audit2allow getting permission denied AND how to update policy

cshank
Posts: 4
Joined: 2017/03/21 14:15:42

audit2allow getting permission denied AND how to update policy

Post by cshank » 2017/03/21 14:21:51

Hello,

I added port 443/ssl to one of my virtual sites and on restart I am getting the error that systemd-ask-password wants write access on the kmsg chr_file. I have 2 questions as it appears this has been corrected in later policies:

[1] Should I update my policy? I am a little concerned with the number of manual changes I have made. Also, I have never updated my policy because I just change settings as needed, so a quick refresher would be great.

[2] Any thoughts on why I am getting "could not write output file: [Errno 13] Permission denied: 'my-systemdaskpas.te'" when I run the following command: ausearch -c 'systemd-ask-pas' --raw | audit2allow -M my-systemdaskpas

thanks!

C

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: audit2allow getting permission denied AND how to update policy

Post by TrevorH » 2017/03/21 14:47:12

For [2], what is your current working directory when you run that command?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cshank
Posts: 4
Joined: 2017/03/21 14:15:42

Re: audit2allow getting permission denied AND how to update policy

Post by cshank » 2017/04/09 17:01:43

I am sorry, but I was having trouble with this login account and I missed your reply. It did help me: I moved to my home directory to re-run the commands, and that appeared successful, but I am still having a problem adding the certificate to my website. Even though I did not add a passphrase, CentOS still wants to write to an area it can't write to. After I run the recommended permission adjustments, it still generates the same error, which may be due to the response I get after my ausearch command. Since this is different from what you previously replied to, I will post this as a different question. I will try to get my account login info ironed out as well.

thanks...

Chip

/////////////

[craftadmin@psychology ~]$ sudo ausearch -c 'systemd-ask-pas' --raw | audit2allow -M my-systemdaskpas
[sudo] password for craftadmin:
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class chr_file
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class chr_file
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemdaskpas.pp

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: audit2allow getting permission denied AND how to update policy

Post by TrevorH » 2017/04/09 17:11:30

Where are your certs located?

cshank
Posts: 4
Joined: 2017/03/21 14:15:42

Re: audit2allow getting permission denied AND how to update policy

Post by cshank » 2017/04/09 17:17:37

/etc/pki/CA/certs

cshank
Posts: 4
Joined: 2017/03/21 14:15:42

Re: audit2allow getting permission denied AND how to update policy

Post by cshank » 2017/04/09 17:28:12

When I run: sudo service http restart

I get an SE alert:

The source process:/usr/bin/systemd-ask-password
Attempted this access: open
On this file: /proc/<pid>/environ

It says to run these commands to provide access (which I have done previously):

ausearch -c 'systemd-ask-pas' --raw | audit2allow -M my-systemdaskpas
semodule -i my-systemdaskpas.pp


I can run those commands, but, the error stays the same.
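The script below is an added example and is not code from the thread. It addresses the two practical points in the posts above: `audit2allow -M NAME` writes `NAME.te` and `NAME.pp` into the current directory, and in the posted command only `ausearch` runs under sudo, so the unprivileged `audit2allow` gets "[Errno 13] Permission denied" whenever the shell's working directory is not writable by that user. The script builds the module in a fresh temp directory instead, and first summarises what the raw AVC records actually ask for, because a denial for `systemd-ask-password` means httpd tried to prompt for a key passphrase; allowing that access silences the alert without fixing why the prompt appears. The sample records, the PIDs, inode numbers, timestamps and the `httpd_t` source domain are constructed for illustration, and the `.pp` is deliberately not installed by the script.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage an SELinux denial before
# handing it to audit2allow, and build the module from a directory the
# invoking user can write to (audit2allow -M writes NAME.te and NAME.pp into
# the current directory, which is where the thread's "Permission denied" on
# the .te file came from).

# Constructed sample records in `ausearch --raw` format, modelled on the two
# denials described in the thread. PIDs, inode numbers, timestamps and the
# httpd_t source domain are assumptions for illustration.
SAMPLE_AVC='type=AVC msg=audit(1491756300.101:912): avc:  denied  { write } for  pid=4321 comm="systemd-ask-pas" name="kmsg" dev="devtmpfs" ino=1045 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1491756300.102:913): avc:  denied  { read open } for  pid=4321 comm="systemd-ask-pas" path="/proc/1/environ" dev="proc" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0'

# Print one line per AVC record: comm, source type, target type, class, perms.
avc_summary() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      comm = src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src); split(src, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt); split(tgt, b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      print comm, src, tgt, cls, perms
    }'
}

# Reads avc_summary output on stdin; succeeds if any denial comes from
# systemd-ask-password. That helper only runs because something (here mod_ssl)
# asked for a passphrase, so an allow rule papers over the real problem.
looks_like_passphrase_prompt() {
  grep -q '^systemd-ask-pas '
}

# Collect the raw records for a command, summarise them and compile a module
# in a fresh temp directory. Run as root (ausearch needs it). The .pp is NOT
# installed here: read the generated .te first, then `semodule -i` it.
build_module() { # $1 = comm value to search for, $2 = module name
  workdir=$(mktemp -d) || return 1
  (
    cd "$workdir" || exit 1
    ausearch -c "$1" --raw > avc.raw || exit 1
    avc_summary < avc.raw
    if avc_summary < avc.raw | looks_like_passphrase_prompt; then
      echo "note: httpd is prompting for a key passphrase; fix the key or SSLPassPhraseDialog config rather than allowing this" >&2
    fi
    audit2allow -M "$2" < avc.raw || exit 1
    printf 'Wrote %s/%s.te and %s.pp. Review the .te, then: semodule -i %s/%s.pp\n' \
      "$workdir" "$2" "$2" "$workdir" "$2"
  )
}

if [ "${1:-}" = build ]; then
  build_module systemd-ask-pas my-systemdaskpas
else
  # Offline demonstration on the constructed records above.
  printf '%s\n' "$SAMPLE_AVC" | avc_summary
fi
```

Run it without arguments to see the summary of the constructed records; on the affected host, `sudo sh thisscript.sh build` does the real collection. Note that the summary keys on the source type (`httpd_t` in the sample), not on `comm`: that type is what the generated allow rule will be granted to, so it is the line to read before deciding whether the rule belongs in your policy at all.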

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: audit2allow getting permission denied AND how to update policy

Post by TrevorH » 2017/04/09 18:46:47

That's the wrong location for httpd certs - that's where you'd put your own certs for your own CA (if you had one). They should probably really be in either /etc/pki/tls/certs/ or in /etc/httpd/conf.d/ssl.d/

If you move them to a new location, make sure you use mv -Z to assign the correct selinux context to the files that you move based on the new location. Otherwise mv will preserve the existing (wrong) contexts. Or just cp them and it does the right thing to begin with.

I'm not an http expert but it was my impression that it was usual to remove the passphrase from the cert if it was to be used by httpd to avoid the necessity for it to prompt for the passphrase.
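The following is an added example, not code from the thread or from CentOS, to go with the `mv -Z` advice above: it compares a file's live SELinux label with what the loaded policy would assign to its path (`matchpathcon`), relabels on mismatch, and shows the move-and-verify sequence for a certificate. The destination directory, the sample context strings and the argument handling are assumptions for illustration; the offline part only exercises the pure string comparison, while `install_cert` and `check_file_context` need an SELinux host with GNU `stat`, `matchpathcon` and `restorecon`.

```shell
#!/bin/sh
# Added example, not from the thread: check that a certificate moved under
# /etc/pki/tls/certs carries the file context the loaded policy expects, and
# relabel it if a plain `mv` carried the old label along. Paths and the
# sample contexts below are assumptions for illustration.

# "user:role:type:level" -> "type". The type is what the httpd policy keys on.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# $1 = actual context, $2 = expected context. Succeeds when the types differ.
needs_relabel() {
  [ "$(context_type "$1")" != "$(context_type "$2")" ]
}

# Compare a file's live label with what the policy would assign to its path.
# Requires SELinux tooling: GNU stat (%C) and matchpathcon (libselinux-utils).
check_file_context() { # $1 = path
  actual=$(stat -c %C "$1") || return 2
  expected=$(matchpathcon -n "$1") || return 2
  if needs_relabel "$actual" "$expected"; then
    printf 'MISMATCH %s: is %s, policy expects %s\n' "$1" "$actual" "$expected"
    return 1
  fi
  printf 'ok %s: %s\n' "$1" "$actual"
}

# Move a cert into place and make its label match the destination.
# `mv -Z` assigns the destination's default context; plain `mv` keeps the
# source's label (e.g. user_home_t for a file created in a home directory).
install_cert() { # $1 = source file, $2 = destination directory; run as root
  dest="$2/$(basename "$1")"
  mv -Z "$1" "$dest" || return 1
  restorecon -v "$dest"      # belt and braces: no-op if mv -Z already did it
  check_file_context "$dest" # fail loudly if the label is still wrong
}

if [ "${1:-}" = install ]; then
  install_cert "$2" "${3:-/etc/pki/tls/certs}"
else
  # Offline demonstration on constructed contexts.
  if needs_relabel 'unconfined_u:object_r:user_home_t:s0' 'system_u:object_r:cert_t:s0'; then
    echo 'user_home_t vs cert_t: relabel needed'
  fi
fi
```

On the host, `sudo sh thisscript.sh install /root/site.crt` moves the file and reports the resulting label; `check_file_context /etc/pki/tls/certs/site.crt` alone is a quick way to confirm a label after any copy or move, and `matchpathcon` is also the tool to ask where the policy expects a given path's files to live before choosing a directory. Private keys belong in a separate directory with tighter permissions than the certificates, whichever directory the policy labels for them.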
