Bug #34807

Access to /etc/resolv.conf is denied when using systemd-resolved

Added by Ewoud Kohl van Wijngaarden 11 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Category: General Foreman
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

When using systemd-resolved (on EL7):

$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

And on EL8:

$ ls -lZ /etc/resolv.conf 
lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14  2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

In audit.log:

type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

audit2allow comes up with:

allow foreman_rails_t net_conf_t:lnk_file read;

The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.
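As an added illustration (not part of this report or of foreman-selinux), a small Python parser that turns AVC records like the one above into the audit2allow-style rule quoted above, and also notes whether the denial happened in enforcing mode (permissive=0). The regex and the sample log are constructed for this example.

```python
import re
# Constructed sample log: the AVC record quoted in the bug report, followed by
# its SYSCALL record (not an AVC line, so the parser must skip it).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1650708282.685:1292): arch=c000003e syscall=89 success=no exit=-13
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(ctx):
    """Type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Describe one AVC record as a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0: the domain was enforcing, so the access really failed
        "enforced": m.group("permissive") == "0",
    }

def allow_rules(log_text):
    """Aggregate denials into audit2allow-style rules, one per (src, tgt, class)."""
    needed = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        needed.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:  # audit2allow braces multi-permission sets
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

A rule produced this way is only a starting point: it grants exactly what was denied, so it should be checked against what the domain legitimately needs (here, reading the resolv.conf symlink) before it goes into a policy module.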

Associated revisions

Revision 9898d227 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Fixes #34807 - Compatibility with systemd-resolved

When using systemd-resolved the file /etc/resolv.conf is labeled as
net_conf_t. At least on EL7 this gave denials and resulted in not being
allowed to perform any name resolution, which is needed to connect to
Foreman Proxies and other external services.

History

#1 Updated by Ewoud Kohl van Wijngaarden 11 months ago

  • Description updated (diff)

#2 Updated by The Foreman Bot 11 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/142 added

#3 Updated by Amit Upadhye 10 months ago

  • Target version changed from 3.2.1 to 3.2.2

#4 Updated by The Foreman Bot 7 months ago

  • Fixed in Releases 3.5.0 added

#5 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Target version changed from 3.2.2 to 3.5.0

#7 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Triaged changed from No to Yes
