Https ssl error
Code:
ausearch -ts recent -m avc
----
time->Wed Dec 2 15:15:43 2015
type=SYSCALL msg=audit(1449087343.148:192469): arch=c000003e syscall=2 success=no exit=-13 a0=7fffed886830 a1=80000 a2=0 a3=7f829f4ed2c1 items=0 ppid=1 pid=32688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1449087343.148:192469): avc: denied { read } for pid=32688 comm="httpd" name="blog_dworak-linux_com.crt" dev="xvda2" ino=17779477 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

Does tcontext mean it will work with those contexts?
Quote:
This is a message from SELinux. scontext means source context, i.e. the context of the httpd. tcontext is target context; the context of the file or other resource the process wanted to access. In your case, it seems to be a certificate file named blog_dworak-linux_com.crt.

The usual SELinux setup only requires looking at the type part of the context, i.e. httpd_t and user_home_t. The standard SELinux rules don't allow an httpd_t process to access a user_home_t resource. To fix this, you have to change the type of the resource (chcon command) or the rules (semanage command).

There is also a setroubleshoot package (the precise name may vary) that provides suggestions in readable English, but I would search for instructions for configuring https on a system with SELinux (CentOS or RHEL, perhaps?) and check your setup.
Code:
[root@ip-172-31-20-xxx certs]# chcon -t httpd_t blog_*

EDIT: Found a solution.
restorecon -RvF /etc/pki/
I mv'ed my files (which kept the original SELinux context) to their respective locations instead of using cp. Thank you berndbausch!
Quote:
You need to read about SELinux and httpd. I don't have pointers ready, but there is plenty of good information on the internet. There should even be a man page that covers the subject; use apropos to find it. For a quick fix or test, turn SELinux off with setenforce permissive, but be aware that this reduces the security of your system.
Thanks berndbausch I finally got it. restorecon -RvF /etc/pki/ did the trick. Marked the thread as solved.
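
As an added example (not part of any post in this thread): a small Python parser that pulls the source and target types out of AVC denials like the one posted above and flags targets that still carry a home-directory label, the situation restorecon fixed here. The second sample record, the HOME_TYPES set, the hint text and the function names are constructed for illustration.

```python
import re

# AVC record from the thread above, plus one constructed record whose
# MLS level contains a colon (s0:c1,c2) to exercise the context split.
SAMPLE = '''\
type=AVC msg=audit(1449087343.148:192469): avc: denied { read } for pid=32688 comm="httpd" name="blog_dworak-linux_com.crt" dev="xvda2" ino=17779477 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1449087400.000:192470): avc: denied { open } for pid=32689 comm="httpd" name="index.html" dev="xvda2" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0:c1,c2 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types a file keeps when it is moved (not copied) out of a home directory.
HOME_TYPES = {"user_home_t", "admin_home_t"}
HINT = "target still has a home-directory label; relabel its new location with restorecon"


def context_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["source_type"] = context_type(fields.get("scontext", ""))
    fields["target_type"] = context_type(fields.get("tcontext", ""))
    return fields


def triage(text):
    """Yield (denial, hint) for each AVC denial in ausearch output."""
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            yield d, (HINT if d["target_type"] in HOME_TYPES else None)


if __name__ == "__main__":
    for d, hint in triage(SAMPLE):
        print(d["source_type"], d["perms"], d["target_type"], d.get("name"), hint or "")
```
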