Conflict with SELinux

#1
Hi,
We are very concerned about SELinux. We have been deploying SELinux on all our Linux Servers. When we started deploying OpenLiteSpeed in general, we encountered a conflict. We had to disable SELinux to make OpenLiteSpeed work. Please help us resolve this issue.

ps auxZ | grep litespeed

Got:

unconfined_service_t


Reference link:
https://github.com/aws/amazon-ssm-agent-selinux

Thanks
 

Cold-Egg

Administrator
#2
Hi, I launched a fresh AlmaLinux with SELinux enabled, and no such issue. Maybe the amazon-ssm-agent-selinux package has its own custom policy rules that are not compatible with OLS? You might want to generate a custom policy for the OLS process based on the existing policy.
 
#3
Hi @Cold-Egg,
Thank you for your reply and testing. To be clearer about this issue, I reproduced the error:

1. Environment: AlmaLinux 8.10
2. Run command: ps auxZ | grep litespeed
3. I get the error: unconfined_service_t

** amazon-ssm-agent-selinux is what I sent as a reference for how they do it. My environment where the error occurs does not use amazon-ssm-agent-selinux.

** How do you configure and create a separate policy for OLS with SELinux to avoid errors and install successfully?

Thank you.
 
#5
Hi @Cold-Egg ,
Thanks for your re-test and help.
The issue seems to be in the configuration - definition of SELinux. We are researching and re-researching. We will report back with results and discuss further.
Thanks
 
#6
> Hi, I launched a fresh AlmaLinux with SELinux enabled, and no such issue. Maybe the amazon-ssm-agent-selinux package has its own custom policy rules that are not compatible with OLS? You might want to generate a custom policy for the OLS process based on the existing policy.
I found the following thread before finding this one, and I'm wondering if this has been addressed: https://forum.openlitespeed.org/threads/no-selinux-support.4356/

The gist of it is that openlitespeed is/was requiring write access to /etc/ and access to the /etc/shadow file. Without those contexts, OLS won't run. And that thread also mentioned the unreserved issue.

Does OLS have a policy now? On RHEL 9.6 I don't see one. I'm still (finally) learning SELinux, so even if I'm right, I probably don't know what I'm doing.
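
A check for the symptom discussed in this thread, as an added example that is not from any poster or from the OpenLiteSpeed project: it reads `ps -eZ`-style output and reports whether each litespeed process runs in an unconfined domain such as unconfined_service_t, the label the targeted policy gives a service that no policy module confines. The sample process list, its PIDs and the httpd_t line are constructed for illustration, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: report the SELinux domain of each litespeed process.
# Input on stdin: `ps -eZ`-style lines (LABEL PID TTY TIME CMD).

# Extract the type from a context of the form user:role:type[:level].
# The MLS level can itself contain colons (s0-s0:c0.c1023), so take the
# third field counted from the left, never the last field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<pid> <type> <verdict>" for every process whose command name is
# exactly "litespeed" (the name grepped for in the thread).
ols_domains() {
    while read -r label pid _tty _time cmd _rest; do
        # Exact match skips the header line and the `grep litespeed`
        # process that shows up in `ps auxZ | grep litespeed`.
        [ "$cmd" = "litespeed" ] || continue
        setype=$(selinux_type "$label")
        case "$setype" in
            unconfined_service_t|unconfined_t) verdict=unconfined ;;
            *)                                 verdict=confined ;;
        esac
        printf '%s %s %s\n' "$pid" "$setype" "$verdict"
    done
}

# Constructed sample input (not captured from a real host). The last line
# shows what a process confined by some policy module would look like;
# httpd_t is used here only as an illustrative type.
sample_ps_output() {
    cat <<'EOF'
LABEL                                      PID TTY      TIME     CMD
system_u:system_r:unconfined_service_t:s0  1234 ?       00:00:01 litespeed
system_u:system_r:unconfined_service_t:s0  1240 ?       00:00:00 litespeed
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 grep
system_u:system_r:httpd_t:s0               3100 ?       00:00:00 litespeed
EOF
}

# Demo on the constructed sample; on a live host use: ps -eZ | ols_domains
sample_ps_output | ols_domains
```

A verdict of "unconfined" means SELinux is enforcing but no policy is restricting the web server process.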