OpenVAS on CentOS7 Redis won't start

Thorin asked:

I am trying to get OpenVAS working per the the article below.

However it isn’t working, when I run openvas-check-setup I get this error below and when I check /var/log/redis/redis.log it says “Opening Unix socket: bind: Permission denied”

openvas-check-setup 2.3.7   Test completeness and readiness of OpenVAS-8   (add '--v6' or '--v7' or '--v9'    if you want to check for another OpenVAS version)

  Please report us any non-detected problems and   help us to improve this check routine:

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools   like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.7.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.0.7.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
        FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock

 ERROR: Your OpenVAS-8 installation is not yet complete!

My answer:

Congratulations, you’ve found a bad Internet tutorial. It appears that the author of that tutorial never actually tested it himself to see if it works, because it doesn’t work as-is. Worse, it appears that that tutorial is actually linked to from the official OpenVAS web site, which is going to mislead and frustrate a lot of people.

So, the reason redis is failing to start is because SELinux denies redis-server to write to /tmp. You can see this in your audit logs:

type=AVC msg=audit(1482284806.464:112): avc:  denied  { write } for  pid=1275 comm="redis-server" name="tmp" dev="dm-0" ino=33574981 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1482284806.464:112): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe55938670 a2=6e a3=7ffe55938614 items=0 ppid=1 pid=1275 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="redis-server" exe="/usr/bin/redis-server" subj=system_u:system_r:redis_t:s0 key=(null)

Rather than /tmp, the socket file should be located in /run/redis, for instance:

unixsocket /run/redis/redis.sock

This allows it to operate within the constraints SELinux imposes.

While editing /etc/redis.conf, be sure to check the bottom of the file for a second unixsocket directive that got added by openvas-setup and remove it as redundant.

Of course, generally on SELinux enabled systems, redis should be configured to listen to a TCP port on localhost, rather than using a socket, as other daemons might not be allowed to communicate with redis via a socket, but only via TCP. This isn’t really an issue here as OpenVAS isn’t (yet) SELinux-confined, but it also doesn’t support contacting redis via TCP. The result of this is that this redis installation cannot be shared or reused with any other services than the local copy of OpenVAS.

But there’s more than that wrong with this tutorial!

The second thing is that nowhere in it does OpenVAS ever get configured to actually use redis. It relies on the compiled in default, which as we have seen is wrong. To fix this requires setting a configuration directive in /etc/openvas/openvassd.conf, something which the tutorial never mentions:

kb_location = /run/redis/redis.sock

The third thing is that it uses a third party repo called atomic, which provides packages that conflict with packages in normal repos such as EPEL – which already provides redis and OpenVAS! It’s not clear why atomic have done this, nor why this tutorial uses atomic to begin with. Using repositories with conflicting packages is potentially dangerous. If you continue with using atomic packages, you will need to be absolutely certain that this (virtual) machine is never used for anything else for any reason whatsoever.

Finally, once you get it installed, the web interface isn’t actually reachable because the indicated port isn’t open in the firewall. You also have to do this yourself.

firewall-cmd --add-port=9392/tcp    # though this opens it to the world
firewall-cmd --runtime-to-permanent

Once you’re done, openvas-check-setup should say, among other things…

        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /run/redis/redis.sock
        OK: redis-server is running and listening on socket: /run/redis/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.

The irony is that it will then also say:

        ERROR: SELinux is enabled. For a working OpenVAS installation you need to disable it.
        FIX: Please disable SELinux.

Which appears to be completely gratuitous and unnecessary, as OpenVAS doesn’t run confined by SELinux anyway.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.