Bug | Resolution: Unresolved | Major | rhel-9.4 | None | Critical | ZStream | 1 | rhel-sst-security-selinux | ssg_security | 2 | False | Yes | CY24Q2 | Approved Blocker | None | None | Known Issue | Done | None
The FDO services fdo-manufacturing-server.service, fdo-owner-onboarding-server.service and fdo-rendezvous-server.service cannot connect to the PostgreSQL database: SELinux blocks the connection. The fdo_t domain is denied name_connect to postgresql_port_t (TCP 5432); the same processes are also denied search on a krb5_keytab_t directory and connectto/write on the sssd KCM socket (/run/.heim_org.h5l.kcm-socket). The AVC records below carry permissive=1, i.e. they were captured in permissive mode; in enforcing mode the same accesses are denied.
SELinux log:
[admin@rhel-9-4-240312122721 ~]$ sudo ausearch -m avc -m user_avc -m selinux_err -i
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1725) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1725) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f3bc40095b0 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.243:1725) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.249:1726) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc800b5a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc: denied { search } for pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1727) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d9f0 a2=0x6e a3=0x7f4a4400f3f0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc: denied { connectto } for pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc: denied { write } for pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1728) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1728) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be19989f0 a2=0x6e a3=0x7f3bc800cb80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.250:1728) : avc: denied { write } for pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.372:1730) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.372:1730) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d620 a2=0x6e a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.372:1730) : avc: denied { connectto } for pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1852) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1852) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c800d1c0 a2=0x10 a3=0x7f69d037d100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc: denied { name_connect } for pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1853) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1853) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f69ac009ce0 a2=0x10 a3=0x7f69d057e100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:44:15.427:1853) : avc: denied { name_connect } for pid=24578 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1854) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1854) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac008a60 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:44:15.427:1854) : avc: denied { search } for pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1855) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1855) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f69d057d9f0 a2=0x6e a3=0x7f69ac00a970 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:44:15.427:1855) : avc: denied { write } for pid=24578 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.517:1939) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:45:15.517:1939) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c801fb00 a2=0x10 a3=0x7f69d077f100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:45:15.517:1939) : avc: denied { name_connect } for pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1940) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1940) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac00a4d0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:45:15.518:1940) : avc: denied { search } for pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1941) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1941) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xc a1=0x7f69d077e9f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc: denied { connectto } for pid=24578 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc: denied { write } for pid=24578 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2018) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2018) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f4a4400d830 a2=0x10 a3=0x7f4a54e0e100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.593:2018) : avc: denied { name_connect } for pid=24584 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2019) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2019) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xc a1=0x7f4a3800a970 a2=0x10 a3=0x7f4a54c0d100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.593:2019) : avc: denied { name_connect } for pid=24584 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2020) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2020) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f4a3c0098d0 a2=0x10 a3=0x7f4a54a09100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.593:2020) : avc: denied { name_connect } for pid=24584 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2021) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2021) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a38023230 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.593:2021) : avc: denied { search } for pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.594:2022) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.594:2022) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54c0c9f0 a2=0x6e a3=0x7f4a559fac80 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc: denied { connectto } for pid=24584 comm=r2d2-worker-1 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc: denied { write } for pid=24584 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.598:2023) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:46:15.598:2023) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:46:15.598:2023) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.670:2101) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:47:15.670:2101) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc40160a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:47:15.670:2101) : avc: denied { search } for pid=24579 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.671:2102) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:47:15.671:2102) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc: denied { connectto } for pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc: denied { write } for pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.678:2103) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:47:15.678:2103) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xd a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:47:15.678:2103) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2195) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2195) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc8038840 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:48:15.747:2195) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2196) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2196) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a4400e600 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:48:15.747:2196) : avc: denied { search } for pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2197) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2197) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7f3be1d9a9f0 a2=0x6e a3=0x7f3be29fac80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:48:15.748:2197) : avc: denied { write } for pid=24579 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2198) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2198) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x11 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:48:15.748:2198) : avc: denied { connectto } for pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
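The log above repeats the same few denials across three daemons and several worker threads; what matters for the policy fix is the set of distinct (source type, target type, class, permission) tuples, and whether the records were taken in permissive mode. The script below is an added example for this report (not code from the FDO project or from selinux-policy): it parses `ausearch -i` output, whether one record per line or flattened onto a single line as on this page, reduces it to the unique denials, checks the permissive flag, and drafts the allow rules an interim local module would need, in the shape `audit2allow` produces. SAMPLE_LOG is a constructed excerpt of four records from the log; the function names and the module name fdo_local are illustrative.

```python
"""Summarise SELinux AVC denials from `ausearch -i` output and draft the
allow rules an interim local module would need (added example; not FDO or
selinux-policy code). SAMPLE_LOG is a constructed excerpt of this report."""
import re
from collections import defaultdict

# Constructed excerpt: four records from the page, in `ausearch -i` layout.
SAMPLE_LOG = """\
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc: denied { search } for pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc: denied { connectto } for pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc: denied { write } for pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
"""

# One AVC record: permissions, the "for ..." details, both contexts, class, flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<detail>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record. Never needs a newline, so it also
    handles logs that were flattened onto one line."""
    records = []
    for m in AVC_RE.finditer(text):
        detail = dict(kv.split("=", 1) for kv in m.group("detail").split() if "=" in kv)
        records.append({
            "perms": m.group("perms").split(),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": detail.get("comm"),
            # the object: a port for sockets, otherwise a path or file name
            "object": detail.get("dest") or detail.get("path") or detail.get("name"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def unique_denials(records):
    """Distinct (source type, target type, class, permission) tuples, sorted."""
    return sorted({(r["stype"], r["ttype"], r["tclass"], p)
                   for r in records for p in r["perms"]})


def all_permissive(records):
    """True when every denial carries permissive=1: the access went through and
    the log only shows what enforcing mode would block."""
    return bool(records) and all(r["permissive"] for r in records)


def draft_te(records, module="fdo_local"):
    """Draft a type-enforcement module in the shape audit2allow emits.
    Interim workaround only; keep the rules as narrow as the log."""
    rules, types, classes = defaultdict(set), set(), defaultdict(set)
    for stype, ttype, tclass, perm in unique_denials(records):
        rules[(stype, ttype, tclass)].add(perm)
        types.update((stype, ttype))
        classes[tclass].add(perm)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_LOG)
    print(f"{len(recs)} AVC records, all permissive: {all_permissive(recs)}")
    for d in unique_denials(recs):
        print("  %s -> %s:%s %s" % d)
    print(draft_te(recs))
```

On the reported system the full log reduces to four tuples: fdo_t name_connect on postgresql_port_t (tcp_socket), search on krb5_keytab_t (dir), connectto on sssd_t (unix_stream_socket) and write on sssd_var_run_t (sock_file). The first is the database connection the report is about; the other three are most likely side effects of the PostgreSQL client library probing for Kerberos credentials (client keytab, then the sssd KCM socket) before falling back to password authentication, which is an interpretation, not something the log states. To apply the draft as a stopgap, the standard tooling is `checkmodule -M -m -o fdo_local.mod fdo_local.te`, `semodule_package -o fdo_local.pp -m fdo_local.mod` and `semodule -i fdo_local.pp` (or `audit2allow -M fdo_local` on the raw log); the durable fix belongs in the selinux-policy fdo module, which is the component this bug is filed against.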
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch
fdo-manufacturing-server-0.5.0-2.el9.x86_64
fdo-owner-cli-0.5.0-2.el9.x86_64
fdo-owner-onboarding-server-0.5.0-2.el9.x86_64
fdo-rendezvous-server-0.5.0-2.el9.x86_64
fdo-client-0.5.0-2.el9.x86_64
fdo-init-0.5.0-2.el9.x86_64
fdo-admin-cli-0.5.0-2.el9.x86_64
How reproducible:
Steps to reproduce
- Deploy a PSI OpenStack VM with RHEL 9.4 installed (nested virtualization supported)
- git clone -b postgres https://github.com/henrywang/rhel-edge.git
- cd rhel-edge
- DOWNLOAD_NODE=<compose url> ./ostree-simplified-installer.sh
Expected results
Success without error
Actual results
SELinux blocks the database connection (see the AVC denials above).