{"id":5706,"date":"2024-03-09T16:16:54","date_gmt":"2024-03-09T15:16:54","guid":{"rendered":"https:\/\/gpmfactory.com\/?p=5706"},"modified":"2024-03-09T23:02:32","modified_gmt":"2024-03-09T22:02:32","slug":"selinux-side-effects-when-adding-tls-ssl-certificates","status":"publish","type":"post","link":"https:\/\/gpmfactory.com\/index.php\/2024\/03\/09\/selinux-side-effects-when-adding-tls-ssl-certificates\/","title":{"rendered":"SELinux side effects when adding TLS\/SSL certificates"},"content":{"rendered":"\n

Beware of a funny side effect with SELinux.<\/p>\n\n\n\n

Use case<\/h3>\n\n\n\n

We have to activate SSL\/TLS on the Linux server, AlmaLinux in my case (RedHat variant).<\/p>\n\n\n\n

SELinux (Security Enhanced Linux) in enabled by default.<\/p>\n\n\n\n

I upload certificates and private key on \/tmp directory, then I move<\/strong> these two files on the target directory \/etc\/ssl\/certs\/ (with the mv<\/code> command).<\/p>\n\n\n\n

When restarting httpd, it complaigns because it can’t access the two certificate files.
We can set all security flags that we want, \u00ab\u00a0open all the doors\u00a0\u00bb, that will not run.<\/p>\n\n\n\n

In fact, the solution is to re-label<\/strong> the certificate files because the SELinux inheritance rules are specific to the directory which contains certificates. Then, the two new files will be setup correctly.<\/p>\n\n\n\n

restorecon -RvF \/etc\/ssl\/certs\/<\/pre>\n\n\n\n
Or… we can disable SELinux.
Display the status
getenforce<\/code><\/p>\n\n\n\n
Disable SELInux until next reboot<\/p>\n\n\n\n
sudo setenforce 0<\/code><\/p>\n\n\n\n
This would not have happened if I had copied (and not moved) my certificate files because in this case, they would have automatically inherited the SELinux rules from the receiving directory<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Beware of a funny side effect with SELinux. Use case We have to activate SSL\/TLS on the Linux server, AlmaLinux in my case (RedHat…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"ppma_author":[150],"class_list":["post-5706","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"authors":[{"term_id":150,"user_id":1,"is_guest":0,"slug":"admin8700","display_name":"Patrick","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/209d5ed69b74d288390621ab4c1d3773?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/comments?post=5706"}],"version-history":[{"count":7,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5706\/revisions"}],"predecessor-version":[{"id":5714,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/posts\/5706\/revisions\/5714"}],"wp:attachment":[{"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/media?parent=5706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/categories?post=5706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/tags?post=5706"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/gpmfactory.com\/index.php\/wp-json\/wp\/v2\/ppma_author?post=5706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}