Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Description of problem:
SELinux denies the Puma webserver read access to the /etc/resolv.conf file when Satellite needs to perform a DNS resolution before trying to initiate a connection to subscription.rhsm.redhat.com or cdn.redhat.com.
This is only observed when /etc/resolv.conf is a symlink to a different file (or systemd-resolved is explicitly being used).
Version-Release number of selected component (if applicable):
Satellite 6.11 ( on RHEL 7 or RHEL 8 )
How reproducible:
Always
Steps to Reproduce:
1. Install a Satellite 6.11 and Import a manifest file.
2. Ensure that /etc/resolv.conf has valid DNS server entries and there are no issues with resolving the DNS for rhsm or cdn URLs.
3. Execute the following steps:
# cp -par /etc/resolv.conf /etc/resolv.conf_orig
# cat /etc/resolv.conf > /etc/resolv.conf.manual
# rm /etc/resolv.conf
# cd /etc/
# ln -s resolv.conf.manual resolv.conf
# restorecon -RFv /etc/resolv.conf
# semanage fcontext -a -t etc_t "/etc/resolv.conf.manual"
# restorecon -Fv /etc/resolv.conf.manual
# ls -l /etc/resolv.conf* -Z
Final output:
~~
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> resolv.conf.manual
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/resolv.conf.manual
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf_orig
~~
4. Go to Satellite UI --> Content --> Subscriptions page and observe the behavior
Actual results:
GUI:
Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)
production.log:
2022-11-30T08:05:38 [E|app|bcac0446] Katello::HttpErrors::BadRequest: Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)
bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:262:in `rescue in check_upstream_connection'
bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:259:in `check_upstream_connection'
audit.log:
type=AVC msg=audit(1669729383.473:15447): avc: denied { read } for pid=2064 comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
Expected results:
No such DNS issues or SELinux denials.
Additional info:
The same issue would happen when someone uses systemd-resolved on RHEL 7 or RHEL 8 based Sat.
It can only be worked around in three ways:
A) Use nslookup to find the info and put the IP/hostname details for subscription.rhsm.redhat.com and cdn.redhat.com in the /etc/hosts file
B) Or run SELinux in permissive mode
C) Or else ensure that /etc/resolv.conf is not a symlink to any other file and has the net_conf_t context.
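The audit.log record quoted above is the one artifact that pins the failure on SELinux rather than on DNS itself, but it is not easy to read: the comm= field is hex-encoded (auditd encodes any value containing spaces), and the denial is on the symlink class (tclass=lnk_file), not on the regular file. The following added example, which is not part of this bug report or of the foreman-selinux package, parses such an AVC record into its fields, decodes the hex comm value, checks whether the record matches the symlinked-resolv.conf pattern described here, and renders the allow rule in the same form sesearch prints it. The sample line is the report's own AVC record, embedded as a constant; the function names are this example's own.

```python
import re

# Sample input: the AVC record from this bug report, embedded verbatim.
SAMPLE_AVC = (
    'type=AVC msg=audit(1669729383.473:15447): avc: denied { read } for pid=2064 '
    'comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 '
    'scontext=system_u:system_r:foreman_rails_t:s0 '
    'tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0'
)

# key=value pairs; the value is either a double-quoted string or a run of non-spaces
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the decision and the permission set inside the braces
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
_MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Free-text fields that auditd hex-encodes (unquoted) when they contain spaces
# or other unsafe bytes; a quoted value is never hex-encoded.
TEXT_FIELDS = {'comm', 'name', 'exe', 'proctitle', 'cwd', 'path'}


def decode_audit_text(raw):
    """Decode an unquoted audit text field: hex-encoded -> original bytes as str."""
    if re.fullmatch(r'[0-9A-Fa-f]+', raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def context_type(ctx):
    """Return the type component (third field) of an SELinux context string."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict of decoded fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    rec = {'decision': m.group(1), 'perms': m.group(2).split()}
    msg = _MSG_RE.search(line)
    if msg:
        rec['timestamp'], rec['event_id'] = msg.group(1), msg.group(2)
    for key, raw in _KV_RE.findall(line):
        if key in ('type', 'msg'):
            continue
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in TEXT_FIELDS:
            rec[key] = decode_audit_text(raw)
        else:
            rec[key] = raw
    # Convenience fields: the subject and object types drive policy lookups.
    if 'scontext' in rec:
        rec['stype'] = context_type(rec['scontext'])
    if 'tcontext' in rec:
        rec['ttype'] = context_type(rec['tcontext'])
    return rec


def is_resolv_symlink_denial(rec):
    """True when the record matches the pattern in this report: a confined
    domain denied 'read' on the resolv.conf symlink labelled net_conf_t."""
    return (rec['decision'] == 'denied'
            and rec.get('tclass') == 'lnk_file'
            and 'read' in rec['perms']
            and rec.get('ttype') == 'net_conf_t'
            and rec.get('name') == 'resolv.conf')


def allow_rule(rec):
    """Render the rule that would permit this access, in sesearch's output form."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print('process :', record['comm'])          # Puma server thread name
    print('denied  :', record['stype'], '->', record['ttype'], record['tclass'], record['perms'])
    print('matches :', is_resolv_symlink_denial(record))
    print('rule    :', allow_rule(record))
```

On a live system the same function can be fed the output of `ausearch -m AVC -c puma` line by line. Comparing the rendered rule against `sesearch -t net_conf_t --allow` (as done in the verification comment further down) tells a defender whether the installed foreman-selinux policy already contains the `lnk_file read` permission, which is the difference between the broken and the fixed versions of the package.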
Took a fresh 6.13 snap 4 and followed steps from #0. I have not encountered any denials nor have I noticed any odd behavior, the rule allowing foreman_rails_t to read symlinks labeled with net_conf_t is present. Moving to verified.
# rpm -q satellite foreman-selinux
satellite-6.13.0-2.stream.el8sat.noarch
foreman-selinux-3.5.1-1.el8sat.noarch
# sesearch -t net_conf_t --allow | grep foreman_rails_t
allow foreman_rails_t net_conf_t:file { getattr ioctl lock open read };
allow foreman_rails_t net_conf_t:lnk_file read;
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:2097