Bug 2151856 - Access to /etc/resolv.conf file is denied by selinux for Puma Webserver when it's a symlink or systemd-resolved is explicitly being used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.11.4
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: 6.13.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Adam Ruzicka
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-12-08 11:04 UTC by Sayan Das
Modified: 2023-05-03 13:24 UTC

Fixed In Version: foreman-selinux-3.5.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2184131
Environment:
Last Closed: 2023-05-03 13:23:38 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 34807 0 Normal Closed Access to /etc/resolv.conf is denied when using systemd-resolved 2022-12-08 11:05:35 UTC
Red Hat Issue Tracker SAT-14331 0 None None None 2022-12-08 15:13:28 UTC
Red Hat Knowledge Base (Solution) 5043641 0 None None None 2022-12-12 09:02:09 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:24:22 UTC

Description Sayan Das 2022-12-08 11:04:48 UTC
Description of problem:

SELinux denies the Puma webserver read access to the /etc/resolv.conf file when Satellite needs to perform a DNS resolution before trying to initiate a connection to subscription.rhsm.redhat.com or cdn.redhat.com.

This is only observed when /etc/resolv.conf is a symlink to a different file (or systemd-resolved is explicitly being used).


Version-Release number of selected component (if applicable):

Satellite 6.11 ( on RHEL 7 or RHEL 8 )


How reproducible:

Always

Steps to Reproduce:
1. Install a Satellite 6.11 and Import a manifest file.

2. Ensure that /etc/resolv.conf has valid DNS server entries and there are no issues with resolving the DNS for rhsm or cdn URLs.

3. Execute the following steps:

# cp -par /etc/resolv.conf /etc/resolv.conf_orig
# cat /etc/resolv.conf > /etc/resolv.conf.manual
# rm /etc/resolv.conf
# cd /etc/
# ln -s resolv.conf.manual resolv.conf
# restorecon -RFv /etc/resolv.conf
# semanage fcontext -a -t etc_t "/etc/resolv.conf.manual"
# restorecon -Fv /etc/resolv.conf.manual
# ls -l /etc/resolv.conf*  -Z

Final output:
~~
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf -> resolv.conf.manual
-rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/resolv.conf.manual
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf_orig
~~

4. Go to Satellite UI --> Content --> Subscriptions page and observe the behavior


Actual results:

GUI:

Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)


production.log:

2022-11-30T08:05:38 [E|app|bcac0446] Katello::HttpErrors::BadRequest: Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)
 bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:262:in `rescue in check_upstream_connection'
 bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:259:in `check_upstream_connection'


audit.log:

type=AVC msg=audit(1669729383.473:15447): avc:  denied  { read } for  pid=2064 comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0


Expected results:

No such DNS issues and SELinux denials.


Additional info:

The same issue would happen when someone uses systemd-resolved on RHEL 7 or RHEL 8 based Sat.

It can only be worked around in three ways:

A) Use nslookup to find the info and put the IP\Hostname details for subscription.rhsm.redhat.com and cdn.redhat.com in the /etc/hosts file

B) Or run SELinux in permissive mode

C) Or else ensure that /etc/resolv.conf is not a symlink to any other file and has the net_conf_t context.

Comment 3 Sayan Das 2022-12-08 11:24:36 UTC
FYI, I tested this using a hardlink instead of a softlink, and that works fine as long as both the hardlink and the original file have the net_conf_t context.

Comment 4 Bryan Kearney 2022-12-08 12:03:30 UTC
Upstream bug assigned to ekohlvan

Comment 5 Bryan Kearney 2022-12-08 12:03:32 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/34807 has been resolved.

Comment 6 Adam Ruzicka 2023-01-03 12:41:42 UTC
Took a fresh 6.13 snap 4 and followed steps from #0. I have not encountered any denials nor have I noticed any odd behavior, the rule allowing foreman_rails_t to read symlinks labeled with net_conf_t is present. Moving to verified.

# rpm -q satellite foreman-selinux
satellite-6.13.0-2.stream.el8sat.noarch
foreman-selinux-3.5.1-1.el8sat.noarch

# sesearch -t net_conf_t --allow | grep foreman_rails_t
allow foreman_rails_t net_conf_t:file { getattr ioctl lock open read };
allow foreman_rails_t net_conf_t:lnk_file read;

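The denial in the description (foreman_rails_t reading a net_conf_t lnk_file) and the sesearch output in comment 6 (the allow rule that foreman-selinux 3.5 adds) can be checked against each other mechanically. The script below is an added example and is not part of this bug report or of the foreman-selinux project: it parses AVC records from audit.log, decodes the hex-encoded comm field (the audit subsystem hex-encodes values containing spaces, which is why the thread name "puma srv tp 001" appears as 70756D61...), extracts the source and target types, and reports any denial whose (source type, target type, class, permission) is not covered by an allow rule in sesearch format. The sample audit and policy lines are constructed from the text of this bug; function and variable names are the example's own.

```python
import re

# Constructed sample: the AVC from this bug plus an unrelated SYSCALL record.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1669729383.473:15447): avc:  denied  { read } for  pid=2064 '
    'comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 '
    'scontext=system_u:system_r:foreman_rails_t:s0 '
    'tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0',
    'type=SYSCALL msg=audit(1669729383.473:15447): arch=c000003e syscall=257 '
    'success=no exit=-13',
]

# Constructed sample of sesearch output, as shown in comment 6 (fixed policy).
FIXED_POLICY_RULES = [
    "allow foreman_rails_t net_conf_t:file { getattr ioctl lock open read };",
    "allow foreman_rails_t net_conf_t:lnk_file read;",
]
# The same policy without the lnk_file rule, i.e. the state before the fix.
OLD_POLICY_RULES = FIXED_POLICY_RULES[:1]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
COMM_RE = re.compile(r'\bcomm=(?P<comm>"[^"]*"|[0-9A-Fa-f]+)')
RULE_RE = re.compile(
    r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<tclass>\S+)\s+'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\S+?))\s*;'
)


def decode_comm(raw):
    """Return comm as text: quoted values are used as-is, bare hex is decoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode('utf-8', 'replace')


def type_of(context):
    """user:role:type:level -> type (index 2 is the type even with MLS ranges)."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm_m = COMM_RE.search(line)
    return {
        'result': m['result'],
        'perms': set(m['perms'].split()),
        'stype': type_of(m['scontext']),
        'ttype': type_of(m['tcontext']),
        'tclass': m['tclass'],
        'permissive': (m['permissive'] == '1') if m['permissive'] else None,
        'comm': decode_comm(comm_m['comm']) if comm_m else None,
    }


def parse_rules(lines):
    """Map (source type, target type, class) -> set of allowed permissions."""
    allowed = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            continue
        perms = set((m['perms'] or m['perm']).split())
        allowed.setdefault((m['src'], m['tgt'], m['tclass']), set()).update(perms)
    return allowed


def unresolved_denials(audit_lines, rule_lines):
    """Denials whose permissions are not covered by any allow rule.

    Each entry is (source type, target type, class, missing perms, comm).
    """
    allowed = parse_rules(rule_lines)
    out = []
    for line in audit_lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        key = (avc['stype'], avc['ttype'], avc['tclass'])
        missing = avc['perms'] - allowed.get(key, set())
        if missing:
            out.append(key + (sorted(missing), avc['comm']))
    return out


if __name__ == '__main__':
    for label, rules in (('old policy', OLD_POLICY_RULES), ('fixed policy', FIXED_POLICY_RULES)):
        print(label, '->', unresolved_denials(SAMPLE_AUDIT_LINES, rules) or 'no uncovered denials')
```

On a real system the audit lines come from `ausearch -m AVC` and the rule lines from `sesearch --allow -s foreman_rails_t -t net_conf_t`; the script expects the `allow ...;` text form that sesearch prints. A non-empty result after upgrading to foreman-selinux 3.5 would mean the denial is of a different kind than the one this bug fixes.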
Comment 10 errata-xmlrpc 2023-05-03 13:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097

