Bug #27276
openRudder server or relay can't start httpd because SELinux forbids access to certificate/key files
Description
On a relay on Alma 9.5 (and likely other SELinux-hardened distributions), there is an error in the agent run about the httpd service.
When looking at systemctl status httpd, the error message is:
SSLCertificateKeyFile: file '/var/rudder/cfengine-community/ppkeys/localhost.priv' does not exist or is empty
The keys are here, and it's actually a SELinux problem:
- executing setenforce 0 and running rudder agent repairs everything
- then, even if we set setenforce 1 back, rudder agent runs are error-free.
So, the workaround seems easy, but it's likely that the problem would occur again if the files changed. And it makes analysing the root cause of things like #27268 harder.
Seen at least in 8.2.5.
It also happens on the root server, for the file /var/rudder/lib/ssl/policy_server.pem, after a migration from 8.2.5 to 8.3.3-nightly.
But it does not happen on an 8.3.3-nightly fresh install.
Again, the following workaround seems to correct the problem:
setenforce 0
rudder agent run
setenforce 1
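The workaround above hides the denial rather than explaining it. As an added example (not part of the Rudder issue or project code), this script parses audit AVC records so the files httpd is denied access to can be listed for root-cause analysis; the audit lines, the var_t target label and the permissive-run helper are constructed assumptions, not taken from the report.

```shell
#!/bin/sh
# Extract "comm target-name permissive" from audit AVC records read on stdin.
avc_denied_targets() {
    awk '/avc: *denied/ {
        comm = ""; name = ""; perm = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)       { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^name=/)       { name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name) }
            if ($i ~ /^permissive=/) { perm = substr($i, 12) }
        }
        print comm, name, perm
    }'
}

# Only denials hit by httpd matter for this bug; list each denied file once.
httpd_denied_files() {
    avc_denied_targets | awk '$1 == "httpd" { print $2 }' | sort -u
}

# Operational variant (needs root and auditd; not exercised here): run the agent
# once in permissive mode so the denials are recorded instead of enforced, go
# back to enforcing, then list what httpd would have been blocked from reading.
collect_httpd_denials_during_agent_run() {
    setenforce 0
    rudder agent run
    setenforce 1
    ausearch -m AVC -ts recent -c httpd 2>/dev/null | httpd_denied_files
}

# Constructed sample audit records (assumed shape; the tcontext label is made up).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="localhost.priv" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.500:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="policy_server.pem" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | httpd_denied_files
```

The listed paths' labels can then be compared with the policy (ls -Z, matchpathcon) and corrected with restorecon, which survives file changes unlike the setenforce toggle.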