Unable to start redis server when selinux enabled - Leap 16

Hi,
My main 15.6 failed significantly on upgrade to Leap 16.0 so I am taking the opportunity to have a clean out and start with a clean slate.
I have a separate small PC to use as a system to sort out certain issues.
The biggest problem to date is not being able to start the redis server (for Nextcloud) when selinux is enabled. I get a "Permission denied" error on /etc/redis/redis.conf
I have done some reading and got as far as running
semanage fcontext -a -t redis_conf_t '/etc/redis/(/.*)?'
restorecon '/etc/redis'

But no luck. Can someone help please?

Thanks

John

Start with

touch /.autorelabel
reboot

I tried this command in the /etc/redis directory, but it did nothing. :(

I do not understand what it means.

Which one? There were two commands.

Sorry, misunderstood - I see it produces a file in the root dir but doesn’t change the permissions problems

Reboot, try to start your application, post

ausearch -m avc -ts boot

It can be long, upload to https://paste.opensuse.org/

Paste uploaded on the link and saved. Plus, below is a subset of that output

----
time->Tue Oct 21 13:41:00 2025
type=AVC msg=audit(1761050460.533:55): avc:  denied  { read } for  pid=1135 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Oct 21 13:41:00 2025
type=AVC msg=audit(1761050460.856:61): avc:  denied  { read } for  pid=1192 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Oct 21 13:41:01 2025
type=AVC msg=audit(1761050461.193:67): avc:  denied  { read } for  pid=1228 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Oct 21 13:41:01 2025
type=AVC msg=audit(1761050461.522:70): avc:  denied  { read } for  pid=1249 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Oct 21 13:41:02 2025
type=AVC msg=audit(1761050462.022:73): avc:  denied  { read } for  pid=1254 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

You forgot to paste the link here.

https://paste.opensuse.org/pastes/5c7f95209a34

Show

ls -ilZ /etc/redis
saturn:/home/john # ls -ilZ /etc/redis
total 116
238621 drwxr-xr-x. 1 redis redis system_u:object_r:redis_conf_t:s0        82 Oct 20 17:16 includes
238664 -rw-r-----. 1 redis redis unconfined_u:object_r:user_home_t:s0 106638 Oct 20 17:26 redis.conf
238624 -rw-r-----. 1 redis redis system_u:object_r:redis_conf_t:s0       154 Aug  4 12:22 redis.default.conf.template
238625 -rw-rw----. 1 redis redis system_u:object_r:redis_conf_t:s0       148 Aug  4 12:22 sentinel.defaults.conf.template

PS: thanks for the help

Show

restorecon -nrv /etc/redis

Below is the output as requested:

saturn:/srv/www/htdocs/nextcloud/config # restorecon -nrv /etc/redis
Would relabel /etc/redis/redis.conf from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:redis_conf_t:s0

And now run

restorecon -rv /etc/redis
ls -lZ /etc/redis

Hi arvidjaar,
here is the output

saturn:/home/john # restorecon -rv /etc/redis
Relabeled /etc/redis/redis.conf from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:redis_conf_t:s0
saturn:/home/john # ls -lZ /etc/redis
total 116
drwxr-xr-x. 1 redis redis system_u:object_r:redis_conf_t:s0         82 Oct 20 17:16 includes
-rw-r-----. 1 redis redis unconfined_u:object_r:redis_conf_t:s0 106638 Oct 20 17:26 redis.conf
-rw-r-----. 1 redis redis system_u:object_r:redis_conf_t:s0        154 Aug  4 12:22 redis.default.conf.template
-rw-rw----. 1 redis redis system_u:object_r:redis_conf_t:s0        148 Aug  4 12:22 sentinel.defaults.conf.template

I am completely new to selinux, but can I ask what it is that you are looking for?

Does your program start now?

Hi arvidjaar,
That seems to have done it; redis now starts. I rebooted and I am able to start redis.
Can I confirm which commands would need to be run for a new system?

Commands to enable redis to start under selinux

1. semanage fcontext -a -t redis_conf_t '/etc/redis/(/.*)?'
2. touch /.autorelabel and then reboot - (is this still needed?)
3. restorecon -rv /etc/redis

Is that correct?

This is default and is not needed.

If you created (copied, restored from backup, whatever) a file with a wrong context, you need to relabel this file. Either 2 or 3 should have worked. I do not know why 2 did not work.

You can use matchpathcon to find out the expected security label:

tumbleweed:~ # matchpathcon /etc/redis/redis.conf
/etc/redis/redis.conf   system_u:object_r:redis_conf_t:s0
tumbleweed:~ #
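
The diagnosis followed in this thread, as an added example that was not posted by anyone in the thread: collapse the repeated AVC denials into one finding and compare the target file's type with the one matchpathcon reports, comparing only the type field because that is the part restorecon changed in the output above. The function names are hypothetical, and matching the AVC `name=` field to the basename of the matchpathcon path is an assumption (the AVC record carries no full path).

```python
import re
from collections import Counter

# Two of the denials posted above and the matchpathcon line from the answer.
AVC_SAMPLE = '''\
type=AVC msg=audit(1761050460.533:55): avc:  denied  { read } for  pid=1135 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761050460.856:61): avc:  denied  { read } for  pid=1192 comm="redis-server" name="redis.conf" dev="sda2" ino=238664 scontext=system_u:system_r:redis_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
'''
MATCHPATHCON_SAMPLE = "/etc/redis/redis.conf   system_u:object_r:redis_conf_t:s0\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    return context.split(":")[2]  # user:role:type:range

def parse_avc(text):
    """Yield one dict per 'avc: denied' line; other audit lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = tuple(m.group("perms").split())
        yield rec

def expected_types(matchpathcon_output):
    """Map basename -> expected type (assumption: basenames are unique here)."""
    pairs = (l.split() for l in matchpathcon_output.splitlines() if l.strip())
    return {path.rsplit("/", 1)[-1]: se_type(ctx) for path, ctx in pairs}

def mislabeled(avc_text, matchpathcon_output):
    """Collapse repeated denials; keep targets whose type differs from policy."""
    want = expected_types(matchpathcon_output)
    seen = Counter()
    for r in parse_avc(avc_text):
        key = (r["comm"], r["name"], r["ino"], se_type(r["scontext"]),
               se_type(r["tcontext"]), r["perms"])
        seen[key] += 1
    return [dict(comm=c, name=n, ino=i, domain=d, actual=a, perms=p, count=cnt,
                 expected=want[n])
            for (c, n, i, d, a, p), cnt in seen.items()
            if n in want and want[n] != a]

if __name__ == "__main__":
    for finding in mislabeled(AVC_SAMPLE, MATCHPATHCON_SAMPLE):
        print(finding)
```

A finding whose actual type differs from the expected one points at a file that needs relabelling, as restorecon -rv did above, rather than at a policy change.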

So if I only need command 1 (semanage…), why did it not work originally? Was it because I issued a [restorecon '/etc/redis'] command?
Anyway many thanks for the help and persevering with this.