Bug 1586352
| Summary: | python: SELinux is preventing /usr/sbin/httpd from write access on the file /etc/letsencrypt/.certbot.lock | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Sergio Basto <sergio> | ||||||
| Component: | certbot | Assignee: | Nick Bebout <nb> | ||||||
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | epel7 | CC: | elyscape, itamar, james.hogarth, nb, nick, rbu, sergio, thetaeridanus | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2024-07-09 02:24:09 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Sergio Basto
2018-06-06 04:48:15 UTC
What uservare you trying to run certbot as? To provide some context for my question, certbot normally expects to run as root. Furthermore, httpd normally won't be invoking certbot, so this shouldn't be a problem. What are you doing that causes this to happen? (In reply to Eli Young from comment #1) > What uservare you trying to run certbot as? root , sorry for the delay to be clear I run as root :
certbot --apache
I have httpd running with a super simple configuration
/etc/httpd/conf.d/site.conf
<VirtualHost *:80>
ServerName site.name.country
ErrorLog logs/site.name.country-error_log
CustomLog logs/site.name.country-access_log common
</VirtualHost>
Could you post the syslog and audit messages you’re seeing that illustrate the error? Created attachment 1448593 [details]
var_log_messages.txt
cat /var/log/messages | grep SELinux > var_log_messages.txt
Created attachment 1448594 [details]
ausearch.txt
ausearch -x /usr/sbin/httpd --raw > ausearch.txt
is enough ?
more info
found 5 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/httpd from write access on the file /etc/letsencrypt/.certbot.lock.
***** Plugin leaks (86.2 confidence) suggests *****************************
If you want to ignore httpd trying to write access the .certbot.lock file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/sbin/httpd --raw | audit2allow -D -M my-httpd
# semodule -i my-httpd.pp
***** Plugin catchall (14.7 confidence) suggests **************************
If you believe that httpd should be allowed write access on the .certbot.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects /etc/letsencrypt/.certbot.lock [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <Unknown>
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xxxx
Platform Linux xxxx 3.10.0-862.3.2.el7.x86_64
#1 SMP Mon May 21 23:36:36 UTC 2018 x86_64 x86_64
Alert Count 20
First Seen 2018-04-27 17:19:26 WEST
Last Seen 2018-07-27 12:47:43 WEST
Local ID 0c2ad820-6b7b-4ba9-a422-7a59ac577708
Raw Audit Messages
type=AVC msg=audit(1532692063.265:5968): avc: denied { write } for pid=3915 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-0" ino=583456 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1532692063.265:5968): avc: denied { write } for pid=3915 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-0" ino=25547078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1532692063.265:5968): avc: denied { write } for pid=3915 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-0" ino=8528454 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1532692063.265:5968): arch=x86_64 syscall=execve success=yes exit=0 a0=16eb330 a1=16e6cb0 a2=16e7f90 a3=7fff91aff700 items=0 ppid=3913 pid=3915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=585 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,etc_t,file,write
*** Bug 1729813 has been marked as a duplicate of this bug. *** This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component. EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug. |