Skip to main content

[Preview Feature] Workbench SELinux Policy Module with SSL & Postgres

Cecil Singh
  • Updated

Problem

You may notice the Workbench SELinux Policy Module causing issues with SSL and/or Postgres enabled on your server. For reference, this doc is below:
https://docs.posit.co/ide/server-pro/admin/access_and_security/selinux_configuration.html

It does work "out-of-the-box" on a standard Workbench install, however, using SSL and/or Postgres with your Workbench installation will cause the rstudio-server service to fail with misleading errors throughout the logs. In most cases it's SELinux stopping the Workbench service from starting.

Note that this is a preview feature. Preview features are unsupported and may face breaking changes in a future release. Any issues found in the feature will be addressed during the regular release schedule; they will not result in immediate patches or hotfixes.

We encourage customers to try these features and we welcome any feedback via Posit Support, but we recommend that the feature not be used in production until it is in general availability (i.e., officially released as a full feature). To provide feedback, please email your Posit Customer Success representative or sales@posit.co and specify that you are trialing this feature.

 

Solution

Load the Workbench SELinux policy module:

sudo semodule -i /usr/share/selinux/packages/workbench.pp

This example above is in the standard directory. If this file has been moved, you can find it with:

find / -type f -name "*.pp"

From there, if you are using SSL, you will see "SSL certificate not found" errors. This can be resolved with:

sudo semanage fcontext -a -t cert_t "/path/to/cert.crt"
sudo semanage fcontext -a -t cert_t "/path/to/key.key"
sudo restorecon -v /path/to/cert.crt
sudo restorecon -v /path/to/key.key

Where /path/to/cert.crt is replaced with the filepath to your SSL certificate file, and /path/to/key.key is the filepath to your private key file.

Next, if you are running Postgres as a database as specified in /etc/rstudio/database.conf, you will need to run the below:

sudo semanage port -m -t http_port_t -p tcp 5432

Change the port number if your Postgres installation doesn't use port 5432.  

From there, restart the Workbench and Launcher services:

sudo rstudio-server restart
sudo rstudio-launcher restart

Related articles

Comments

0 comments

Please sign in to leave a comment.