PEM Web Interface error "Could not connect to server: Permission denied"

Before installing PEM via the RPM method, it is mandatory to disable SELinux. If SELinux is disabled with the command setenforce 0,
the change applies only at runtime.
 
Initially the PEM web interface can be accessed through a browser without any issue. However, when the OS is next rebooted, SELinux reverts to Enforcing, because the earlier change was made only at session level.
From then on, the PEM web interface reports the error message below and does not allow login:
could not connect to server: Permission denied Is the server running on host "x.x.x.x" and accepting TCP/IP connections on port 5444 ?
 
[root@localhost Desktop]# getenforce
Enforcing
 
Solution:
 
To allow Apache to connect to the database under SELinux, use the commands below.
The -P option makes the change permanent. Without this option, the boolean would be reset to 0 at reboot.
 
[root@localhost Desktop]# setsebool -P httpd_can_network_connect 1
[root@localhost Desktop]# setsebool -P httpd_can_network_connect_db 1
 
[root@localhost Desktop]# getenforce
Enforcing
 
To verify the settings:
 
[root@localhost Desktop]# getsebool -a | grep httpd_can_network 
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
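
Both persistence traps described above (setenforce reverting at reboot, and setsebool run without -P) can be checked in one pass. This is an added example, not part of the original article; the function names and sample data are constructed, and it assumes `semanage boolean -l` prints each boolean as `name (current , default)`, where the second value is the one that applies after a reboot.

```shell
#!/bin/sh
# Added example, not from the article. Sample inputs below are constructed.
# On a live host: audit "$(getenforce)" "$(cat /etc/selinux/config)" "$(semanage boolean -l)"

# Print the SELINUX= mode from /etc/selinux/config-style text on stdin.
boot_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print "<current> <persistent>" for boolean $1 from `semanage boolean -l` text on stdin.
bool_states() {
    awk -v b="$1" '{ gsub(/[(),]/, " ") }
        $1 == b { print $2, $3; hit = 1 }
        END { if (!hit) print "missing missing" }'
}

# audit RUNTIME_MODE CONFIG_TEXT SEMANAGE_TEXT
# Returns non-zero if the current state will not survive a reboot.
audit() {
    rc=0
    runtime=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(printf '%s\n' "$2" | boot_mode)
    if [ "$runtime" != "$boot" ]; then
        echo "WARN mode: runtime=$runtime, after reboot=$boot (setenforce is runtime-only)"
        rc=1
    fi
    for b in httpd_can_network_connect httpd_can_network_connect_db; do
        states=$(printf '%s\n' "$3" | bool_states "$b")
        cur=${states% *}; per=${states#* }
        if [ "$cur" = on ] && [ "$per" = on ]; then
            echo "OK   $b: on now and after reboot"
        elif [ "$cur" = on ]; then
            echo "WARN $b: on now, $per after reboot (setsebool run without -P)"; rc=1
        else
            echo "FAIL $b: current=$cur persistent=$per"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: host put in permissive mode with setenforce 0, one boolean set without -P.
SAMPLE_CONFIG='SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_BOOLS='SELinux boolean                State  Default Description
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_can_network_connect_db   (on   ,  off)  Allow httpd to can network connect db'

audit Permissive "$SAMPLE_CONFIG" "$SAMPLE_BOOLS" || echo "=> fix the WARN/FAIL items before rebooting"
```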
 
 
Last update: 03-19-2019 10:29 AM (revision 5 of 5)
Comments

Hi, AmitSharma,

Thanks a lot for sharing this post.

However, after following the steps in my test environment (CentOS 7.6), I cannot restart httpd with SELinux enabled.

It shows log files cannot be accessed.

[me@pem7test ~]$ getenforce
Enforcing
[me@pem7test ~]$ getsebool -a | grep httpd_can_network 
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
[me@pem7test ~]$ sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[me@pem7test ~]$ sudo service httpd status -l
Redirecting to /bin/systemctl status  -l httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2019-04-12 03:52:00 UTC; 14s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 4080 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 4079 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 4079 (code=exited, status=1/FAILURE)

Apr 12 03:52:00 pem7test systemd[1]: Starting The Apache HTTP Server...
Apr 12 03:52:00 pem7test httpd[4079]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::4001:aff:fe80:7. Set the 'ServerName' directive globally to suppress this message
Apr 12 03:52:00 pem7test httpd[4079]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/logs/error_log.
Apr 12 03:52:00 pem7test httpd[4079]: AH00015: Unable to open logs
Apr 12 03:52:00 pem7test systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 12 03:52:00 pem7test kill[4080]: kill: cannot find process ""
Apr 12 03:52:00 pem7test systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 12 03:52:00 pem7test systemd[1]: Failed to start The Apache HTTP Server.
Apr 12 03:52:00 pem7test systemd[1]: Unit httpd.service entered failed state.
Apr 12 03:52:00 pem7test systemd[1]: httpd.service failed.
[me@pem7test ~]$ 

 

I checked the permissions on the mentioned file

[me@pem7test ~]$ sudo ls -l /etc/httpd/logs/
total 37616
-rw-r--r--. 1 root root     7090 Apr 12 03:26 access_log
-rw-r--r--. 1 root root  6243640 Mar 21 03:23 access_log-20190321
-rw-r--r--. 1 root root 10588538 Apr 12 03:16 access_log-20190412
-rw-r--r--. 1 root root     2058 Apr 12 03:43 error_log
-rw-r--r--. 1 root root   119345 Mar 21 03:23 error_log-20190321
-rw-r--r--. 1 root root    20087 Apr 12 03:16 error_log-20190412
-rw-r--r--. 1 root root        0 Mar 11 06:36 ssl_access_log
-rw-r--r--. 1 root root      564 Apr 12 03:43 ssl_error_log
-rw-r--r--. 1 root root     1504 Mar 21 02:35 ssl_error_log-20190321
-rw-r--r--. 1 root root     2444 Apr 12 02:52 ssl_error_log-20190412
-rw-r--r--. 1 root root     8770 Apr 12 03:26 ssl_request_log
-rw-r--r--. 1 root root  7999858 Mar 21 03:23 ssl_request_log-20190321
-rw-r--r--. 1 root root 13477859 Apr 12 03:16 ssl_request_log-20190412
[me@pem7test ~]$ sudo ls -l /etc/httpd/
total 0
drwxr-xr-x. 2 root root  37 Mar 11 05:58 conf
drwxr-xr-x. 2 root root 142 Mar 11 06:36 conf.d
drwxr-xr-x. 2 root root 185 Mar 11 05:58 conf.modules.d
lrwxrwxrwx. 1 root root  19 Mar 11 05:58 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root  29 Mar 11 05:58 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root  10 Mar 11 05:58 run -> /run/httpd
[me@pem7test ~]$ 

But the service can be started successfully if I immediately turn off SELinux

[me@pem7test ~]$ sudo setenforce 0
[me@pem7test ~]$ getenforce 
Permissive
[me@pem7test ~]$ sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
[me@pem7test ~]$ sudo service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-04-12 03:55:58 UTC; 6s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 4080 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
 Main PID: 4515 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─4515 /usr/sbin/httpd -DFOREGROUND
           ├─4516 EDBPEM          -DFOREGROUND
           ├─4517 /usr/sbin/httpd -DFOREGROUND
           ├─4518 /usr/sbin/httpd -DFOREGROUND
           ├─4519 /usr/sbin/httpd -DFOREGROUND
           ├─4520 /usr/sbin/httpd -DFOREGROUND
           └─4521 /usr/sbin/httpd -DFOREGROUND

Apr 12 03:55:58 pem7test systemd[1]: Starting The Apache HTTP Server...
Apr 12 03:55:58 pem7test systemd[1]: Started The Apache HTTP Server.
[me@pem7test ~]$ 

What should I set further to make it work under SELinux?

 

Thanks.

Hello Alex,

 

The issue reported above is for the PEM web console showing the error "Could not connect to server: Permission denied" when SELinux is not disabled and is Enforcing.

From the information you shared, we see that the issue is with the HTTPD services. This should not cause any issues here. We have tested the same scenario at our end and we do not see anything similar to yours. It works fine.

We suspect that this may be a permission issue, as the location /etc/httpd/logs is a symlink redirected to logs -> ../../var/log/httpd

Can you once verify the permissions on logs -> ../../var/log/httpd ?

Also, please check with your system admin why this is causing an issue with the HTTPD services. The article is for the PEM services; however, in your case we see it is affecting the standalone HTTPD services, which in our case work fine, hence please get in touch with your system admin to get more clarity on this.

[arun@localhost ~]$ getenforce
Enforcing
[arun@localhost ~]$ getsebool -a | grep httpd_can_network
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
[arun@localhost ~]$ sudo service httpd start
[sudo] password for arun: 
Redirecting to /bin/systemctl start httpd.service
[arun@localhost ~]$ sudo service httpd status -l
Redirecting to /bin/systemctl status  -l httpd.service
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Active: active (running) since Mon 2019-04-15 18:46:49 IST; 13s ago
    Docs: man:httpd(8)
          man:apachectl(8)
Main PID: 6676 (httpd)
  Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   Tasks: 6
  CGroup: /system.slice/httpd.service
          ├─6676 /usr/sbin/httpd -DFOREGROUND
          ├─6680 /usr/sbin/httpd -DFOREGROUND
          ├─6681 /usr/sbin/httpd -DFOREGROUND
          ├─6682 /usr/sbin/httpd -DFOREGROUND
          ├─6683 /usr/sbin/httpd -DFOREGROUND
          └─6684 /usr/sbin/httpd -DFOREGROUND

Apr 15 18:46:49 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Apr 15 18:46:49 localhost.localdomain httpd[6676]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Apr 15 18:46:49 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
[arun@localhost ~]$