Bug #27276
Updated by François ARMAND 1 day ago
On a relay on Alma 9.5 (and likely other SELinux-hardened distributions), there is an error in the agent run about the httpd service.
When looking at @systemctl status httpd@, the error message is:
<pre>
SSLCertificateKeyFile: file '/var/rudder/cfengine-community/ppkeys/localhost.priv' does not exist or is empty
</pre>
The keys are here, and it's actually a SELinux problem:
- executing @setenforce 0@ and running rudder agent repairs everything
- then, even if we set back @setenforce 1@, rudder agent runs are error-free.
So, the workaround seems easy, but it's likely that the problem would occur again if files changed. And it makes analysing the root cause of things like #27268 harder.
Seen at least in 8.2.5.
It also happens on the root server, for the file @/var/rudder/lib/ssl/policy_server.pem@, after a migration from 8.2.5 to 8.3.3-nightly.
But it does not exist on an 8.3.3-nightly fresh install.
Again, the following workaround seems to correct the problem:
<pre>
setenforce 0
rudder agent run
setenforce 1
</pre>