Bug #27276 (open)
Rudder server or relay can't start httpd because SELinux forbids access to certificate/key files
Description
On a relay on Alma 9.5 (and likely other SELinux-hardened distributions), there is an error in the agent run about the httpd service.
When looking at systemctl status httpd, the error message is:
SSLCertificateKeyFile: file '/var/rudder/cfengine-community/ppkeys/localhost.priv' does not exist or is empty
The keys are there, and it's actually a SELinux problem:
- executing setenforce 0 and running rudder agent repairs everything
- then, even if we set back setenforce 1, rudder agent runs are error-free.
So the workaround seems easy, but the problem would likely occur again if the files changed. And it makes analysing the root cause of things like #27268 harder.
Seen at least in 8.2.5.
It also happens on the root server, for the file /var/rudder/lib/ssl/policy_server.pem, after a migration from 8.2.5 to 8.3.3-nightly.
But it does not occur on a fresh 8.3.3-nightly install.
Again, the following workaround seems to correct the problem:
setenforce 0
rudder agent run
setenforce 1
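An added diagnostic script (not from the ticket or the Rudder project) that checks the two files named above without switching SELinux to permissive mode: a dry-run restorecon shows label mismatches, and recent httpd AVC denials from ausearch are reduced to one triage line each. The AVC record embedded for offline use is constructed, and its var_t target type is an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the ticket): check the label state of the
# files the ticket names without switching SELinux to permissive mode.
# Paths are the ones quoted in the ticket; the sample AVC line is constructed.

RUDDER_TLS_FILES="/var/rudder/cfengine-community/ppkeys/localhost.priv /var/rudder/lib/ssl/policy_server.pem"

# Reduce one raw AVC denial record to the fields that matter for triage:
# which process was denied, which permission, on which file, and the
# source/target SELinux types involved.
parse_avc() {
  line=$1
  comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
  name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
  # permissions sit between "denied  { ... }"; several are joined with commas
  perm=$(echo $(printf '%s\n' "$line" | sed -n 's/.*denied *[{]\([^}]*\)}.*/\1/p') | tr ' ' ',')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  printf 'comm=%s perm=%s name=%s source=%s target=%s\n' "$comm" "$perm" "$name" "$stype" "$ttype"
}

# Dry-run relabel: prints the files whose current label differs from the
# policy default, without changing anything (needs policycoreutils).
check_labels() {
  command -v restorecon >/dev/null 2>&1 || { echo "restorecon not installed"; return 2; }
  restorecon -nv $RUDDER_TLS_FILES
}

# Recent httpd denials from the audit log, one triage line each (needs audit).
recent_denials() {
  command -v ausearch >/dev/null 2>&1 || { echo "ausearch not installed"; return 2; }
  ausearch -m AVC -c httpd --start recent 2>/dev/null | grep 'avc:  denied' |
    while IFS= read -r l; do parse_avc "$l"; done
}

# Constructed sample record for offline use; the var_t target type is an
# assumption, not a label observed on a Rudder host.
SAMPLE_AVC='type=AVC msg=audit(1700000000.000:1): avc:  denied  { read } for  pid=1234 comm="httpd" name="localhost.priv" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--live" ]; then
  check_labels
  recent_denials
else
  parse_avc "$SAMPLE_AVC"
fi
```

Run with --live on the affected host to query restorecon and ausearch; without arguments it only parses the constructed sample.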
Updated by François ARMAND about 17 hours ago
- Related to Bug #27268: On root, /var/rudder/lib/ssl/policy_server.pem can not be copied with a mixed of logic and selinux added
Updated by François ARMAND about 16 hours ago
- Subject changed from Relay can't start httpd because SELinux forbids access to ppkeys/localhost.priv to Rudder server or relay can't start httpd because SELinux forbids access to certificate/key files
- Description updated (diff)
- Priority changed from N/A to To review
Updated by Félix DALLIDET about 12 hours ago
- Target version changed from 8.2.8 to 8.2.9