fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow fido services to connect to postgres database #2062

Closed zpytela closed 1 month ago

zpytela commented 4 months ago

The commit addresses the following AVC denial and subsequently raised ones:

type=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server
type=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
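
As an added example (not code from this pull request or from selinux-policy), the following Python snippet parses AVC records like the one above into their source type, target type, object class and permissions, and prints the raw allow rule each denial would need, in the same spirit as audit2allow. It also reports whether the denial was actually enforced: permissive=1 means the access was only logged, permissive=0 means it was blocked. The two sample records are the ones quoted in this thread, embedded as constructed input so the script runs offline.

```python
import re

# Constructed sample input: the two AVC records quoted in this pull request.
SAMPLE_AVCS = [
    "type=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc: denied { name_connect } "
    "for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 "
    "tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1",
    "type=AVC msg=audit(04/04/2024 20:19:05.912:415) : avc:  denied  { create } for  pid=1 "
    "comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 "
    "tclass=netlink_netfilter_socket permissive=0",
]

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1: the kernel logged the denial but let the access through
        "enforced": fields.get("permissive") == "0",
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "dest": fields.get("dest"),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """Build the raw TE allow rule that would permit this denied access."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    if tgt == src:
        tgt = "self"  # same-type access is written as 'self' in TE policy
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{rec['tclass']} {perm_str};"


def summarize(lines):
    """Parse every AVC line and return (rule, enforced) pairs in input order."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((allow_rule(rec), rec["enforced"]))
    return out


if __name__ == "__main__":
    for rule, enforced in summarize(SAMPLE_AVCS):
        status = "BLOCKED" if enforced else "logged only (permissive)"
        print(f"{status:26} {rule}")
```

In a real policy module the first rule would normally be expressed through the corresponding corenetwork interface (corenet_tcp_connect_postgresql_port(fdo_t)) rather than as a raw allow, so that the port type stays encapsulated; the raw form is what the tool prints so that the reader can see exactly which triple the denial names.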

packit-as-a-service[bot] commented 3 months ago

Cockpit tests failed for commit 3bdc61b6ff9e06bfe4e0475bcbc64bdc1fe6acb2. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 3 months ago

Cockpit tests failed for commit a9a0e6dcf8fea0dee7024d6f8e620921519b1d86. @martinpitt, @jelly, @mvollmer please check.

martinpitt commented 3 months ago

The rawhide test failed because TestLogin.testSELinuxRestrictedUser caused this SELinux rejection:

type=AVC msg=audit(04/04/2024 20:19:05.912:415) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

However, that is totally coincidental -- that test doesn't actively fiddle with pid 1 and firewall, it's probably background activity that just happened at that time. The previous run has the same failure but in TestLogin.testPamAccess.

The journal doesn't have much activity around that message though.

zpytela commented 3 months ago

> The rawhide test failed because TestLogin.testSELinuxRestrictedUser caused this SELinux rejection:
>
> type=AVC msg=audit(04/04/2024 20:19:05.912:415) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
>
> However, that is totally coincidental -- that test doesn't actively fiddle with pid 1 and firewall, it's probably background activity that just happened at that time. The previous run has the same failure but in TestLogin.testPamAccess.
>
> The journal doesn't have much activity around that message though.

That's funny as this permission has actually been allowed since 4 months ago.