Bug #34807: Access to /etc/resolv.conf is denied when using systemd-resolved - SELinux - Foreman

Bug #34807

Access to /etc/resolv.conf is denied when using systemd-resolved

Added by Ewoud Kohl van Wijngaarden 11 months ago. Updated 4 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Ewoud Kohl van Wijngaarden

Category:

General Foreman

Target version:

Foreman - 3.5.0

Difficulty:

Triaged:

Yes

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman-selinux/pull/142

Fixed in Releases:

Foreman - 3.5.0

Found in Releases:

Foreman - 3.2.0

Red Hat JIRA:

Description

When using systemd-resolved (on EL7):

$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

And on EL8:

$ ls -lZ /etc/resolv.conf 
lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14  2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

In audit.log:

type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

audit2allow comes up with:

allow foreman_rails_t net_conf_t:lnk_file read;

The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.

Associated revisions

Revision 9898d227 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Fixes #34807 - Compatibility with systemd-resolved

When using systemd-resolved the file /etc/resolv.conf is labeled as
net_conf_t. At least on EL7 this gave denials and resulted in not being
allowed to perform any name resolution, which is needed to connect to
Foreman Proxies and other external services.