Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-28814

Selinux blocked FDO DB connection

    • None
    • Critical
    • ZStream
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 2
    • False
    • Hide

      None

      Show
      None
    • Yes
    • CY24Q2
    • Approved Blocker
    • None
    • None
    • Known Issue
    • Hide
      .Missing rules in the SELinux policy block permissions to SQL databases

      Missing permission rules from the SELinux policy block connections to SQL databases. Consequently, the FIDO Device Onboard (FDO) services `fdo-manufacturing-server.service`, `fdo-owner-onboarding-server.service`, and `fdo-rendezvous-server.service` cannot connect with FDO databases, such as PostgreSQL and SQLite. Therefore, the system cannot start the FDO by using the supported databases for credentials and other parameters, such as storing ownership vouchers.

      You can work around this problem by performing the following steps:

      . Create a new file named `local_fdo_update.cil` and enter the missing SELinux policy rules:
      +
      ----
      (allow fdo_t etc_t (file (write)))
      (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write )))
      (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write )))
      (allow fdo_t fdo_var_lib_t (file (create setattr unlink write )))
      (allow fdo_t krb5_keytab_t (dir (search)))
      (allow fdo_t postgresql_port_t (tcp_socket (name_connect)))
      (allow fdo_t sssd_t (unix_stream_socket (connectto)))
      (allow fdo_t sssd_var_run_t (sock_file (write)))
      ----

      . Install the policy module package:
      +
      ----
      # semodule -i local_fdo_update.cil
      ----

      As a consequence, FDO can connect with the PostgreSQL database and also fix problems related to SQLite permissions over `/var/lib/fdo/`, where the SQLite database files are expected to be located.
      Show
      .Missing rules in the SELinux policy block permissions to SQL databases Missing permission rules from the SELinux policy block connections to SQL databases. Consequently, the FIDO Device Onboard (FDO) services `fdo-manufacturing-server.service`, `fdo-owner-onboarding-server.service`, and `fdo-rendezvous-server.service` cannot connect with FDO databases, such as PostgreSQL and SQLite. Therefore, the system cannot start the FDO by using the supported databases for credentials and other parameters, such as storing ownership vouchers. You can work around this problem by performing the following steps: . Create a new file named `local_fdo_update.cil` and enter the missing SELinux policy rules: + ---- (allow fdo_t etc_t (file (write))) (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write ))) (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write ))) (allow fdo_t fdo_var_lib_t (file (create setattr unlink write ))) (allow fdo_t krb5_keytab_t (dir (search))) (allow fdo_t postgresql_port_t (tcp_socket (name_connect))) (allow fdo_t sssd_t (unix_stream_socket (connectto))) (allow fdo_t sssd_var_run_t (sock_file (write))) ---- . Install the policy module package: + ---- # semodule -i local_fdo_update.cil ---- As a consequence, FDO can connect with the PostgreSQL database and also fix problems related to SQLite permissions over `/var/lib/fdo/`, where the SQLite database files are expected to be located.
    • Done
    • None

      FDO services fdo-manufacturing-server.service, fdo-owner-onboarding-server.service, fdo-rendezvous-server.service can't connect with postgres db. Selinux blocked the connection.

      Selinux log:

       

      [admin@rhel-9-4-240312122721 ~]$ sudo ausearch -m avc -m user_avc -m selinux_err -i
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1725) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1725) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f3bc40095b0 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.243:1725) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.249:1726) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc800b5a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1727) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d9f0 a2=0x6e a3=0x7f4a4400f3f0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1728) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1728) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be19989f0 a2=0x6e a3=0x7f3bc800cb80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.250:1728) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:43:15.372:1730) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:43:15.372:1730) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d620 a2=0x6e a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:43:15.372:1730) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1852) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1852) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c800d1c0 a2=0x10 a3=0x7f69d037d100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1853) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1853) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f69ac009ce0 a2=0x10 a3=0x7f69d057e100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1853) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1854) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1854) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac008a60 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1854) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1855) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1855) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f69d057d9f0 a2=0x6e a3=0x7f69ac00a970 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:44:15.427:1855) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.517:1939) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.517:1939) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c801fb00 a2=0x10 a3=0x7f69d077f100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.517:1939) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1940) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1940) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac00a4d0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1940) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1941) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
      type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1941) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xc a1=0x7f69d077e9f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { connectto } for  pid=24578 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2018) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2018) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f4a4400d830 a2=0x10 a3=0x7f4a54e0e100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2018) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2019) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2019) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xc a1=0x7f4a3800a970 a2=0x10 a3=0x7f4a54c0d100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2019) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2020) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2020) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f4a3c0098d0 a2=0x10 a3=0x7f4a54a09100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2020) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2021) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2021) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a38023230 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.593:2021) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.594:2022) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.594:2022) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54c0c9f0 a2=0x6e a3=0x7f4a559fac80 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-1 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:46:15.598:2023) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:46:15.598:2023) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:46:15.598:2023) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.670:2101) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.670:2101) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc40160a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.670:2101) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.671:2102) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.671:2102) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
      type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:47:15.678:2103) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:47:15.678:2103) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xd a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:47:15.678:2103) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2195) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2195) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc8038840 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.747:2195) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2196) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2196) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a4400e600 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.747:2196) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2197) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2197) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7f3be1d9a9f0 a2=0x6e a3=0x7f3be29fac80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.748:2197) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
      ----
      type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2198) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
      type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2198) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x11 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
      type=AVC msg=audit(03/12/2024 00:48:15.748:2198) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 

       

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.33-1.el9.noarch
      selinux-policy-targeted-38.1.33-1.el9.noarch

      fdo-manufacturing-server-0.5.0-2.el9.x86_64
      fdo-owner-cli-0.5.0-2.el9.x86_64
      fdo-owner-onboarding-server-0.5.0-2.el9.x86_64
      fdo-rendezvous-server-0.5.0-2.el9.x86_64
      fdo-client-0.5.0-2.el9.x86_64
      fdo-init-0.5.0-2.el9.x86_64
      fdo-admin-cli-0.5.0-2.el9.x86_64

      How reproducible:

      Steps to reproduce

      1. Deploy a PSI openstack VM with RHEL 9.4 installed (nested virtualization supported)
      2. git clone -b postgres https://github.com/henrywang/rhel-edge.git

      3. cd rhel-edge

      4. DOWNLOAD_NODE=<compose url> ./ostree-simplified-installer.sh

      Expected results

      Success without error

      Actual results

      selinux blocked db connection.

        1. fdo-denials.log
          2.47 MB
        2. journalctl-fdo.txt
          29 kB
        3. run-onboarding-dir.log
          2 kB

              rhn-support-zpytela Zdenek Pytela
              xiaofwan@redhat.com Xiaofeng Wang
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

                Created:
                Updated: