error initialising mod_ssl, exiting.

From /var/log/audit/audit.log:
type=AVC msg=audit(1429113415.957:311401): avc: denied { read } for pid=3533 comm="httpd" name="star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1429113415.957:311401): avc: denied { open } for pid=3533 comm="httpd" path="/etc/pki/tls/certs/star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

The SSL certificates are located in /etc/ssl/certs/

# ls -hl /etc/ssl/certs/*_domain_com.*
-rw-r--r--. 1 root root 1,2K 10 avril 19:51 /etc/ssl/certs/ca_domain_com.crt
-rw-r--r--. 1 root root 1,1K 13 avril 09:19 /etc/ssl/certs/star_domain_com.crt
-rw-r--r--. 1 root root 1,7K 10 avril 19:51 /etc/ssl/certs/star_domain_com.key
-rw-r--r--. 1 root root 2,7K 13 avril 10:18 /etc/ssl/certs/star_domain_com.pem

Parameters in the YAML env file:

  horizon_bind_options: []
  horizon_ssl_bind_options: []
  horizon_ssl: true
  horizon_listen_ssl: true
  horizon_cert: /etc/ssl/certs/star_domain_com.crt
  horizon_key: /etc/ssl/certs/star_domain_com.key
  horizon_ca: /etc/ssl/certs/ca_domain_com.crt

When disabling SELinux, httpd can start normally.

Tags: httpd selinux ssl
Emilien Macchi (emilienm) wrote :

Thanks for the report.
I think this is not a bug in puppet-openstack-cloud, but rather a new boolean you could add in the SELinux configuration (you can use Puppet for that, look at the environment file), or probably a bug in the SELinux Red Hat package.
There is nothing we can do in puppet-openstack-cloud to fix it, so I have to close this bug.

Changed in puppet-openstack-cloud:
status: New → Won't Fix
Gaëtan Trellu (goldyfruit) wrote :

Files have been created after SELinux labeling; we have to relabel them.

# restorecon -RvF /etc/ssl/certs/
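As an added example (not code from this report or from puppet-openstack-cloud), a small parser for AVC records like the two above: it resolves the path-less { read } record through its dev/ino pair, compares the denied file's type with the type the policy expects for its directory, and produces the restorecon command that relabels it. The audit record shows the path under /etc/pki/tls/certs, where /etc/ssl/certs points on Red Hat systems; the expected-type table is an assumption for this example, so confirm it on a real host with `matchpathcon -V`.

```python
import os
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Type the targeted policy gives certificate directories (assumption for this
# example; confirm on the host with `matchpathcon -V <path>`).
EXPECTED_TYPE = {"/etc/pki/tls/certs": "cert_t", "/etc/pki/tls/private": "cert_t"}

# Constructed sample: the two AVC records from the report plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1429113415.957:311401): avc: denied { read } for pid=3533 comm="httpd" name="star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1429113415.957:311401): avc: denied { open } for pid=3533 comm="httpd" path="/etc/pki/tls/certs/star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1429113415.957:311401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """user:role:type:level -> type, the part file access rules are keyed on."""
    return context.split(":")[2]

def find_mislabeled(audit_lines):
    """Files httpd_t was denied on whose label differs from the policy default."""
    recs = [r for r in map(parse_avc, audit_lines) if r and r.get("tclass") == "file"]
    # The { read } record names only the inode; borrow the path from another
    # record for the same dev/ino (the { open } record here carries it).
    paths = {(r.get("dev"), r.get("ino")): r["path"] for r in recs if "path" in r}
    findings = {}
    for r in recs:
        path = r.get("path") or paths.get((r.get("dev"), r.get("ino")))
        if not path or type_of(r["scontext"]) != "httpd_t":
            continue
        expected = EXPECTED_TYPE.get(os.path.dirname(path))
        actual = type_of(r["tcontext"])
        if expected and actual != expected:
            findings[path] = {"actual": actual, "expected": expected,
                              "fix": f"restorecon -RvF {os.path.dirname(path)}"}
    return findings
```

Running `find_mislabeled(SAMPLE_AUDIT.splitlines())` reports the certificate labeled user_home_t instead of cert_t, with `restorecon -RvF /etc/pki/tls/certs` as the fix.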
