Bug 1529068
| Summary: | sudo systemctl enable tangd.socket --now failed | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | dwalsh, jpazdziora, kgliebov, lvrabec, mgrepl, npmccallum, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-283.35.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-07-06 15:44:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
audit.log contains
type=AVC msg=audit(1514278423.785:1729): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0
RHEL equivalent of this bugzilla is likely bug 1509055. I think this needs to be assigned to selinux... I've tested it on Fedora 27 VM in QEMU. First of all, it did not worked out of the box, because of lacking SELinux policy as mentioned above and then, after disabling SELinux, reinstall of tang was required to make clevis get the key, otherwise, I was getting "Unable to fetch advertisement: 'http://localhost/adv/'!", even though, tangd.socket was running ( checked by "systemctl status tangd.socket" ). Message from journarctl provides this suggestion:
May 17 14:28:47 localhost.localdomain python3[29820]: SELinux is preventing tangd from getattr access on the tcp_socket tcp_socket.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that tangd should be allowed getattr access on the tcp_socket tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tangd' --raw | audit2allow -M my-tangd
# semodule -X 300 -i my-tangd.pp
After executing provided commands and executing "echo hi | clevis encrypt tang '{"url": "http://localhost"}' > hi.jwe" I'm getting such messages in journalctl:
May 21 12:23:56 localhost.localdomain systemd[1]: Started Tang Server ([::1]:34536).
-- Subject: Unit tangd@5-::1:80-::1:34536.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit tangd@5-::1:80-::1:34536.service has finished starting up.
--
-- The start-up result is RESULT.
May 21 12:23:56 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@5-::1:80-::1:34536 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 21 12:23:56 localhost.localdomain tangd[27054]: ::1 GET /adv/ => 404 (src/tangd.c:70)
May 21 12:23:56 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@5-::1:80-::1:34536 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
This was done on Fedora 28 host.
selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1 selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1 selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: On a fully upgrade Fedora 27 system, I tried to follow man tang(8) Getting a Tang server up and running is simple: $ sudo systemctl enable tangd.socket --now Version-Release number of selected component (if applicable): tang-6-3.fc27.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. dnf install -y tang 2. sudo systemctl enable tangd.socket --now Actual results: Created symlink /etc/systemd/system/multi-user.target.wants/tangd.socket → /usr/lib/systemd/system/tangd.socket. Job for tangd.socket failed. See "systemctl status tangd.socket" and "journalctl -xe" for details. Expected results: No error and as the man page promises, That´s it. The server is now running with a fresh set of cryptographic keys and will automatically start on the next reboot. Additional info: ● tangd.socket - Tang Server socket Loaded: loaded (/usr/lib/systemd/system/tangd.socket; enabled; vendor preset: disabled) Active: failed (Result: resources) Listen: [::]:80 (Stream) Accepted: 0; Connected: 0 Dec 26 09:53:43 machine.example.com systemd[1]: tangd.socket: Failed to listen on sockets: Permission denied Dec 26 09:53:43 machine.example.com systemd[1]: Failed to listen on Tang Server socket. Dec 26 09:53:43 machine.example.com systemd[1]: tangd.socket: Unit entered failed state.