LinuxQuestions.org
Old 12-02-2015, 05:14 PM   #1
HWDPlinux
HTTPS SSL error

Code:
ausearch -ts recent -m avc
----
time->Wed Dec 2 15:15:43 2015
type=SYSCALL msg=audit(1449087343.148:192469): arch=c000003e syscall=2 success=no exit=-13 a0=7fffed886830 a1=80000 a2=0 a3=7f829f4ed2c1 items=0 ppid=1 pid=32688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1449087343.148:192469): avc: denied { read } for pid=32688 comm="httpd" name="blog_dworak-linux_com.crt" dev="xvda2" ino=17779477 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file

Does tcontext mean it will work with those contexts?
 
Old 12-02-2015, 07:00 PM   #2
berndbausch
Quote:
Originally Posted by HWDPlinux View Post
ausearch -ts recent -m avc----
time->Wed Dec 2 15:15:43 2015
type=SYSCALL msg=audit(1449087343.148:192469): arch=c000003e syscall=2 success=no exit=-13 a0=7fffed886830 a1=80000 a2=0 a3=7f829f4ed2c1 items=0 ppid=1 pid=32688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1449087343.148:192469): avc: denied { read } for pid=32688 comm="httpd" name="blog_dworak-linux_com.crt" dev="xvda2" ino=17779477 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file

Does tcontext mean it will work with those contexts?
Use code tags (see my signature) to make your output more readable.

This is a message from SELinux. scontext means source context, i.e. the context of the httpd. tcontext is target context; the context of the file or other resource the process wanted to access. In your case, it seems to be a certificate file named blog_dworak-linux_com.crt.

The usual SELinux setup only requires looking at the type part of the context, i.e. httpd_t and user_home_t. The standard SELinux rules don't allow an httpd_t process to access a user_home_t resource. To fix this, you have to change the type of the resource (chcon command) or the rules (semanage command).

There is also a setroubleshoot package (the precise name may vary) that provides suggestions in readable English, but I would search for instructions for configuring https on a system with SELinux (Centos or RHEL, perhaps?) and check your setup.

Last edited by berndbausch; 12-02-2015 at 07:02 PM.
 
1 members found this post helpful.
Old 12-03-2015, 01:05 PM   #3
HWDPlinux
Original Poster
Code:
[root@ip-172-31-20-xxx certs]# chcon -t httpd_t blog_*
chcon: failed to change context of blog_dworak-linux_com.ca-bundle to unconfined_u:object_r:httpd_t:s0: Permission denied
chcon: failed to change context of blog_dworak-linux_com.crt to unconfined_u:object_r:httpd_t:s0: Permission denied
This is what I got when trying to change the type context.

EDIT:
Found a solution.
Code:
restorecon -RvF /etc/pki/

I mv'ed my files (which kept the original selinux context) to their respective locations instead of using cp. Thank you berndbausch!

Last edited by HWDPlinux; 12-03-2015 at 01:43 PM.
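As an added example (not from the thread or either poster): a small POSIX sh helper that parses an AVC record of the kind shown above, pulls out the source domain type and the target file type, and, when the target still carries a home-directory label (the situation a mv from $HOME into /etc/pki produces), prints the relabel command the thread ended with. The AVC line is constructed to mirror the one in the thread; the directory argument is an assumption about where the certificate was moved to.

```shell
#!/bin/sh
# Constructed AVC record, modelled on the thread's output (not the poster's exact line).
SAMPLE_AVC='type=AVC msg=audit(1449087343.148:192469): avc: denied { read } for pid=32688 comm="httpd" name="blog_dworak-linux_com.crt" dev="xvda2" ino=17779477 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the bare value of one key=value field of an AVC record ($1 = record, $2 = key).
# Quotes around the value (name="..." ) are stripped; unquoted values are taken as-is.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission that was denied, e.g. "read" from 'denied { read }'.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# A context is user:role:type:level; the type is the third component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

avc_source_type() { ctx_type "$(avc_field "$1" scontext)"; }   # process domain, e.g. httpd_t
avc_target_type() { ctx_type "$(avc_field "$1" tcontext)"; }   # file type, e.g. user_home_t

# One-line summary: "<perm> <source type> -> <target type> (<class> <name>)"
avc_summary() {
    printf '%s %s -> %s (%s %s)\n' "$(avc_perm "$1")" "$(avc_source_type "$1")" \
        "$(avc_target_type "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)"
}

# Decide on a fix. A target still labelled *_home_t after being moved into a
# system directory is a stale label: reset it to the policy default with
# restorecon ($2 = directory the file now lives in). chcon to a process domain
# such as httpd_t is never the answer, as the thread shows. Anything else is
# reported for inspection rather than auto-allowed.
suggest_fix() {
    case "$(avc_target_type "$1")" in
        *_home_t) printf 'restorecon -RvF %s\n' "$2" ;;
        *)        printf 'inspect: %s\n' "$(avc_summary "$1")" ;;
    esac
}

avc_summary "$SAMPLE_AVC"
suggest_fix "$SAMPLE_AVC" /etc/pki/
```

Feed it a real record with `ausearch -m avc -ts recent | grep '^type=AVC'` and the output of `suggest_fix` is the command to review before running.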
 
Old 12-03-2015, 01:42 PM   #4
berndbausch
Quote:
Originally Posted by HWDPlinux View Post
Code:
[root@ip-172-31-20-xxx certs]# chcon -t httpd_t blog_*
chcon: failed to change context of blog_dworak-linux_com.ca-bundle to unconfined_u:object_r:httpd_t:s0: Permission denied
chcon: failed to change context of blog_dworak-linux_com.crt to unconfined_u:object_r:httpd_t:s0: Permission denied
This is what I got when trying to change the type context.
httpd_t is a process context. You can't apply it to a file.

You need to read about SELinux and httpd. I don't have pointers ready, but there is plenty of good information on the internet. There should even be a man page that covers the subject; use apropos to find it.

For a quick fix or test, turn SELinux off with setenforce permissive, but be aware that this reduces the security of your system.

Last edited by berndbausch; 12-03-2015 at 01:43 PM.
 
Old 12-03-2015, 01:47 PM   #5
HWDPlinux
Original Poster
Thanks berndbausch, I finally got it. restorecon -RvF /etc/pki/ did the trick. Marked the thread as solved.