Satellite: SAT-14331

Access to /etc/resolv.conf file is denied by selinux for Puma Webserver when it's a symlink or systemd-resolved is explicitly being used


    • Moderate
    • None

      Description of problem:

      SELinux denies the Puma web server read access to /etc/resolv.conf when Satellite needs to perform a DNS resolution before initiating a connection to subscription.rhsm.redhat.com or cdn.redhat.com.

      This is only observed when /etc/resolv.conf is a symlink to a different file (or when systemd-resolved is explicitly being used).

      Version-Release number of selected component (if applicable):

      Satellite 6.11 ( on RHEL 7 or RHEL 8 )

      How reproducible:

      Always

      Steps to Reproduce:
      1. Install Satellite 6.11 and import a manifest file.

      2. Ensure that /etc/resolv.conf has valid DNS server entries and that the rhsm and cdn URLs resolve without issues.

      3. Execute the following steps:

      1. cp -par /etc/resolv.conf /etc/resolv.conf_orig
      2. cat /etc/resolv.conf > /etc/resolv.conf.manual
      3. rm /etc/resolv.conf
      4. cd /etc/
      5. ln -s resolv.conf.manual resolv.conf
      6. restorecon -RFv /etc/resolv.conf
      7. semanage fcontext -a -t etc_t "/etc/resolv.conf.manual"
      8. restorecon -Fv /etc/resolv.conf.manual
      9. ls -l /etc/resolv.conf* -Z

      Final output:
      lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> resolv.conf.manual
      -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/resolv.conf.manual
      -rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf_orig

      4. Go to the Satellite UI --> Content --> Subscriptions page and observe the behavior.

      Actual results:

      GUI:

      Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)

      production.log:

      2022-11-30T08:05:38 [E|app|bcac0446] Katello::HttpErrors::BadRequest: Failed to open TCP connection to subscription.rhsm.redhat.com:443 (getaddrinfo: Name or service not known)
      bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:262:in `rescue in check_upstream_connection'
      bcac0446 | /usr/share/gems/gems/katello-4.3.0.50/app/controllers/katello/api/v2/api_controller.rb:259:in `check_upstream_connection'

      audit.log:

      type=AVC msg=audit(1669729383.473:15447): avc: denied { read } for pid=2064 comm=70756D612073727620747020303031 name="resolv.conf" dev="dm-0" ino=1224904 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

      Expected results:

      No DNS resolution failures and no SELinux denials.

      Additional info:

      The same issue would happen when someone uses systemd-resolved on a RHEL 7 or RHEL 8 based Satellite.

      It can only be worked around in three ways:

      A) Use nslookup to find the addresses and put the IP/hostname entries for subscription.rhsm.redhat.com and cdn.redhat.com in the /etc/hosts file

      B) Or run SELinux in permissive mode

      C) Or else ensure that /etc/resolv.conf is not a symlink to any other file and that it has the net_conf_t context.
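As an added example (not part of this report or of Satellite), the following shell function checks the condition described in the reproduction steps and in workaround C: it parses an `ls -Z /etc/resolv.conf*` listing in the layout shown above (mode, user, group, context, name) and reports whether the file Puma will actually read, the symlink target if /etc/resolv.conf is a symlink, carries the net_conf_t type. The function name and the sample listings are constructed for this example; the sample mirrors the "Final output" in the steps.

```shell
#!/bin/sh
# resolv_conf_context_check: given an `ls -Z /etc/resolv.conf*` listing on
# stdin-style text in $1, print "ok" when the file that will be read has the
# net_conf_t type, "mismatch:<type>" when it has another type (the SELinux
# denial scenario from this report), or "unknown" when the target is not in
# the listing (e.g. a systemd-resolved stub under /run). Hypothetical helper.
resolv_conf_context_check() {
  printf '%s\n' "$1" | awk '
    {
      # $4 is user:role:type:level; $5 is the path; "->" marks a symlink.
      split($4, ctx, ":")
      type[$5] = ctx[3]
      if ($5 == "/etc/resolv.conf" && $6 == "->") target = $7
    }
    END {
      if (target == "") {
        t = type["/etc/resolv.conf"]           # regular file: read directly
      } else {
        if (target !~ /^\//) target = "/etc/" target   # relative link target
        t = type[target]
      }
      if (t == "") print "unknown"
      else if (t == "net_conf_t") print "ok"
      else print "mismatch:" t
    }'
}

# Constructed sample: the listing from the reproduction steps, where the
# symlink itself is net_conf_t but its target is etc_t.
SAMPLE_SYMLINK_ETC_T='lrwxrwxrwx. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf -> resolv.conf.manual
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/resolv.conf.manual
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf_orig'

# Constructed sample: the layout workaround C asks for (plain file, net_conf_t).
SAMPLE_OK='-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf'

# Live mode: pass --live to inspect the running host instead of the samples.
if [ "${1:-}" = "--live" ]; then
  resolv_conf_context_check "$(ls -Z /etc/resolv.conf* 2>/dev/null)"
fi
```

A result of `mismatch:etc_t` on a live host is the exact state that produced the AVC denial above; relabelling the target with net_conf_t, or replacing the symlink with a regular file as in workaround C, returns it to `ok`.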
