
Bug #34807

Updated by Ewoud Kohl van Wijngaarden almost 2 years ago

When using systemd-resolved (on EL7):
<pre>
$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0    /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
</pre>

And on EL8:
<pre>
$ ls -lZ /etc/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:net_conf_t:s0 37 Feb 14 2021 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
</pre>

In audit.log:
<pre>
type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
</pre>

audit2allow comes up with:
<pre>
allow foreman_rails_t net_conf_t:lnk_file read;
</pre>

The result is that Foreman can't do any name resolution, which is needed to reach out to external services, such as Foreman Proxies.
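The AVC line above is the raw evidence for this bug, and the `allow` rule is what audit2allow derives from it. As an added example (not code from the bug report or from the Foreman project), the following Python parses AVC records of that shape, extracts the source type, target type, object class and denied permissions, and emits the same audit2allow-style rule. It also goes slightly beyond the single denial on the page: given several records it merges denials for the same source/target/class into one rule, which is how a reviewer would normally compare a candidate policy change against a whole audit log. The sample log lines are constructed for this example; the first one is modelled on the denial quoted above, the second (a `getattr` denial on the same symlink) is hypothetical and only there to show the merge.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system).
# Line 1 mirrors the denial reported in this bug; line 2 is a hypothetical
# getattr denial on the same object, added to demonstrate rule merging.
SAMPLE_LOG = """\
type=AVC msg=audit(1650708282.685:1292): avc:  denied  { read } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1650708282.686:1293): avc:  denied  { getattr } for  pid=1776 comm="diagnostic_con*" name="resolv.conf" dev="dm-0" ino=1308498 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1650708282.686:1293): arch=c000003e syscall=257 success=no exit=-13
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into its security-relevant parts.

    Returns None for lines that are not AVC records (SYSCALL, CWD, ...).
    The type is the third field of an SELinux context (user:role:type:level).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": sorted(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
    }


def format_perms(perms):
    """Render a permission set the way policy sources write it."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(avc):
    """Build the audit2allow-style rule that would permit one denial."""
    return (
        f"allow {avc['source_type']} {avc['target_type']}:"
        f"{avc['tclass']} {format_perms(avc['perms'])};"
    )


def rules_from_log(text):
    """Merge all denials in an audit log into the minimal set of allow rules.

    Denials sharing (source type, target type, class) are combined into one
    rule with the union of their permissions, so a reviewer sees the full
    access a module would grant rather than one rule per record.
    """
    wanted = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        key = (avc["source_type"], avc["target_type"], avc["tclass"])
        wanted[key].update(avc["perms"])
    return [
        f"allow {src} {tgt}:{cls} {format_perms(perms)};"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

Run against the constructed log this prints `allow foreman_rails_t net_conf_t:lnk_file { getattr read };`; on the single record from the report it reproduces `allow foreman_rails_t net_conf_t:lnk_file read;` exactly. The point of the merge is review, not policy generation: a rule that only permits reading the `/etc/resolv.conf` symlink (class `lnk_file`) is a narrow change, whereas a log that also shows denials against the symlink's target or other `net_conf_t` files would call for looking at which file contexts the systemd-resolved layout actually uses before widening the Foreman policy.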
