2015-04-15 16:20:05 |
Dimitri Savineau |
description |
Hi,
When using SELinux and SSL configuration on httpd (forwarded by HAProxy), the service doesn't start because of SELinux:
From /var/log/httpd/error_log:
[Wed Apr 15 15:54:19.059615 2015] [core:notice] [pid 29382] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Apr 15 15:54:19.061049 2015] [ssl:emerg] [pid 29382] (13)Permission denied: AH02201: Init: Can't open server certificate file /etc/ssl/certs/star_domain_com.crt
[Wed Apr 15 15:54:19.061068 2015] [ssl:emerg] [pid 29382] AH02312: Fatal error initialising mod_ssl, exiting.
From /var/log/audit/audit.log:
type=AVC msg=audit(1429113415.957:311401): avc: denied { read } for pid=3533 comm="httpd" name="star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1429113415.957:311401): avc: denied { open } for pid=3533 comm="httpd" path="/etc/pki/tls/certs/star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
The SSL certificates are located in /etc/ssl/certs/
# ls -hl /etc/ssl/certs/*_domain_com.*
-rw-r--r--. 1 root root 1,2K 10 avril 19:51 /etc/ssl/certs/ca_domain_com.crt
-rw-r--r--. 1 root root 1,1K 13 avril 09:19 /etc/ssl/certs/star_domain_com.crt
-rw-r--r--. 1 root root 1,7K 10 avril 19:51 /etc/ssl/certs/star_domain_com.key
-rw-r--r--. 1 root root 2,7K 13 avril 10:18 /etc/ssl/certs/star_domain_com.pem
Parameters in the YAML env file:
horizon_bind_options: []
horizon_ssl_bind_options: []
horizon_ssl: true
horizon_listen_ssl: true
horizon_cert: /etc/ssl/certs/star_domain_com.crt
horizon_key: /etc/ssl/certs/star_domain_com.key
horizon_ca: /etc/ssl/certs/ca_domain_com.crt
When disabling SELinux, httpd can start normally |
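An added example, not part of the original report or of the project's code: a small Python parser run over the two AVC lines quoted in the report, which merges denials on the same inode and flags a home-directory type such as user_home_t on a path outside /home or /root. The function names and the location heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# The two denials quoted in the report's audit.log excerpt.
SAMPLE = '''type=AVC msg=audit(1429113415.957:311401): avc: denied { read } for pid=3533 comm="httpd" name="star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1429113415.957:311401): avc: denied { open } for pid=3533 comm="httpd" path="/etc/pki/tls/certs/star_domain_com.crt" dev="dm-1" ino=5769593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Types the reference policy assigns to home-directory content.
HOME_TYPES = {'user_home_t', 'user_home_dir_t', 'admin_home_t'}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type field drives the decision.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Merge denials on the same object (dev, ino) so name= and path= records combine."""
    out = defaultdict(lambda: {'perms': set(), 'path': None, 'name': None})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'], rec.get('dev'), rec.get('ino'))
        entry = out[key]
        entry['perms'].update(rec['perms'])
        entry['path'] = rec.get('path') or entry['path']
        entry['name'] = rec.get('name') or entry['name']
    return dict(out)

def mislabeled(summary):
    """Heuristic (assumption): a home type on a path outside /home or /root does not match its location."""
    hits = []
    for (stype, ttype, tclass, dev, ino), e in summary.items():
        if e['path'] and ttype in HOME_TYPES and not e['path'].startswith(('/home/', '/root/')):
            hits.append((e['path'], ttype, sorted(e['perms'])))
    return hits

if __name__ == '__main__':
    for hit in mislabeled(summarize(SAMPLE)):
        print(hit)
```

On a host with the SELinux policy tools installed, `matchpathcon` shows the label the policy expects for a flagged path and `restorecon -v` resets the file to it.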