RHEL-28814

SELinux blocked FDO DB connection

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-9.5
    • rhel-9.4
    • selinux-policy
    • Blocker
    • ZStream
    • sst_security_selinux
    • ssg_security
    • CY24Q2
    • Approved Blocker
    • Known Issue
      .Missing rules in the SELinux policy block permissions to SQL databases

      Missing permission rules in the SELinux policy block connections to SQL databases. Consequently, the FIDO Device Onboard (FDO) services `fdo-manufacturing-server.service`, `fdo-owner-onboarding-server.service`, and `fdo-rendezvous-server.service` cannot connect to the FDO databases, such as PostgreSQL and SQLite. Therefore, the system cannot start FDO with the supported databases, which hold credentials and other parameters, such as stored ownership vouchers.

      You can work around this problem by performing the following steps:

      . Create a new file named `local_fdo_update.cil` and enter the missing SELinux policy rules:
      +
      ----
      (allow fdo_t etc_t (file (write)))
      (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write )))
      (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write )))
      (allow fdo_t fdo_var_lib_t (file (create setattr unlink write )))
      (allow fdo_t krb5_keytab_t (dir (search)))
      (allow fdo_t postgresql_port_t (tcp_socket (name_connect)))
      (allow fdo_t sssd_t (unix_stream_socket (connectto)))
      (allow fdo_t sssd_var_run_t (sock_file (write)))
      ----

      . Install the policy module:
      +
      ----
      # semodule -i local_fdo_update.cil
      ----

      As a result, FDO can connect to the PostgreSQL database, and the module also fixes the SQLite permission problems under `/var/lib/fdo/`, where the SQLite database files are expected to be located.

      FDO services fdo-manufacturing-server.service, fdo-owner-onboarding-server.service, and fdo-rendezvous-server.service can't connect to the postgres DB. SELinux blocked the connection.

      SELinux log:


      [admin@rhel-9-4-240312122721 ~]$ sudo ausearch -m avc -m user_avc -m selinux_err -i
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1725) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1725) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f3bc40095b0 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.243:1725) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.249:1726) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc800b5a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1727) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d9f0 a2=0x6e a3=0x7f4a4400f3f0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1728) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1728) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be19989f0 a2=0x6e a3=0x7f3bc800cb80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1728) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.372:1730) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.372:1730) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d620 a2=0x6e a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.372:1730) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1852) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1852) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c800d1c0 a2=0x10 a3=0x7f69d037d100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1853) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1853) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f69ac009ce0 a2=0x10 a3=0x7f69d057e100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1853) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1854) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1854) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac008a60 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1854) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1855) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1855) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f69d057d9f0 a2=0x6e a3=0x7f69ac00a970 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1855) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.517:1939) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.517:1939) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c801fb00 a2=0x10 a3=0x7f69d077f100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.517:1939) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1940) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1940) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac00a4d0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1940) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1941) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1941) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xc a1=0x7f69d077e9f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { connectto } for  pid=24578 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2018) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2018) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f4a4400d830 a2=0x10 a3=0x7f4a54e0e100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2018) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2019) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2019) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xc a1=0x7f4a3800a970 a2=0x10 a3=0x7f4a54c0d100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2019) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2020) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2020) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f4a3c0098d0 a2=0x10 a3=0x7f4a54a09100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2020) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2021) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2021) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a38023230 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2021) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.594:2022) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.594:2022) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54c0c9f0 a2=0x6e a3=0x7f4a559fac80 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-1 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.598:2023) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.598:2023) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.598:2023) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.670:2101) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.670:2101) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc40160a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.670:2101) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.671:2102) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.671:2102) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.678:2103) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.678:2103) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xd a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.678:2103) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2195) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2195) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc8038840 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.747:2195) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2196) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2196) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a4400e600 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.747:2196) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2197) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2197) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7f3be1d9a9f0 a2=0x6e a3=0x7f3be29fac80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.748:2197) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2198) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2198) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x11 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.748:2198) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
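
As an added illustration (not part of this issue or of the selinux-policy project), the following Python script parses the AVC records from `ausearch -m avc -i` output such as the log above, turns each denial into the CIL allow rule that would permit it, and reports which denials the `local_fdo_update.cil` workaround from the Known Issue text does not cover. Only the record format and the rules shown on this page are assumed; the `EXTRA_AVC` record is constructed to show how a gap is reported.

```python
"""Map SELinux AVC denials (ausearch -m avc -i output) to CIL allow rules and
check whether a CIL module already covers them."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# The workaround module exactly as given in the Known Issue text of this issue.
WORKAROUND_CIL = """\
(allow fdo_t etc_t (file (write)))
(allow fdo_t fdo_conf_t (file (append create rename setattr unlink write )))
(allow fdo_t fdo_var_lib_t (dir (add_name remove_name write )))
(allow fdo_t fdo_var_lib_t (file (create setattr unlink write )))
(allow fdo_t krb5_keytab_t (dir (search)))
(allow fdo_t postgresql_port_t (tcp_socket (name_connect)))
(allow fdo_t sssd_t (unix_stream_socket (connectto)))
(allow fdo_t sssd_var_run_t (sock_file (write)))
"""

# Sample input: four AVC records copied from the ausearch output in the issue
# description, one per distinct denial (SYSCALL/PROCTITLE records are skipped).
SAMPLE_AVC = """\
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
"""

# Constructed record (NOT from the issue's log): asks for a permission the
# workaround module does not grant, to show how a gap is reported.
EXTRA_AVC = (
    "type=AVC msg=audit(03/12/2024 00:50:00.000:9999) : avc:  denied  { read write } "
    "for  pid=1 comm=example scontext=system_u:system_r:fdo_t:s0 "
    "tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# (allow <source> <target> (<class> (<perm> ...)))  -- tolerates the trailing
# space inside the permission list that the workaround module contains.
CIL_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\(\s*(\S+)\s+\(([^()]*)\)\s*\)\s*\)")

Key = Tuple[str, str, str]  # (source type, target type, object class)


class Denial(NamedTuple):
    key: Key
    perms: frozenset
    permissive: bool  # permissive=1: audited but allowed; blocked only when enforcing


def type_of(context: str) -> str:
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(text: str) -> List[Denial]:
    """Pick the AVC records out of ausearch output; other record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denials.append(Denial(key, frozenset(m["perms"].split()), m["permissive"] == "1"))
    return denials


def parse_cil(text: str) -> Dict[Key, Set[str]]:
    """Collect the permissions each (source, target, class) triple is allowed."""
    rules: Dict[Key, Set[str]] = {}
    for src, tgt, cls, perms in CIL_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def uncovered(denials: List[Denial], rules: Dict[Key, Set[str]]) -> Dict[Key, Set[str]]:
    """Permissions the denials need that no rule grants, grouped by triple."""
    missing: Dict[Key, Set[str]] = {}
    for d in denials:
        need = d.perms - rules.get(d.key, set())
        if need:
            missing.setdefault(d.key, set()).update(need)
    return missing


def to_cil(missing: Dict[Key, Set[str]]) -> List[str]:
    """Render the gaps as CIL allow rules in the same form as the workaround module."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(missing.items())]


if __name__ == "__main__":
    rules = parse_cil(WORKAROUND_CIL)
    for label, log in (("issue log", SAMPLE_AVC), ("constructed record", EXTRA_AVC)):
        gaps = to_cil(uncovered(parse_avc(log), rules))
        print(f"{label}: " + ("covered by module" if not gaps else "missing rules:"))
        for rule in gaps:
            print("  " + rule)
```

Every record in the log above carries `permissive=1`, so at the time it was recorded the access was audited but not refused; the same records become hard failures once the domain (or the system) runs enforcing, which is what the script's coverage check anticipates.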


      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.33-1.el9.noarch
      selinux-policy-targeted-38.1.33-1.el9.noarch

      fdo-manufacturing-server-0.5.0-2.el9.x86_64
      fdo-owner-cli-0.5.0-2.el9.x86_64
      fdo-owner-onboarding-server-0.5.0-2.el9.x86_64
      fdo-rendezvous-server-0.5.0-2.el9.x86_64
      fdo-client-0.5.0-2.el9.x86_64
      fdo-init-0.5.0-2.el9.x86_64
      fdo-admin-cli-0.5.0-2.el9.x86_64

      How reproducible:

      Steps to reproduce

      1. Deploy a PSI OpenStack VM with RHEL 9.4 installed (nested virtualization supported)
      2. git clone -b postgres https://github.com/henrywang/rhel-edge.git
      3. cd rhel-edge
      4. DOWNLOAD_NODE=<compose url> ./ostree-simplified-installer.sh

      Expected results

      Success without error

      Actual results

      SELinux blocked the DB connection.

        1. fdo-denials.log (2.47 MB)
        2. journalctl-fdo.txt (29 kB)
        3. run-onboarding-dir.log (2 kB)

            Zdenek Pytela (rhn-support-zpytela)
            Xiaofeng Wang (xiaofwan@redhat.com)
            Zdenek Pytela
            Milos Malik
            Jan Fiala
            Votes: 0
            Watchers: 17