On Mon, Jul 26, 2021 at 7:25 PM Ranbir via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On Mon, 2021-07-26 at 16:38 +0000, Sam Morris via FreeIPA-users wrote:
> > If you are running SELinux in enforcing mode then it's possible that
> > your script is being confined by the certmonger_t domain, which could
> > prevent your file copy from working.
> >
> > You can search for AVC denials related to certmonger_t with the
> > command:
> >
> > # ausearch --interpret --context certmonger_t
>
> Drat! I briefly considered SELinux as being the culprit, but I didn't
> delve into it at all. I don't know why. Here's one of the denials:
>
> type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) :
> proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
> type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64
> syscall=execve success=no exit=EACCES(Permission denied)
> a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0
> items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied {
> execute } for pid=109480 comm=certmonger name=podman dev="dm-0"
> ino=7421320 scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file
> permissive=0
>
> This is easier to read:
>
> type=AVC msg=audit(1627272976.758:5255): avc: denied { execute } for
> pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file
> permissive=0
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> > If you see output corresponding to the time certmonger ran your script
> > then you're probably hitting this issue. You can also look at the
>
> Also what?! Also WHAAAAT?!

lol (your reply was cut off)

> > The way I solved it was to set things up so that the script runs in the
> > certmonger_unconfined_t domain, which will allow the script to do
> > anything. The way to do this is change the file context of the script
> > to certmonger_unconfined_exec_t. I wrote up some notes about how to do
> > this here:
>
> Unfortunately, that didn't work.
>
> Is there an SELinux boolean I need to enable to allow certmonger to
> execute podman?

I don't think so, but https://bugzilla.redhat.com/show_bug.cgi?id=1777368#c4 contains a list of macros that might be useful in your policy module.

Please continue to post results on the list!

Thanks
François

> --
> Ranbir
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
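Added example, not code from the thread, from certmonger or from FreeIPA: a small POSIX shell script that takes an AVC denial line like the one Ranbir posted, in either the `ausearch --interpret` form or the raw audit.log form, and produces the `allow` rule plus the minimal policy-module source that "Missing type enforcement (TE) allow rule" points to. That is the narrow alternative to running the whole hook as certmonger_unconfined_t. The sample denial is constructed to match the thread's; the module name certmonger_podman and the hook path in the trailing comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, certmonger or FreeIPA): turn an AVC
# denial line into the type-enforcement allow rule it says is missing and
# wrap it in a minimal .te module. Module name and script path are made up.

# Constructed sample input, shaped like the raw denial quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1627272976.758:5255): avc:  denied  { execute } for  pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=value or KEY="value" (quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permissions listed between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr -s ' ' | sed 's/^ //; s/ $//'
}

# selinux_type CONTEXT: the type component of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: "allow <src_type> <tgt_type>:<class> { <perms> };"
# Returns 1 when a field is missing, so a SYSCALL or PROCTITLE record is
# never turned into a bogus rule.
avc_to_allow() {
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# te_module NAME LINE: minimal .te source in the shape `audit2allow -M`
# writes, with the require block the rule needs.
te_module() {
    rule=$(avc_to_allow "$2") || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$(selinux_type "$(avc_field "$2" scontext)")"
    printf '\ttype %s;\n' "$(selinux_type "$(avc_field "$2" tcontext)")"
    printf '\tclass %s { %s };\n}\n\n' "$(avc_field "$2" tclass)" "$(avc_perms "$2")"
    printf '%s\n' "$rule"
}

# Stand-alone demo: the module source the quoted denial calls for.
te_module certmonger_podman "$SAMPLE_AVC"

# On the affected host (not run here) the same result with the real tools:
#   ausearch --interpret --context certmonger_t       # confirm which denials fire
#   ausearch -c certmonger --raw | audit2allow -M certmonger_podman
#   semodule -i certmonger_podman.pp
# Expect more denials once the execve succeeds (podman needs far more than
# "execute" on its binary); repeat the cycle until the hook completes.
# The unconfined route from the thread, for a hook at an assumed path:
#   semanage fcontext -a -t certmonger_unconfined_exec_t /usr/local/bin/renew-hook.sh
#   restorecon -v /usr/local/bin/renew-hook.sh
```

Read each generated rule before loading it: audit2allow and this script reproduce whatever the denial asked for, and a later iteration may ask for a domain transition or file writes that are broader than the hook actually needs. The per-denial rules stay auditable in a way the certmonger_unconfined_t approach does not.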