
Selinux blocked FDO pgsql DB connection #644

Open
nullr0ute opened this issue Mar 12, 2024 · 5 comments
Assignees
Labels
bug Something isn't working dependencies Pull requests that update a dependency file distro Distro related things such as packaging manufacturing Anything to do with the manufacturing client/service/APIs/protocol onboarding Anything to do with the onboarding service rendevous Anything to do with the rendevous service services-configurations RFEs for services configuration

Comments

@nullr0ute
Contributor

nullr0ute commented Mar 12, 2024

The FDO services fdo-manufacturing-server.service, fdo-owner-onboarding-server.service and fdo-rendezvous-server.service can't connect to the postgres DB. SELinux blocked the connection.

SELinux log:

----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1725) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1725) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f3bc40095b0 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.243:1725) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.249:1726) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc800b5a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1727) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d9f0 a2=0x6e a3=0x7f4a4400f3f0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1728) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1728) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be19989f0 a2=0x6e a3=0x7f3bc800cb80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.250:1728) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.372:1730) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.372:1730) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d620 a2=0x6e a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.372:1730) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1852) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1852) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c800d1c0 a2=0x10 a3=0x7f69d037d100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1853) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1853) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f69ac009ce0 a2=0x10 a3=0x7f69d057e100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1853) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1854) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1854) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac008a60 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1854) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1855) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1855) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f69d057d9f0 a2=0x6e a3=0x7f69ac00a970 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1855) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.517:1939) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.517:1939) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c801fb00 a2=0x10 a3=0x7f69d077f100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.517:1939) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1940) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1940) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac00a4d0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.518:1940) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1941) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1941) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xc a1=0x7f69d077e9f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { connectto } for  pid=24578 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2018) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2018) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f4a4400d830 a2=0x10 a3=0x7f4a54e0e100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2018) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2019) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2019) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xc a1=0x7f4a3800a970 a2=0x10 a3=0x7f4a54c0d100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2019) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2020) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2020) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f4a3c0098d0 a2=0x10 a3=0x7f4a54a09100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2020) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2021) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2021) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a38023230 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2021) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.594:2022) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.594:2022) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54c0c9f0 a2=0x6e a3=0x7f4a559fac80 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-1 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.598:2023) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.598:2023) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.598:2023) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.670:2101) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.670:2101) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc40160a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.670:2101) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.671:2102) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.671:2102) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.678:2103) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.678:2103) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xd a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.678:2103) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2195) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2195) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc8038840 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.747:2195) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2196) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2196) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a4400e600 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.747:2196) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2197) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2197) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7f3be1d9a9f0 a2=0x6e a3=0x7f3be29fac80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.748:2197) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2198) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2198) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x11 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.748:2198) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1

This is from a downstream SELinux blocking ticket.

@nullr0ute nullr0ute self-assigned this Mar 12, 2024
@nullr0ute nullr0ute added bug Something isn't working dependencies Pull requests that update a dependency file services-configurations RFEs for services configuration manufacturing Anything to do with the manufacturing client/service/APIs/protocol rendevous Anything to do with the rendevous service onboarding Anything to do with the onboarding service distro Distro related things such as packaging labels Mar 12, 2024
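To triage a dump like the one above when audit2allow is not at hand, here is an added Python example (not code from this issue or from the FDO project) that parses the ausearch -i style AVC records, groups them by cause, and renders the equivalent allow rules. The sample records are copied from the log in this issue; the grouping assumes that the postgresql_port_t name_connect denials are what blocks the DB connection, while the krb5_keytab_t and KCM-socket denials are Kerberos credential lookups that belong to a separate rule set.

```python
import re
from collections import Counter

# Five records from the log quoted in this issue (ausearch -i format).
SAMPLE_AUDIT = """\
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

# Matches the permission set and the key=value tail of an AVC denial record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")

# Target types that mean "Kerberos credential lookup", not the DB port itself.
KERBEROS_TYPES = {"krb5_keytab_t", "sssd_t", "sssd_var_run_t"}


def sel_type(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; PROCTITLE/SYSCALL lines give None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Values in these records contain no spaces, so a whitespace split is safe.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "source": sel_type(fields["scontext"]),
        "target": sel_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", "?"),
    }


def classify(denial):
    """Label a denial by what the process was trying to reach."""
    if denial["tclass"] == "tcp_socket" and denial["target"] == "postgresql_port_t":
        return "postgres-connect"
    if denial["target"] in KERBEROS_TYPES:
        return "kerberos-credentials"
    return "other"


def summarize(text):
    """Count (source, target, class, perm) tuples and denials per cause.

    Also reports whether every record carries permissive=1, i.e. the denials
    were only logged and the calls actually succeeded when captured.
    """
    counts, by_cause, all_permissive = Counter(), Counter(), True
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        all_permissive = all_permissive and d["permissive"]
        by_cause[classify(d)] += 1
        for perm in d["perms"]:
            counts[(d["source"], d["target"], d["tclass"], perm)] += 1
    return counts, by_cause, all_permissive


def te_rules(counts):
    """Render the allow rules covering the counted denials (what audit2allow would emit)."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)


if __name__ == "__main__":
    counts, by_cause, permissive = summarize(SAMPLE_AUDIT)
    print("per cause:", dict(by_cause), "| all permissive:", permissive)
    print("\n".join(te_rules(counts)))
```

In enforcing mode the same name_connect denial makes connect() to port 5432 fail with EACCES rather than the EINPROGRESS seen here, so the permissive=1 flag on every record is the sign that the capture was made before enforcement, not that the services would keep working.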
@runcom
Contributor

runcom commented Mar 12, 2024

the question here is why we're not catching this stuff in CI - our CI should resemble what xiaofeng tests too and this could have been caught earlier

@nullr0ute
Contributor Author

Can you also run setsebool httpd_can_network_connect_db 1 on the FDO host to see if that helps with the issue?

@nullr0ute
Contributor Author

the question here is why we're not catching this stuff in CI - our CI should resemble what xiaofeng tests too and this could have been caught earlier

I don't believe we have pgsql in CI yet do we? And sqlite doesn't require TCP/IP connections.

@runcom
Contributor

runcom commented Mar 12, 2024

I don't believe we have pgsql in CI yet do we? And sqlite doesn't require TCP/IP connections.

we need to have a smoke test for postgres too or that path is completely untested for users (we can't rely on external tests either), let's get some new issues filed 🕺

@7flying
Contributor

7flying commented Mar 19, 2024

we do have an e2e postgresql test but made using containers
