Bug 2151856
| Summary: | Access to /etc/resolv.conf file is denied by selinux for Puma Webserver when it's a symlink or systemd-resolved is explicitly being used | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Sayan Das <saydas> | |
| Component: | SELinux | Assignee: | Ewoud Kohl van Wijngaarden <ekohlvan> | |
| Status: | CLOSED ERRATA | QA Contact: | Adam Ruzicka <aruzicka> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.11.4 | CC: | aruzicka, pcreech, pdwyer | |
| Target Milestone: | 6.13.0 | Keywords: | Triaged | |
| Target Release: | Unused | |||
| Hardware: | All | |||
| OS: | All | |||
| Whiteboard: | ||||
| Fixed In Version: | foreman-selinux-3.5.0 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2184131 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-03 13:23:38 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
FYI, I tested this using a hardlink instead of a softlink, and that works fine as long as both the hardlink and the original file have the net_conf_t context.

Upstream bug assigned to ekohlvan

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/34807 has been resolved.

Took a fresh 6.13 snap 4 and followed steps from #0. I have not encountered any denials nor have I noticed any odd behavior; the rule allowing foreman_rails_t to read symlinks labeled with net_conf_t is present. Moving to verified.
```
# rpm -q satellite foreman-selinux
satellite-6.13.0-2.stream.el8sat.noarch
foreman-selinux-3.5.1-1.el8sat.noarch
# sesearch -t net_conf_t --allow | grep foreman_rails_t
allow foreman_rails_t net_conf_t:file { getattr ioctl lock open read };
allow foreman_rails_t net_conf_t:lnk_file read;
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097
Description of problem:

SELinux denies access to read the /etc/resolv.conf file by the Puma webserver when Satellite needs to perform a DNS resolution before trying to initiate a connection to subscription.rhsm.redhat.com or cdn.redhat.com. This is only observed when /etc/resolv.conf is a symlink to a different file (or systemd-resolved is explicitly being used).

Version-Release number of selected component (if applicable):

Satellite 6.11 (on RHEL 7 or RHEL 8)

How reproducible:

Always

Steps to Reproduce:

1. Install a Satellite 6.11 and import a manifest file.
2. Ensure that /etc/resolv.conf has valid DNS server entries and there are no issues with resolving the DNS for rhsm or cdn URLs.
3. Execute the following steps:

```
# cp -par /etc/resolv.conf /etc/resolv.conf_orig
# cat /etc/resolv.conf > /etc/resolv.conf.manual
# rm /etc/resolv.conf
# cd /etc/
# ln -s resolv.conf.manual resolv.conf
# restorecon -RFv /etc/resolv.conf
# semanage fcontext -a -t etc_t "/etc/resolv.conf.manual"
# restorecon -Fv /etc/resolv.conf.manual
# ls -l /etc/resolv.conf* -Z
```

Final output:

```
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> resolv.conf.manual
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/resolv.conf.manual
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf_orig
```

4. Go to Satellite UI --> Content --> Subscriptions page and observe the behavior.

Actual results:

GUI:

Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)

production.log:

```
2022-11-30T08:05:38 [E|app|bcac0446] Katello::HttpErrors::BadRequest: Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)
bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:262:in `rescue in check_upstream_connection'
bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:259:in `check_upstream_connection'
```

audit.log:

```
type=AVC msg=audit(1669729383.473:15447): avc: denied { read } for pid=2064 comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
```

Expected results:

No such DNS issues and SELinux denials.

Additional info:

The same issue would happen when someone uses systemd-resolved on a RHEL 7 or RHEL 8 based Satellite. It can only be worked around in three ways:

A) Use nslookup to find the info and put the IP/hostname details for subscription.rhsm.redhat.com and cdn.redhat.com in the /etc/hosts file
B) Or run SELinux in permissive mode
C) Or else ensure that /etc/resolv.conf is not a symlink to any other file and has the net_conf_t context.
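A small triage helper for the AVC record and the sesearch listing quoted in this bug, added here as an example (not code from the bug report or from foreman-selinux): it parses the denial, decodes the hex-encoded comm field that auditd emits for names containing spaces, recognises the symlink-on-resolv.conf pattern, and checks whether a given `sesearch --allow` listing already grants the denied access.

```python
import re

# AVC record and sesearch output copied from this bug report (not constructed).
AVC_LINE = ('type=AVC msg=audit(1669729383.473:15447): avc: denied { read } for pid=2064 '
            'comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 '
            'scontext=system_u:system_r:foreman_rails_t:s0 '
            'tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0')
SESEARCH_OUT = ('allow foreman_rails_t net_conf_t:file { getattr ioctl lock open read };\n'
                'allow foreman_rails_t net_conf_t:lnk_file read;')


def parse_avc(line):
    """Return the fields that matter for triaging an AVC denial, or None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        return None
    rec = {'perms': set(m.group(1).split())}
    for key in ('scontext', 'tcontext', 'tclass', 'name', 'permissive'):
        km = re.search(r'\b%s=("?)([^"\s]*)\1' % key, line)
        rec[key] = km.group(2) if km else None
    # auditd hex-encodes comm= when the value contains spaces, as it does for
    # puma's worker threads; a quoted value is plain text and used as-is.
    cm = re.search(r'\bcomm=(?:"([^"]*)"|([0-9A-Fa-f]+))', line)
    if cm and cm.group(2):
        rec['comm'] = bytes.fromhex(cm.group(2)).decode('ascii', 'replace')
    else:
        rec['comm'] = cm.group(1) if cm else None
    # Third field of a context is the SELinux type (user:role:type:level).
    rec['stype'] = rec['scontext'].split(':')[2] if rec['scontext'] else None
    rec['ttype'] = rec['tcontext'].split(':')[2] if rec['tcontext'] else None
    return rec


def is_resolv_symlink_denial(rec):
    """True for this bug's pattern: reading the net_conf_t symlink itself was denied."""
    return (rec is not None and rec['tclass'] == 'lnk_file'
            and rec['ttype'] == 'net_conf_t' and rec['name'] == 'resolv.conf'
            and 'read' in rec['perms'])


_RULE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?));')


def policy_allows(sesearch_out, rec):
    """Check `sesearch --allow` text for a rule granting every denied permission."""
    for m in _RULE.finditer(sesearch_out):
        granted = set((m.group(4) or m.group(5)).split())
        key = (m.group(1), m.group(2), m.group(3))
        if key == (rec['stype'], rec['ttype'], rec['tclass']) and rec['perms'] <= granted:
            return True
    return False
```

Run `policy_allows` against the sesearch output from the verification comment and it returns True; against a listing that only has the `net_conf_t:file` rule it returns False, which is the pre-fix state the reporter hit.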