icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

SELinux mod_md Policy Deficiency #275

Closed grubbylilo closed 2 years ago

grubbylilo commented 2 years ago
  1. With a CentOS 7 OS (7.9.2009) running SELinux, I installed iusrepo/httpd24u package (from ius.io repository)

     'httpd -v' output: Server version: Apache/2.4.51 (IUS) Server built: Oct 8 2021 16:46:12

  2. I manually downloaded version 2.4.10 of mod_md -- the latest -- and ran ./configure && make && make install, added new domain configurations for mod_md and then restarted httpd.

  3. The following then appears in /var/log/messages multiple times, which I think is related to the number of domains configured to work with mod_md:

     Dec 24 11:56:19 python: SELinux is preventing /usr/sbin/httpd from rename access on the file fallback-privkey.pem.tmp.#012#012* Plugin catchall (100. confidence) suggests **#012#012If you believe that httpd should be allowed rename access on the fallback-privkey.pem.tmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012

  4. The following also appears a single time in /var/log/messages after each restart of httpd:

     Dec 24 12:15:46 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
     Dec 24 12:15:46 setroubleshoot: SELinux is preventing httpd from setattr access on the directory challenges. For complete SELinux messages run: sealert -l 7dbbf39b-4413-4fe4-b59e-e5262109c793
     Dec 24 12:15:46 python: SELinux is preventing httpd from setattr access on the directory challenges.#012#012* Plugin catchall (100. confidence) suggests **#012#012If you believe that httpd should be allowed setattr access on the challenges directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012

  5. The ‘challenges’ subdirectory referenced above in #4 is created automatically based on the ‘MDStoreDir’ httpd configuration directive for mod_md.

  6. This was all done with SELinux in permissive mode.

grubbylilo commented 2 years ago

Following manual resolution of the above, I receive the following error. At this point I can start httpd.

python: SELinux is preventing /usr/sbin/httpd from unlink access on the file job.json.#012#012* Plugin catchall (100. confidence) suggests **#012#012If you believe that httpd should be allowed unlink access on the job.json file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
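The three denials quoted in the two comments above (rename on fallback-privkey.pem.tmp, setattr on the challenges directory, unlink on job.json) all fall on files mod_md manages under MDStoreDir. The script below is an added example, not code from the issue or from the mod_md project: it parses setroubleshoot-style syslog lines of that shape into a list of exactly which access was denied on which path, and then prints (without running) the targeted relabeling of the store directory that would cover those accesses, as an alternative to the catch-all ausearch | audit2allow module suggested in the log. The sample log is constructed from the messages in the thread, and /etc/httpd/md is only a placeholder for whatever MDStoreDir is set to.

```shell
#!/bin/sh
# Added example, not code from the mod_md project or from the issue above.
# Parses setroubleshoot-style syslog lines like the ones quoted in the thread,
# lists which access was denied on which path, and prints the targeted
# relabeling commands for the mod_md store. Nothing here changes SELinux
# state; the commands are only printed for review.

# Constructed sample, modelled on the messages quoted in the issue (not a real log).
SAMPLE_LOG='Dec 24 11:56:19 python: SELinux is preventing /usr/sbin/httpd from rename access on the file fallback-privkey.pem.tmp.#012#012* Plugin catchall (100. confidence) suggests **
Dec 24 12:15:46 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 24 12:15:46 python: SELinux is preventing httpd from setattr access on the directory challenges.#012#012* Plugin catchall (100. confidence) suggests **
Dec 24 12:20:01 python: SELinux is preventing /usr/sbin/httpd from unlink access on the file job.json.#012#012* Plugin catchall (100. confidence) suggests **'

# Read syslog lines on stdin; print "<access> <file|directory> <target>" per denial.
parse_denials() {
    awk '
    /SELinux is preventing/ {
        for (i = 1; i <= NF; i++) {
            # Pattern: from <access> access on the <file|directory> <target>.
            if ($i == "from" && $(i + 2) == "access" && $(i + 3) == "on") {
                target = $(i + 6)
                # Strip the trailing "." and the "#012" newline escapes syslog added.
                sub(/\.(#012.*)?$/, "", target)
                print $(i + 1), $(i + 5), target
            }
        }
    }'
}

# Summarise: one line per distinct access, with its comma-separated targets.
summarize_denials() {
    parse_denials | sort -u | awk '
    { t[$1] = (t[$1] == "" ? $3 : t[$1] "," $3) }
    END { for (a in t) print a ": " t[a] }' | sort
}

# Print (do not run) the relabeling that lets httpd manage the MDStoreDir tree.
# $1 is the MDStoreDir path; /etc/httpd/md is only a placeholder.
# httpd_sys_rw_content_t is the stock type for content httpd may read and
# write, which covers the rename/setattr/unlink accesses parsed above.
suggest_fcontext() {
    store_dir="${1:-/etc/httpd/md}"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$store_dir"
    printf 'restorecon -Rv %s\n' "$store_dir"
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | parse_denials
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
suggest_fcontext /etc/httpd/md
```

Reviewing the parsed list first matters because audit2allow's catch-all module grants httpd_t every access that appeared in the audit log, whereas relabeling only the store directory keeps the grant scoped to the files mod_md actually owns.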

icing commented 2 years ago

Thanks, @grubbylilo. I do not use SELinux and have no experience really with it. You probably need to talk to the maintainers to get advice on how to configure your system - if they have any.

I am willing to take in patches that improve the situation on SELinux, but I have no time or desire to do the work.