On Mon, 2021-07-26 at 16:38 +0000, Sam Morris via FreeIPA-users
wrote:
type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) : proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0 items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied { execute } for pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
Hm... so that means (I think) that certmonger_t is not allowed to execute things labelled
with container_runtime_exec_t.
I'm surprised setting your script to certmonger_unconfined_exec_t didn't help --
can you try the ausearch command after doing so & confirm that your script is now
running in the certmonger_unconfined_t domain?
There's another approach: set the certmonger_t domain to permissive mode (where it no
longer confines at all). Details at <https://danwalsh.livejournal.com/24537.html>,
but it's a larger hammer than should be needed for this nail...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
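The reasoning in the message above (reading the AVC record's scontext/tcontext/tclass pair together with the SYSCALL record of the same event, and checking permissive=0 to confirm the denial was enforced) as an added example that is not part of the original thread. It is a small audit-record parser written for this note; the sample input is the three records quoted above, reflowed one record per line, and the function and field names are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the three records quoted in the message above, one record per line.
SAMPLE = """\
type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) : proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0 items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied { execute } for pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_audit(text):
    """Group records by event serial: {serial: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (e.g. ausearch '----' separators)
        rtype, _ts, serial, body = m.groups()
        fields = {}
        if rtype == 'AVC' and (a := AVC_RE.search(body)):
            fields['result'], fields['perms'] = a.group(1), a.group(2).split()
            body = a.group(3)
        # Generic key=value split; quoted values (dev="dm-0") are unquoted.
        fields.update({k: v.strip('"') for k, v in FIELD_RE.findall(body)})
        events[serial][rtype] = fields
    return events

def avc_denials(events):
    """One summary per AVC denial, joined with its SYSCALL record (same serial)."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        out.append({
            'serial': serial,
            'enforced': avc.get('permissive') == '0',  # permissive=1: logged, not blocked
            'source_type': avc['scontext'].split(':')[2],  # user:role:TYPE:level
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'target_name': avc.get('name'),
            'exe': sc.get('exe'),
            'syscall': sc.get('syscall'),
        })
    return out
```

Feeding `ausearch -i` output through `parse_audit` and `avc_denials` gives one dict per denial showing the source domain, target type and whether SELinux actually blocked the call, which is the check the message asks for after relabelling the script.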