Bug #34807

Access to /etc/resolv.conf is denied when using systemd-resolved

Added by Ewoud Kohl van Wijngaarden 2 months ago. Updated about 1 month ago.

Status: Ready For Testing
Priority: Normal
Category: General Foreman
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

When using systemd-resolved (on EL7):

$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

And on EL8:

$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14  2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

In audit.log:

type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

audit2allow comes up with:

allow foreman_rails_t net_conf_t:lnk_file read;

The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.
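As an added illustration (not part of the report or of the foreman-selinux project), a POSIX shell filter that picks out, from audit.log records, exactly the class of denial shown above: a read denied on a lnk_file whose target type is net_conf_t, which is what the /etc/resolv.conf symlink created by systemd-resolved produces when a domain may read the resolver file but not follow the link. It then prints the allow rule audit2allow derives from each match. The sample records are constructed: only the first is the report's AVC; the others (an httpd_t denial on a plain file, a granted event, a SYSCALL record) are invented negatives the filter must ignore.

```shell
#!/bin/sh
# Constructed sample audit.log records. Line 1 is the AVC from the report;
# the rest are invented negatives: a file-class denial, a granted event,
# and a non-AVC record. The filter below must skip all three.
AUDIT_SAMPLE='type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1650708300.100:1293): avc:  denied  { read } for  pid=1801 comm="httpd" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1650708301.200:1294): avc:  granted  { read } for  pid=1776 comm="ruby" name="hosts" dev="dm-0" ino=1308499 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1650708282.685:1292): arch=c000003e syscall=2 success=no exit=-13 comm="diagnostic_con*"'

# Read audit records on stdin. For every AVC *denial* whose object class is
# lnk_file and whose target type equals $1 (default net_conf_t), print
# "<source_type> <target_type> lnk_file <permissions>". A lnk_file denial on
# net_conf_t is the signature of a domain that can read the resolver file
# itself but not the symlink systemd-resolved places at /etc/resolv.conf.
symlink_denials() {
    awk -v want="${1:-net_conf_t}" '
        /^type=AVC / && / denied / && / tclass=lnk_file/ {
            src = ""; tgt = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                # contexts look like user:role:type:level; the type is field 3
                if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
            }
            # the denied permissions sit between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            if (tgt == want) print src, tgt, "lnk_file", perm
        }'
}

# Turn each "src tgt class perm..." line into the rule audit2allow would
# print, bracing the permission list when there is more than one.
allow_rules() {
    awk '{
        perms = $4
        for (i = 5; i <= NF; i++) perms = perms " " $i
        if (NF > 4) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", $1, $2, $3, perms
    }'
}

# End to end on the constructed sample; yields exactly one line:
# allow foreman_rails_t net_conf_t:lnk_file read;
report_resolv_denials() {
    printf '%s\n' "$AUDIT_SAMPLE" | symlink_denials net_conf_t | allow_rules | sort -u
}
```

On a real host the same pipeline runs as `symlink_denials < /var/log/audit/audit.log | allow_rules | sort -u`; the lnk_file class in the output is what distinguishes this symlink case from an ordinary file-read denial.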

History

#1 Updated by Ewoud Kohl van Wijngaarden 2 months ago

  • Description updated (diff)

#2 Updated by The Foreman Bot 2 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/142 added

#3 Updated by Amit Upadhye about 1 month ago

  • Target version changed from 3.2.1 to 3.2.2
