certbot × nginx × SELinux #61

Open
opened 2024-12-13 23:07:28 +01:00 by mfocko · 0 comments
Owner

`/var/log/messages`:

```
Dec 13 23:01:40 mountainside setroubleshoot[1493005]: SELinux is preventing /usr/sbin/nginx from read access on the file fullchain3.pem. For complete SELinux messages run: sealert -l 00299893-c5f5-4b7f-a6d5-325a38ccddfa
```

SE alert:

```
~ % sealert -l 00299893-c5f5-4b7f-a6d5-325a38ccddfa
SELinux is preventing /usr/sbin/nginx from read access on the file fullchain3.pem.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.

Do
setsebool -P httpd_read_user_content 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that nginx should be allowed read access on the fullchain3.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -X 300 -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:container_file_t:s0
Target Objects                fullchain3.pem [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          mountainside.mfocko.xyz
Source RPM Packages           nginx-core-1.24.0-4.module_el9.5.0+122+220a1c6b.al
                              ma.1.aarch64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.45-3.el9_5.noarch
Local Policy RPM              selinux-policy-targeted-38.1.45-3.el9_5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mountainside.mfocko.xyz
Platform                      Linux mountainside.mfocko.xyz
                              6.6.31-20240529.v8.4.el9 #1 SMP PREEMPT Tue Sep 24
                              13:48:18 UTC 2024 aarch64 aarch64
Alert Count                   3
First Seen                    2024-11-21 00:26:00 CET
Last Seen                     2024-12-13 23:04:02 CET
Local ID                      00299893-c5f5-4b7f-a6d5-325a38ccddfa

Raw Audit Messages
type=AVC msg=audit(1734127442.234:74394): avc:  denied  { read } for  pid=1493397 comm="nginx" name="fullchain3.pem" dev="mmcblk0p2" ino=270082 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1734127442.234:74394): arch=aarch64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=5582553295 a2=0 a3=0 items=0 ppid=1 pid=1493397 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,container_file_t,file,read
```

Fix:

```
sudo setsebool -P httpd_read_user_content 1
```
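An added example, not part of this issue or the dotfiles repository: it parses raw AVC denial records like the ones quoted above and merges them into the `allow` rule a local module built with `audit2allow` would contain, so the scope of such a module (here: `httpd_t` reading every `container_file_t` file, not just the certificate) can be reviewed before it is installed. The first sample line is the denial from this issue; the second AVC line and its `path` are constructed.

```python
"""Parse raw SELinux AVC denial records (as printed by sealert / ausearch)
and summarise what a local policy module built from them would allow."""
import re
from collections import defaultdict

# Sample input: the AVC line from the issue above plus one constructed
# follow-up denial (open on the same file) for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1734127442.234:74394): avc:  denied  { read } for  pid=1493397 comm="nginx" name="fullchain3.pem" dev="mmcblk0p2" ino=270082 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1734127442.234:74394): arch=aarch64 syscall=openat success=no exit=EACCES comm=nginx exe=/usr/sbin/nginx
type=AVC msg=audit(1734127500.001:74410): avc:  denied  { open } for  pid=1493397 comm="nginx" path="/etc/letsencrypt/archive/example/fullchain3.pem" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m or not line.startswith("type=AVC"):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name") or fields.get("path"),
        "tclass": fields.get("tclass"),
        # scontext/tcontext are user:role:type:level; the type is what matters
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "permissive": fields.get("permissive") == "1",
    }
    return rec

def summarise(audit_text):
    """Merge denials by (source type, target type, class) and emit the
    allow rules an audit2allow module would contain for them."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            merged[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in summarise(SAMPLE_AUDIT):
        print(rule)
```

Each emitted rule names a whole type pair, which is why a relabel of the certificate directory (so nginx reads a type it is already allowed to) is narrower than either the boolean or a generated module.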
Reference: mfocko/dotfiles#61