On Mon, 2021-07-26 at 16:38 +0000, Sam Morris via FreeIPA-users wrote:
> If you are running SELinux in enforcing mode then it's possible that
> your script is being confined by the certmonger_t domain, which could
> prevent your file copy from working.
>
> You can search for AVC denials related to certmonger_t with the
> command:
>
> # ausearch --interpret --context certmonger_t
Drat! I briefly considered selinux as being the culprit, but I didn't
delve into it, at all. I don't know why. Here's one of the denials:
type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) : proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffe1d3ee2e0 a1=0x564a48565c60 a2=0x564a48577110 a3=0x564a4857c1c0 items=0 ppid=30743 pid=109480 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc: denied { execute } for pid=109480 comm=certmonger name=podman dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
This is easier to read:

type=AVC msg=audit(1627272976.758:5255): avc: denied { execute } for pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.
> If you see output corresponding to the time certmonger ran your script
> then you're probably hitting this issue. You can also look at the
Also what?! Also WHAAAAT?! lol (your reply was cut off)
> The way I solved it was to set things up so that the script runs in the
> certmonger_unconfined_t domain, which will allow the script to do
> anything. The way to do this is to change the file context of the script
> to certmonger_unconfined_exec_t. I wrote up some notes about how to do
> this here:
Unfortunately, that didn't work.
Is there an SELinux boolean I need to enable to allow certmonger to
execute podman?
--
Ranbir
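The following is an added example, not code from either poster in this thread. It reduces raw or interpreted AVC records (such as the one pasted above) to the tuple that actually matters for a denial, source type, target type, object class and permissions, and prints one TE allow rule per (source, target, class) pair with the permissions merged, much as audit2allow does. The first sample record is the denial from the thread; the second record (a `read` denial for the same pair) is constructed here to show the merging. The `ausearch` invocation in the comments is the one quoted in the thread and assumes you run it as root on the affected host.

```shell
#!/bin/sh
# Added example (not from the thread): collapse AVC denials into SELinux
# TE allow rules so the (source type, target type, class, perms) tuple
# behind each denial is easy to read. audit2allow does the same job; this
# version needs only awk, so it can run on a copied-out audit log.
#
# Live usage on the affected host (assumption: run as root):
#   ausearch --interpret --context certmonger_t | avc_to_allow
# Both --raw and --interpret output carry the key=value fields parsed here.

avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; in_perms = 0; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Permissions sit between "{" and "}" as separate tokens.
            if ($i == "{") { in_perms = 1; continue }
            if ($i == "}") { in_perms = 0; continue }
            if (in_perms) { perms = perms " " $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") src = v
            else if (k == "tcontext") tgt = v
            else if (k == "tclass") cls = v
        }
        if (src == "" || tgt == "" || cls == "") next
        # A context is user:role:type[:level]; the type is the third field.
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " t[3] ":" cls
        if (!(key in acc)) { keys[++nkeys] = key; acc[key] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                acc[key] = acc[key] " " p[j]
            }
    }
    END {
        for (i = 1; i <= nkeys; i++)
            print "allow " keys[i] " {" acc[keys[i]] " };"
    }'
}

# Constructed sample input: the denial quoted in the thread, plus a second
# record (constructed for this example) denying "read" on the same pair.
SAMPLE_AVC='type=AVC msg=audit(1627272976.758:5255): avc: denied { execute } for pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1627272977.101:5256): avc: denied { read } for pid=109480 comm="certmonger" name="podman" dev="dm-0" ino=7421320 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0'

# Run the reducer over the constructed sample and return the rules.
demo() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo
```

Reading the thread's record through this lens: the source type is certmonger_t and the process is still certmonger itself (comm=certmonger, exe=/usr/sbin/certmonger), and the file it is denied `execute` on is podman (container_runtime_exec_t). That suggests certmonger is exec'ing podman directly rather than a script, in which case a certmonger_unconfined_exec_t label on a wrapper script only takes effect if certmonger's configured command is that script. Whichever way you resolve it, re-run the `ausearch` command after the change and confirm the tuple no longer appears before concluding the relabel worked.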