On Mon, Jul 26, 2021 at 7:25 PM Ranbir via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> On Mon, 2021-07-26 at 16:38 +0000, Sam Morris via FreeIPA-users
> wrote:
> > If you are running SELinux in enforcing mode then it's possible that
> > your script is being confined by the certmonger_t domain, which could
> > prevent your file copy from working.
> >
> > You can search for AVC denials related to certmonger_t with the
> > command:
> >
> > # ausearch --interpret --context certmonger_t
>
> Drat! I briefly considered SELinux as being the culprit, but I didn't
> delve into it, at all. I don't know why. Here's one of the denials:
>
> type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) : proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
> type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0 items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied { execute } for pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
>
> This is easier to read:
>
> type=AVC msg=audit(1627272976.758:5255): avc: denied { execute } for pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> > If you see output corresponding to the time certmonger ran your script
> > then you're probably hitting this issue. You can also look at the
>
> Also what?! Also WHAAAAT?! lol (your reply was cut off)
>
> > The way I solved it was to set things up so that the script runs in the
> > certmonger_unconfined_t domain, which will allow the script to do
> > anything. The way to do this is change the file context of the script
> > to certmonger_unconfined_exec_t. I wrote up some notes about how to do
> > this here:
>
> Unfortunately, that didn't work.
>
> Is there an SELinux boolean I need to enable to allow certmonger to
> execute podman?
I don't think so but:
https://bugzilla.redhat.com/show_bug.cgi?id=1777368#c4
contains a list of macros that might be useful in your policy module.
Please continue to post results on the list!
Thanks
François
> --
> Ranbir
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
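As an added example (my own code, not from the thread, certmonger or the SELinux tooling), a small Python parser for the AVC records quoted above, in both the "ausearch --interpret" form and the raw epoch form, that reduces each denial to source domain, target type, object class and permission so denials for one domain such as certmonger_t can be filtered out of a larger audit search. The sample records are copied from this thread; the class and function names are assumptions of mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample input: the records quoted in the thread, one per line as
# ausearch emits them (the mail client had wrapped them).
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) : proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied { execute } for pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1627272976.758:5255): avc: denied { execute } for pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
"""

@dataclass
class AvcDenial:
    event_id: str        # audit serial after the timestamp, e.g. "5255"
    perms: List[str]     # permissions listed inside the { ... } braces
    comm: str            # name of the acting process
    name: Optional[str]  # target object name, if logged
    source_type: str     # SELinux type (domain) of the acting process
    target_type: str     # SELinux type of the object
    tclass: str          # object class (file, dir, ...)
    permissive: bool     # True if the denial was only logged, not enforced

# Matches both the --interpret form ("audit(2021-07-26 ...) : avc:") and the
# raw form ("audit(1627272976.758:5255): avc:").
AVC_RE = re.compile(r"type=AVC msg=audit\((?P<stamp>[^)]*)\)\s*:\s*avc:\s+denied\s+"
                    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context: str) -> str:
    return context.split(":")[2]  # user:role:type[:level] -> type

def parse_avc_denials(text: str) -> List[AvcDenial]:
    """Return one AvcDenial per AVC record; SYSCALL/PROCTITLE lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(
            event_id=m.group("stamp").rsplit(":", 1)[1],
            perms=m.group("perms").split(),
            comm=f.get("comm", ""), name=f.get("name"),
            source_type=_type_of(f["scontext"]),
            target_type=_type_of(f["tcontext"]),
            tclass=f["tclass"], permissive=f.get("permissive") == "1"))
    return denials

def denials_for_domain(text: str, domain: str) -> List[AvcDenial]:
    return [d for d in parse_avc_denials(text) if d.source_type == domain]
```

Running denials_for_domain(SAMPLE_AUDIT_LOG, "certmonger_t") on the sample yields two entries, both recording that certmonger_t was refused execute on a file labelled container_runtime_exec_t with permissive=0, which is exactly what a missing TE allow rule (rather than a boolean) looks like in the audit log.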