Bug 2151600
| Summary: | SELinux is preventing /usr/libexec/certmonger/ipa-submit from name_connect access on tcp_socket port 443 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Carlos Mogas da Silva <r3pek> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED MIGRATED | QA Contact: | Jan Ščotka <jscotka> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | CentOS Stream | CC: | bstinson, jwboyer, lvrabec, mmalik, nknazeko, zpytela |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-15 13:23:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Carlos Mogas da Silva
2022-12-07 15:38:21 UTC
Following what guide? Can you provide the full AVC output? Perhaps ausearch -m AVC for full context. > Following what guide? Oops... forgot to link to it (sorry): https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html(In reply to Rob Crittenden from comment #1) > Can you provide the full AVC output? Perhaps ausearch -m AVC for full > context. time->Wed Dec 7 15:11:19 2022 type=PROCTITLE msg=audit(1670425879.796:148): proctitle="/usr/libexec/certmonger/ipa-submit" type=SYSCALL msg=audit(1670425879.796:148): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7ffe53573ab0 a2=10 a3=7ffe53599080 items=0 ppid=1797 pid=2015 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1670425879.796:148): avc: denied { name_connect } for pid=2015 comm="ipa-submit" dest=443 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0 Have a bunch of this, but the "content" is always the same. It's just the retries I made trying to understand what was going on. It is failing due to changing the context of the port, per the guide: $ sudo semanage port -m -t websm_port_t -p tcp 443 certmonger does not manage its own SELinux policy. Overriding a port like this seems like it may break a lot of tools. Trying to install a custom policy to override http_port_t will fail because of policy priority differences so it may not be as simple as a custom policy. Re-assigning to selinux-policy for review. thx Rob. Since that was the problem, I've reverted the change and just made a local port forward using firewalld to be able to access :433 and keep all the selinux stuff intact. I really don't wanna mess with that. Anyway, I'll leave this open for the selinux folks just in case anyone wants some more info or test a way to do this. If anyone wants to close this as NOTABUG, not a problem for me. Hi Carlos, can you post here the guide where it was suggested to change the port? Thanks, Nikola (In reply to nknazeko from comment #6) > Hi Carlos, > > can you post here the guide where it was suggested to change the port? > It's on comment #2 ;) But I'll leave it here anyway https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html Thanks, there is also problem in the cockpit documentation: https://github.com/cockpit-project/cockpit/blob/main/doc/guide/listen.xml Changing SELinux type of 443 http_port_t will cause problems. More info: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-top_three_causes_of_problems-how_are_confined_services_running I have some trouble understanding this. `ipa-submit` has no business talking to Cockpit -- it needs to talk to the FreeIPA server. Are you saying you moved cockpit to FreeIPA's port, and ipa-submit tries to talk to Cockpit instead? Also, admittedly I don't know ipa-submit -- normally you'd use ipa-getcert request, see https://cockpit-project.org/guide/latest/https.html#https-certificates What exactly are you doing? Please describe step by step what you did. Note that current cockpit versions don't care about the permissions and ownership of the files in /etc/cockpit/ws-certs.d/, so you don't normally need to fumble around with SELinux contexts there. If you change cockpit's port away from 9090, you need a command like in https://cockpit-project.org/guide/latest/listen.html, but you already figured that out. However, that has nothing to do with FreeIPA. Thanks! Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |