Actions
Bug #34807
closed
Access to /etc/resolv.conf is denied when using systemd-resolved
Status:
Closed
Priority:
Normal
Assignee:
Category:
General Foreman
Target version:
Difficulty:
Triaged:
Yes
Description
When using systemd-resolved (on EL7):
$ ls -lZ /etc/resolv.conf lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
And on EL8:
$ ls -lZ /etc/resolv.conf lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14 2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
In audit.log:
type=AVC msg=audit(1650708282.685:1292): avc: denied { read } for pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
audit2allow comes up with:
allow foreman_rails_t net_conf_t:lnk_file read;
The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
- Description updated (diff)
Updated by The Foreman Bot about 3 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/foreman-selinux/pull/142 added
Updated by Amit Upadhye almost 3 years ago
- Target version changed from 3.2.1 to 3.2.2
Updated by Ewoud Kohl van Wijngaarden almost 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 9898d22722373c4f01a952fb3af14da4ce468317.
Updated by Ewoud Kohl van Wijngaarden over 2 years ago
- Target version changed from 3.2.2 to 3.5.0
Updated by Ewoud Kohl van Wijngaarden over 2 years ago
- Triaged changed from No to Yes
Actions