On Mon, Jul 26, 2021 at 7:25 PM Ranbir via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Mon, 2021-07-26 at 16:38 +0000, Sam Morris via FreeIPA-users wrote:
> > If you are running SELinux in enforcing mode then it's possible that
> > your script is being confined by the certmonger_t domain, which could
> > prevent your file copy from working.
> >
> > You can search for AVC denials related to certmonger_t with the
> > command:
> >
> > # ausearch --interpret --context certmonger_t
>
>
> Drat! I briefly considered selinux as being the culprit, but I didn't
> delve into it, at all. I don't know why. Here's one of the denials:
>
> type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) :
> proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
> type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64
> syscall=execve success=no exit=EACCES(Permission denied)
> a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0
> items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc:  denied  {
> execute } for  pid=109480 comm=certmonger name=podman dev="dm-0"
> ino=7421320 scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file
> permissive=0
>
>
> This is easier to read:
>
> type=AVC msg=audit(1627272976.758:5255): avc:  denied  { execute } for
> pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file
> permissive=0
>
>         Was caused by:
>                 Missing type enforcement (TE) allow rule.
>
>
> > If you see output corresponding to the time certmonger ran your script
> > then you're probably hitting this issue. You can also look at the
>
>
> Also what?! Also WHAAAAT?! lol (your reply was cut off)
>
>
> > The way I solved it was to set things up so that the script runs in the
> > certmonger_unconfined_t domain, which will allow the script to do
> > anything. The way to do this is change the file context of the script
> > to certmonger_unconfined_exec_t. I wrote up some notes about how to do
> > this here:
>
> Unfortunately, that didn't work.
>
> Is there an selinux boolean I need to enable to allow certmonger to
> execute podman?
>

I don't think so but:
https://bugzilla.redhat.com/show_bug.cgi?id=1777368#c4
contains a list of macros that might be useful in your policy module.
Please continue to post results on the list!

Thanks
François


>
>
> --
> Ranbir
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
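As an added illustration of the AVC record quoted above (this is not code from either poster, nor from FreeIPA or certmonger), the following Python script parses audit-log AVC denial lines, keeps only the ones that were actually enforced (`permissive=0`), and derives the minimal type-enforcement `allow` rule and `.te` module skeleton each denial asks for, which is what `audit2allow -M` would produce for the same input. The sample lines are constructed: two are the certmonger/podman records from the thread re-joined onto single lines as they appear in `/var/log/audit/audit.log`, one is a made-up permissive-mode denial (target type `etc_t`) added to exercise filtering and multi-permission formatting, and one is the SYSCALL record, which the parser must ignore.

```python
"""Parse SELinux AVC denial records and derive the TE allow rule each one implies."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input. Entries 1, 2 and 4 are the records quoted in the thread,
# re-joined onto single lines; entry 3 is a constructed permissive-mode denial.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc:  denied  { execute } for  '
    'pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1627272976.758:5255): avc:  denied  { execute } for  '
    'pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0',
    # constructed: a denial logged while the domain was permissive (not blocked)
    'type=AVC msg=audit(1627272977.001:5260): avc:  denied  { read open } for  '
    'pid=109481 comm="sh" path="/etc/example.conf" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64 '
    'syscall=execve success=no exit=EACCES(Permission denied) comm=certmonger '
    'exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)',
]

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be double-quoted (raw form) or bare (--interpret form)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list[str]
    fields: dict[str, str]

    @staticmethod
    def _type_of(context: str) -> str:
        # SELinux context is user:role:type:level; the TE rule only needs the type
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def enforced(self) -> bool:
        # permissive=0 means the access was really blocked, not just logged
        return self.fields.get("permissive", "0") == "0"

    def allow_rule(self) -> str:
        perms = sorted(self.perms)
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perm_txt};"


def parse_avc(line: str) -> AvcDenial | None:
    """Return the denial described by an audit line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return AvcDenial(m.group("perms").split(), fields)


def collect_denials(lines, enforced_only: bool = True) -> list[AvcDenial]:
    """Parse all lines, optionally drop permissive-mode denials, de-duplicate by rule."""
    denials, seen = [], set()
    for line in lines:
        d = parse_avc(line)
        if d is None or (enforced_only and not d.enforced):
            continue
        if d.allow_rule() not in seen:
            seen.add(d.allow_rule())
            denials.append(d)
    return denials


def policy_module(name: str, denials) -> str:
    """Render a minimal .te module: require block plus one allow rule per denial."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes: dict[str, set[str]] = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [d.allow_rule() for d in denials]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(policy_module("certmonger_podman", collect_denials(SAMPLE_AUDIT_LINES)))
```

Run it as-is and the enforced denial from the thread collapses to a single rule, `allow certmonger_t container_runtime_exec_t:file execute;`, inside a module you could build with `checkmodule`/`semodule_package`. Treat that output as the next question rather than the answer: an `execute` grant on the binary is usually followed by further denials (for example on the `execute_no_trans` permission, or on whatever the script touches once podman is running), so re-run `ausearch` after each `semodule -i` and iterate, and compare the accumulated rules against the file-context approach (`certmonger_unconfined_exec_t`) discussed earlier in the thread before settling on a custom module.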