Bug #34807
Updated by Ewoud Kohl van Wijngaarden over 2 years ago
When using systemd-resolved (on EL7):
<pre>
$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
</pre>
And on EL8:
<pre>
$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14 2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
</pre>
In audit.log:
<pre>
type=AVC msg=audit(1650708282.685:1292): avc: denied { read } for pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
</pre>
audit2allow comes up with:
<pre>
allow foreman_rails_t net_conf_t:lnk_file read;
</pre>
The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.