Cannot access eucaconsole when SELinux is set to enforcing because of invalid console.crt and console.key labels

This KB article is relevant when both of the following are true:

  • You are running Eucalyptus v4.3.0 or later
  • SELinux is enabled on the machine hosting eucaconsole

The issue

After installing eucaconsole, you discover that you are not able to access the console after starting it.

During your investigations, you see the following error in the systemctl status output:

Jul 27 10:42:24 g-15-02.qa1.eucalyptus-systems.com eucaconsole[26319]: Generating self-signed certificate: [  OK  ]
Jul 27 10:42:24 g-15-02.qa1.eucalyptus-systems.com eucaconsole[26319]: Generating cookie secrets: [  OK  ]
Jul 27 10:42:24 g-15-02.qa1.eucalyptus-systems.com eucaconsole[26319]: Starting eucaconsole nginx: nginx: [emerg] BIO_new_file("/etc/eucaconsole/console.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/eucaconsole/console.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
Jul 27 10:42:24 g-15-02.qa1.eucalyptus-systems.com eucaconsole[26319]: [FAILED]


Checking the file label, you see the following:

[root@g-15-02 ~]# ls -lZ /etc/eucaconsole/console.crt /etc/eucaconsole/console.key
-rw-------. eucaconsole eucaconsole system_u:object_r:eucaconsole_conf_t:s0 /etc/eucaconsole/console.crt
-rw-------. eucaconsole eucaconsole system_u:object_r:eucaconsole_conf_t:s0 /etc/eucaconsole/console.key


This is the label the SELinux policy expects, as reported by matchpathcon:

[root@g-15-02 ~]# matchpathcon /etc/eucaconsole/console.crt /etc/eucaconsole/console.key
/etc/eucaconsole/console.crt    system_u:object_r:cert_t:s0
/etc/eucaconsole/console.key    system_u:object_r:cert_t:s0

The fix

Run restorecon to reset both files to the label the policy expects, as shown below:

[root@g-15-02 ~]# restorecon /etc/eucaconsole/console.crt /etc/eucaconsole/console.key
[root@g-15-02 ~]# ls -lZ /etc/eucaconsole/console.crt /etc/eucaconsole/console.key
-rw-------. eucaconsole eucaconsole system_u:object_r:cert_t:s0      /etc/eucaconsole/console.crt
-rw-------. eucaconsole eucaconsole system_u:object_r:cert_t:s0      /etc/eucaconsole/console.key


Once the labels are corrected, restart eucaconsole:

# systemctl restart eucaconsole.service
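
The label comparison above can be scripted. This is an added example, not part of the original article or of Eucalyptus: it flags files whose on-disk SELinux type differs from the type the policy expects. The function names are hypothetical, and the sample data is constructed from the ls -lZ and matchpathcon output shown above.

```bash
#!/bin/sh
# Added example: flag files whose on-disk SELinux type differs from policy.
# Function names are hypothetical; sample data is constructed from the
# ls -lZ and matchpathcon output shown in this article.

# Print the type (third field) of a context like system_u:object_r:cert_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# report_mismatches ACTUAL EXPECTED
# Both arguments hold "path context" lines (paths without whitespace).
# Prints one line per mislabeled path; returns 1 if any were found.
report_mismatches() {
    rc=0
    while read -r path actual_ctx; do
        [ -n "$path" ] || continue
        expected_ctx=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { print $2; exit }')
        [ -n "$expected_ctx" ] || continue   # no policy entry supplied for this path
        a=$(selinux_type "$actual_ctx")
        e=$(selinux_type "$expected_ctx")
        if [ "$a" != "$e" ]; then
            printf '%s: type is %s, policy expects %s\n' "$path" "$a" "$e"
            rc=1
        fi
    done <<EOF
$1
EOF
    return "$rc"
}

# On an SELinux host, feed it live data: GNU stat prints the on-disk context
# with %C, and matchpathcon prints the context the policy assigns.
live_check() {
    report_mismatches "$(stat -c '%n %C' "$@")" "$(matchpathcon "$@")"
}

BEFORE='/etc/eucaconsole/console.crt system_u:object_r:eucaconsole_conf_t:s0
/etc/eucaconsole/console.key system_u:object_r:eucaconsole_conf_t:s0'
EXPECTED='/etc/eucaconsole/console.crt system_u:object_r:cert_t:s0
/etc/eucaconsole/console.key system_u:object_r:cert_t:s0'
AFTER=$EXPECTED   # labels after restorecon, as shown above

report_mismatches "$BEFORE" "$EXPECTED" || echo "restorecon needed"
report_mismatches "$AFTER" "$EXPECTED" && echo "labels match policy"
```

On a live host, `live_check /etc/eucaconsole/console.crt /etc/eucaconsole/console.key` runs the same comparison against the real files.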
