fdo-rs / fido-device-onboard-rs

An implementation of the FIDO Device Onboard (FDO) spec written in Rust.
BSD 3-Clause "New" or "Revised" License

Selinux blocked FDO pgsql DB connection #644

Open nullr0ute opened 6 months ago

nullr0ute commented 6 months ago

The FDO services fdo-manufacturing-server.service, fdo-owner-onboarding-server.service and fdo-rendezvous-server.service can't connect to the postgres DB. SELinux blocked the connection.

SELinux log:

----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1725) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1725) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f3bc40095b0 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.243:1725) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.249:1726) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.249:1726) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc800b5a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1727) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1727) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d9f0 a2=0x6e a3=0x7f4a4400f3f0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.250:1728) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.250:1728) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be19989f0 a2=0x6e a3=0x7f3bc800cb80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.250:1728) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:43:15.372:1730) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:43:15.372:1730) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54e0d620 a2=0x6e a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:43:15.372:1730) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1852) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1852) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c800d1c0 a2=0x10 a3=0x7f69d037d100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1853) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1853) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f69ac009ce0 a2=0x10 a3=0x7f69d057e100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1853) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1854) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1854) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac008a60 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1854) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:44:15.427:1855) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:44:15.427:1855) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f69d057d9f0 a2=0x6e a3=0x7f69ac00a970 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:44:15.427:1855) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.517:1939) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.517:1939) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f69c801fb00 a2=0x10 a3=0x7f69d077f100 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.517:1939) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1940) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1940) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f69ac00a4d0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.518:1940) : avc:  denied  { search } for  pid=24578 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:45:15.518:1941) : proctitle=/usr/libexec/fdo/fdo-owner-onboarding-server 
type=SYSCALL msg=audit(03/12/2024 00:45:15.518:1941) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xc a1=0x7f69d077e9f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24578 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-owner-onboarding-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { connectto } for  pid=24578 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:45:15.518:1941) : avc:  denied  { write } for  pid=24578 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2018) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2018) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f4a4400d830 a2=0x10 a3=0x7f4a54e0e100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2018) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2019) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2019) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xc a1=0x7f4a3800a970 a2=0x10 a3=0x7f4a54c0d100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2019) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-1 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2020) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2020) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xb a1=0x7f4a3c0098d0 a2=0x10 a3=0x7f4a54a09100 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2020) : avc:  denied  { name_connect } for  pid=24584 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.593:2021) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.593:2021) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a38023230 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.593:2021) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.594:2022) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.594:2022) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f4a54c0c9f0 a2=0x6e a3=0x7f4a559fac80 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-1 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:46:15.594:2022) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:46:15.598:2023) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:46:15.598:2023) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:46:15.598:2023) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.670:2101) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.670:2101) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f3bc40160a0 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.670:2101) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-0 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.671:2102) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.671:2102) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x0 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(03/12/2024 00:47:15.671:2102) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-2 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:47:15.678:2103) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:47:15.678:2103) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xd a1=0x7f3bc800a820 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:47:15.678:2103) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2195) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2195) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bc8038840 a2=0x10 a3=0x7f3be1b9a100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.747:2195) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.747:2196) : proctitle=/usr/libexec/fdo/fdo-manufacturing-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.747:2196) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x7f4a4400e600 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=24584 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.747:2196) : avc:  denied  { search } for  pid=24584 comm=r2d2-worker-1 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2197) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2197) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7f3be1d9a9f0 a2=0x6e a3=0x7f3be29fac80 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-1 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.748:2197) : avc:  denied  { write } for  pid=24579 comm=r2d2-worker-1 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(03/12/2024 00:48:15.748:2198) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server 
type=SYSCALL msg=audit(03/12/2024 00:48:15.748:2198) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xd a1=0x7f3be1b999f0 a2=0x6e a3=0x11 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-2 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(03/12/2024 00:48:15.748:2198) : avc:  denied  { connectto } for  pid=24579 comm=r2d2-worker-2 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1

This is from the downstream SELinux blocking ticket.

runcom commented 6 months ago

The question here is why we're not catching this stuff in CI - our CI should resemble what xiaofeng tests too, and this could have been caught earlier.

nullr0ute commented 6 months ago

Can you also run setsebool httpd_can_network_connect_db 1 on the FDO host to see if that helps with the issue?
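The log above repeats the same handful of access vectors once per r2d2 worker thread and per retry, which makes it hard to see what the fdo_t domain is actually missing. The script below is an added example (not part of fido-device-onboard-rs) that collapses AVC records into distinct (source type, target type, class, permission) tuples and prints the `allow` rules a type-enforcement module would need, which is what `audit2allow` does on a live system. Two things worth reading off the records first: every one carries `permissive=1`, so the domain was permissive when this log was taken and the `connect` calls actually went through (the `EINPROGRESS` exit is a non-blocking connect, not a denial); and the `krb5_keytab_t` and sssd KCM socket denials are most likely (an assumption, not stated in the issue) libpq probing for Kerberos/GSSAPI credentials while opening the connection, not something the FDO servers need. The sample records are copied from the issue's log; `SAMPLE_AVCS`, `avc_summary` and `avc_to_te` are names chosen here.

```shell
#!/bin/sh
# Collapse SELinux AVC denial records into distinct access vectors and emit the
# allow rules a policy module would need. Added example for this issue; it is
# not code from fido-device-onboard-rs. The sample below is copied from the
# issue's audit log (only the type=AVC records; SYSCALL/PROCTITLE lines carry
# no access-vector data), one record per distinct vector plus one repeat.
SAMPLE_AVCS='type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.249:1726) : avc:  denied  { search } for  pid=24579 comm=r2d2-worker-2 name=krb5 dev="vda4" ino=25166781 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { connectto } for  pid=24584 comm=r2d2-worker-0 path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(03/12/2024 00:43:15.250:1727) : avc:  denied  { write } for  pid=24584 comm=r2d2-worker-0 name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=951 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(03/12/2024 00:44:15.427:1852) : avc:  denied  { name_connect } for  pid=24578 comm=r2d2-worker-2 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# avc_summary: read audit records on stdin and print one line per distinct
# "<source type> <target type> <class> <permissions>" with a hit count in
# front. Only type=AVC records containing "denied" are considered; the type is
# the third ":"-separated field of scontext/tcontext, so MLS ranges are ignored.
avc_summary() {
    awk '
    /^type=AVC/ && / denied / {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1)      { split($i, a, ":"); s = a[3] }
            else if (index($i, "tcontext=") == 1) { split($i, b, ":"); t = b[3] }
            else if (index($i, "tclass=") == 1)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        n[s " " t " " c " " perms]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k2
}

# avc_to_te: turn the summary into type-enforcement allow rules, bracing
# permission sets with more than one member ("{ read write }").
avc_to_te() {
    avc_summary | awk '{
        perms = $5
        for (i = 6; i <= NF; i++) perms = perms " " $i
        if (NF > 5) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", $2, $3, $4, perms
    }'
}

# Stand-alone run: the summary, then the rules the log implies.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te
```

On the affected host the live equivalent is `ausearch -m AVC -ts recent | audit2allow -M fdo_local`, reviewed before `semodule -i fdo_local.pp`. Read the generated rules as a list of what the domain touched, not as something to allow wholesale: the `name_connect` on `postgresql_port_t` is the one the servers genuinely need for a TCP postgres backend, whereas the `krb5_keytab_t` and `sssd_t`/`sssd_var_run_t` vectors are candidates for `dontaudit` (or for disabling GSSAPI on the client side, e.g. `gssencmode=disable` in the libpq connection string) if they really do come from Kerberos probing. As for the boolean suggested above: a boolean only changes anything if the policy has rules conditioned on it, so `sesearch -A -s fdo_t -t postgresql_port_t -c tcp_socket -p name_connect` is the check that tells you whether `httpd_can_network_connect_db` (or any other boolean) is wired to fdo_t at all before relying on `setsebool`.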

nullr0ute commented 6 months ago

> The question here is why we're not catching this stuff in CI - our CI should resemble what xiaofeng tests too, and this could have been caught earlier.

I don't believe we have pgsql in CI yet, do we? And sqlite doesn't require TCP/IP connections.

runcom commented 6 months ago

> I don't believe we have pgsql in CI yet, do we? And sqlite doesn't require TCP/IP connections.

We need to have a smoke test for postgres too, or that path is completely untested for users (we can't rely on external tests either); let's get some new issues filed 🕺

7flying commented 6 months ago

We do have an e2e postgresql test, but it was made using containers.