How to Resolve SELinux Log Permission Issues for Redis (Valkey) on Fedora 41

Ujjawal Saini

Fedora 41 introduced Valkey as a drop-in replacement for Redis. However, users upgrading from previous versions of Fedora or installing Valkey may encounter issues where the service fails to start due to SELinux denying access to the log file.

If you see an error like this:

sudo systemctl restart valkey.service
Job for valkey.service failed because the control process exited with error code.
See "systemctl status valkey.service" and "journalctl -xeu valkey.service" for details.

And checking logs with:

sudo journalctl -xeu valkey.service

Shows:

*** FATAL CONFIG FILE ERROR ***
Can't open the log file: Permission denied

Then SELinux is blocking Valkey from accessing its logs. Let's fix it properly without disabling SELinux.

Step 1: Verify the SELinux Denials

First, check SELinux audit logs for Valkey-related permission denials:

sudo ausearch -m avc -ts recent | grep valkey

If you see lines like:

type=AVC msg=audit(1739709137.172:375): avc:  denied  { open } for  pid=11144 comm="valkey-server" path="/var/log/redis/redis.log" ...

This confirms SELinux is blocking access to /var/log/redis/redis.log.

Step 2: Generate a Custom SELinux Policy

Instead of setting SELinux to permissive mode (which is a security risk), we can create a policy module that grants Valkey the necessary permissions.

Run:

sudo ausearch -m avc -ts recent | grep valkey | audit2allow -M valkey_custom

This generates two files:

  • valkey_custom.te (the policy source)

  • valkey_custom.pp (the compiled policy module)

Step 3: Install the Custom Policy Module

Now, install the generated policy:

sudo semodule -i valkey_custom.pp

This allows Valkey to access its log files without affecting other SELinux policies.

Step 4: Restart Valkey

Now, restart the service:

sudo systemctl restart valkey.service

Check its status:

systemctl status valkey.service

If everything is working correctly, Valkey should now start without permission errors.

Step 5: Confirm the Fix Persists After Reboot

The custom SELinux policy module is persistent across reboots, so you don't need to reapply it each time. However, if you ever need to remove it, use:

sudo semodule -r valkey_custom
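A review aid for Steps 1 and 2, added here and not part of the original post: `grep valkey` matches any audit line containing that string, and audit2allow writes an allow rule for every denial it is given, so this summarizes the denials by exact command name before a module is built. The function names, the SELinux type names and the /var/log/valkey path in the sample lines are constructed placeholders.

```shell
# Summarize AVC denials for one exact comm value so the access that
# audit2allow would grant can be read before running `semodule -i`.
# Real use: sudo ausearch -m avc -ts recent | summarize_avc valkey-server
summarize_avc() {
    awk -v want="$1" '
        /avc: +denied/ {
            perms = ""; c = ""; path = "-"; src = "?"; tgt = "?"; cls = "?"
            # Permissions sit between the braces, e.g. { open }
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            }
            # Remaining fields are key=value pairs
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                if (k == "comm") c = v
                else if (k == "path") path = v
                else if (k == "scontext") src = v
                else if (k == "tcontext") tgt = v
                else if (k == "tclass") cls = v
            }
            # Count identical denials once per distinct rule
            if (c == want) seen[perms " " cls " " src " -> " tgt " " path]++
        }
        END { for (r in seen) printf "%d %s\n", seen[r], r }
    ' | sort
}

# Constructed sample audit lines (placeholder types, not captured output).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1700000001.100:101): avc:  denied  { open } for  pid=2001 comm="valkey-server" path="/var/log/redis/redis.log" dev="dm-0" ino=4242 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.200:117): avc:  denied  { open } for  pid=2050 comm="valkey-server" path="/var/log/redis/redis.log" dev="dm-0" ino=4242 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000012.300:121): avc:  denied  { append } for  pid=2050 comm="valkey-server" path="/var/log/redis/redis.log" dev="dm-0" ino=4242 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000020.400:130): avc:  denied  { read } for  pid=2100 comm="logrotate" path="/var/log/valkey/valkey.log" dev="dm-0" ino=4300 scontext=system_u:system_r:example_rotate_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file permissive=0
EOF
}

sample_avc | summarize_avc valkey-server
```

The logrotate line in the sample would pass `grep valkey` because of its path, which is why the summary filters on the comm field; the generated valkey_custom.te can be read the same way before installing it.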

Final Thoughts

By applying this fix, you retain the security benefits of SELinux while ensuring Valkey operates correctly. Fedora 41 users migrating from Redis should find this a smooth way to get Valkey running without compromising system security.
