I had a similar issue but on a derivative of Arch Linux.
Redis had to be installed for OpenVAS and I was getting a permission error after attempting to start the service like this:
systemctl start redis.service
The error was visible using:
journalctl -xeu redis.service
as recommended by the systemctl command output.
When it attempted to create the Unix socket in /run (also linked from /var/run) it would fail because it could not create the file. I could manually create a redis subdirectory under /run using sudo and change the owner to the redis user, then start redis, but the directory kept disappearing later.
I tried re-installing with pacman because I was a bit lost but that didn't seem to help.
Solution in my case
After running
sudo systemctl enable redis.service
I can start the service and /run/redis (also linked as /var/run/redis) is present with a PID and Unix socket file as configured with the unixsocket entry in my config file.
I can confirm it's accessible with:
redis-cli -s /run/redis/redis.sock
After a reboot it's still good.
Congratulations, you've found a bad Internet tutorial. It appears that the author of that tutorial never actually tested it himself to see if it works, because it doesn't work as-is. Worse, it appears that that tutorial is actually linked to from the official OpenVAS web site, which is going to mislead and frustrate a lot of people.
So, the reason redis is failing to start is because SELinux denies redis-server to write to /tmp. You can see this in your audit logs:
type=AVC msg=audit(1482284806.464:112): avc: denied { write } for pid=1275 comm="redis-server" name="tmp" dev="dm-0" ino=33574981 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1482284806.464:112): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe55938670 a2=6e a3=7ffe55938614 items=0 ppid=1 pid=1275 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="redis-server" exe="/usr/bin/redis-server" subj=system_u:system_r:redis_t:s0 key=(null)
Rather than /tmp, the socket file should be located in /run/redis, for instance:
unixsocket /run/redis/redis.sock
This allows it to operate within the constraints SELinux imposes.
While editing /etc/redis.conf, be sure to check the bottom of the file for a second unixsocket directive that got added by openvas-setup and remove it as redundant.
Of course, generally on SELinux enabled systems, redis should be configured to listen to a TCP port on localhost, rather than using a socket, as other daemons might not be allowed to communicate with redis via a socket, but only via TCP. This isn't really an issue here as OpenVAS isn't (yet) SELinux-confined, but it also doesn't support contacting redis via TCP. The result of this is that this redis installation cannot be shared or reused with any other services than the local copy of OpenVAS.
But there's more than that wrong with this tutorial!
The second thing is that nowhere in it does OpenVAS ever get configured to actually use redis. It relies on the compiled in default, which as we have seen is wrong. To fix this requires setting a configuration directive in /etc/openvas/openvassd.conf, something which the tutorial never mentions:
kb_location = /run/redis/redis.sock
The third thing is that it uses a third party repo called atomic, which provides packages that conflict with packages in normal repos such as EPEL - which already provides redis and OpenVAS! It's not clear why atomic have done this, nor why this tutorial uses atomic to begin with. Using repositories with conflicting packages is potentially dangerous. If you continue with using atomic packages, you will need to be absolutely certain that this (virtual) machine is never used for anything else for any reason whatsoever.
Finally, once you get it installed, the web interface isn't actually reachable because the indicated port isn't open in the firewall. You also have to do this yourself.
firewall-cmd --add-port=9392/tcp # though this opens it to the world
firewall-cmd --runtime-to-permanent
Once you're done, openvas-check-setup should say, among other things...
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /run/redis/redis.sock
OK: redis-server is running and listening on socket: /run/redis/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
The irony is that it will then also say:
ERROR: SELinux is enabled. For a working OpenVAS installation you need to disable it.
FIX: Please disable SELinux.
Which appears to be completely gratuitous and unnecessary, as OpenVAS doesn't run confined by SELinux anyway.
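A check for the two Redis settings discussed in the answer above, as an added example that is not part of the original answers: it flags duplicate unixsocket directives, a socket under /tmp, and a kb_location that does not match. The function names and the sample files are constructed for illustration, and it assumes the last unixsocket line in redis.conf is the one Redis ends up using.

```sh
#!/bin/sh
# Added example (not from the original answers): cross-check redis.conf and
# openvassd.conf. Paths are arguments, so it can be run against copies.

# Print every unixsocket path set in a redis.conf, in file order.
# Commented-out lines and "unixsocketperm" are not matched.
redis_sockets() {
    awk '$1 == "unixsocket" { print $2 }' "$1"
}

# Print the kb_location value from openvassd.conf ("kb_location = /path").
kb_location() {
    sed -n 's/^[[:space:]]*kb_location[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# check_redis_socket REDIS_CONF OPENVASSD_CONF
# Prints one finding per line; returns 0 only when there are no findings.
check_redis_socket() {
    socks=$(redis_sockets "$1")
    count=$(printf '%s\n' "$socks" | awk 'NF { n++ } END { print n + 0 }')
    last=$(printf '%s\n' "$socks" | tail -n 1)   # assumption: last directive wins
    kb=$(kb_location "$2")
    rc=0
    if [ "$count" -eq 0 ]; then echo "no unixsocket directive in $1"; rc=1; fi
    if [ "$count" -gt 1 ]; then echo "$count unixsocket directives in $1; remove the redundant one"; rc=1; fi
    case $last in
        /tmp/*) echo "socket $last is under /tmp; the AVC denial shows redis_t cannot write there"; rc=1 ;;
    esac
    if [ "$kb" != "$last" ]; then echo "kb_location '$kb' does not match unixsocket '$last'"; rc=1; fi
    return $rc
}

# Constructed sample: a redis.conf with a second unixsocket line appended at the bottom.
demo=$(mktemp -d)
printf 'unixsocket /run/redis/redis.sock\nunixsocketperm 700\nunixsocket /tmp/redis.sock\n' > "$demo/redis.conf"
printf 'kb_location = /run/redis/redis.sock\n' > "$demo/openvassd.conf"
check_redis_socket "$demo/redis.conf" "$demo/openvassd.conf" || echo "=> fix the findings above"
rm -rf "$demo"
```

On a real host the arguments would be /etc/redis.conf and /etc/openvas/openvassd.conf, the two files named in the answer.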
Best Answer
My guess is you are using Ubuntu or some distro that mounts /var/run as tmpfs. So each reboot /var/run is cleaned out.
Run mount and if it lists /var/run separately then that is the case.