Cockpit: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed

Created on 23 Nov 2019  路  9Comments  路  Source: cockpit-project/cockpit

Cockpit version: 207
OS: Fedora 31


Throws an error on server if accessing cockpit with https://ip:9090 from browser.

systemd[1]: Starting Cockpit Web Service...
systemd[1]: Started Cockpit Web Service.
cockpit-tls[1117]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
cockpit-tls[1117]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
cockpit-tls[1117]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied
> ls -laZ /run/cockpit/wsinstance/https-factory.sock
srw-------. 1 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0 0 /run/cockpit/wsinstance/https-factory.sock

>ps aux | grep -i cockpit
cockpit-ws              1440  0.0  0.0   8512  4096 ?        Ss   cockpit-tls

It runs when I disable SELINUX:

/etc/sysconfig/selinux
   SELINUX=permissive
>cat /var/log/audit/audit.log | grep -i /https-factory.sock
type=AVC msg=audit: avc:  denied  { connectto } for  pid=1080 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

I've upgraded from Fedora 29 to Fedora 31.

Does anyone know how to fix it? Thanks.

question

Most helpful comment

This just got posted as https://bugzilla.redhat.com/show_bug.cgi?id=1777001 with a solution. Apparently https://github.com/fedora-selinux/selinux-policy-contrib/pull/161 still hasn't made it to Fedora 31 yet.

Please run the following to fix it locally:

sudo dnf install policycoreutils-python-utils
sudo dnf reinstall cockpit-ws

After that it should work. I'll fix the dependency for today's release.

All 9 comments

What's your selinux-policy-targeted version? This was fixed in https://github.com/fedora-selinux/selinux-policy-contrib/pull/114 and landed in Fedora 31 months ago.

Name         : selinux-policy-targeted
Version      : 3.14.4
Release      : 40.fc31
Architecture : noarch
Size         : 50 M
Source       : selinux-policy-3.14.4-40.fc31.src.rpm
Repository   : @System
From repo    : updates
Summary      : SELinux targeted base policy
URL          : https://github.com/fedora-selinux/selinux-policy
License      : GPLv2+
Description  : SELinux Reference policy targeted base module.

I'm having the same problem, running fedora 31 on a raspberry pi 3.

type=AVC msg=audit(1574680880.801:335): avc:  denied  { connectto } for  pid=2317 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Name         : selinux-policy-targeted
Version      : 3.14.4
Release      : 42.fc31
Architecture : noarch
Size         : 50 M
Source       : selinux-policy-3.14.4-42.fc31.src.rpm
Repository   : @System
From repo    : updates-testing
Summary      : SELinux targeted base policy
URL          : https://github.com/fedora-selinux/selinux-policy
License      : GPLv2+
Description  : SELinux Reference policy targeted base module.

So for both of you the problem is that the violation says the target context for accessing https-factory.sock is

tcontext=system_u:system_r:unconfined_service_t:s0

although your ls -lZ says otherwise:

system_u:object_r:cockpit_var_run_t:s0

The latter is correct. At the moment I have no idea why that would happen.

@ColinKinloch : What is your situation? Did you also update from an earlier Fedora? How/when exactly? I either need a way to reproduce this (like starting from some standard Fedora VM image and doing some steps), or could I get temporary SSH access to these boxes to investigate this more closely? (my public SSH key)

In my case it was a relatively recent installation of this image after fiddling with rootless podman containers:

https://dl.fedoraproject.org/pub/fedora-secondary/releases/31/Spins/aarch64/images/Fedora-Minimal-31-1.9.aarch64.raw.xz

I had the same problem with just the fedora and updates repo and then with the updates-testing repo added.

ls -laZ /run/cockpit/wsinstance/https-factory.sock outputs:

srw-------. 1 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0 0 Nov 26 13:22 /run/cockpit/wsinstance/https-factory.sock

This just got posted as https://bugzilla.redhat.com/show_bug.cgi?id=1777001 with a solution. Apparently https://github.com/fedora-selinux/selinux-policy-contrib/pull/161 still hasn't made it to Fedora 31 yet.

Please run the following to fix it locally:

sudo dnf install policycoreutils-python-utils
sudo dnf reinstall cockpit-ws

After that it should work. I'll fix the dependency for today's release.

@martinpitt , thanks! Works.

I've activated SELINUX. Called:

dnf update
dnf install policycoreutils-python-utils
dnf reinstall cockpit-ws

Same here on a new installed Fedora 31 Cloud Base Image.

After

sudo dnf install cockpit
sudo systemctl enable --now cockpit.socket

as suggested here https://cockpit-project.org/running

it was needed to also apply

dnf install policycoreutils-python-utils
dnf reinstall cockpit-ws

to make cockpit accessable.

@martinpitt Thanks!

In 5.7.9-200.fc32.x86_64 # with SELinux disabled I'm getting these errors:

sestatus
SELinux status:                 disabled

Package policycoreutils-python-utils-3.0-2.fc32.noarch is already installed.

Jul 20 20:08:39 myserver systemd[1]: Starting Cockpit Web Service...
Jul 20 20:08:39 myserver remotectl[1922081]: /usr/bin/chcon: can't apply partial context to unlabeled file '/etc/cockpit/ws-certs.
d/0-self-signed.cert'
Jul 20 20:08:39 myserver remotectl[1922080]: remotectl: couldn't change SELinux type context 'etc_t' for certificate: /etc/cockpit
/ws-certs.d/0-self-signed.cert: Child process exited with code 1
Jul 20 20:08:39 myserver systemd[1]: Started Cockpit Web Service.
Jul 20 20:08:39 myserver systemd[1]: Started Cockpit Web Service http-redirect instance.
Jul 20 20:08:39 myserver cockpit-ws[1922085]: received invalid HTTP request line
Jul 20 20:08:43 myserver kernel: Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7
Jul 20 20:09:09 myserver cockpit-ws[1922085]: received invalid HTTP request line
Jul 20 20:09:15 myserver kernel: RPC: fragment too large: 1735489335
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver systemd[1]: Starting Socket for Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41
e4649b934ca495991b7852b855.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: connect(https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b
7852b855.sock) failed on the first attempt: Permission denied
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: connect(https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b
7852b855.sock) failed on the first attempt: Permission denied
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version
was received.
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version
was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version
was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance factory (PID 1922082/UID 970).
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver cockpit-tls[1922082]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupported version was received.
Jul 20 20:09:17 myserver systemd[1]: Listening on Socket for Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Jul 20 20:09:17 myserver systemd[1]: Started Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Jul 20 20:09:17 myserver systemd[1]: [email protected]: Succeeded.
Jul 20 20:09:17 myserver systemd[1]: [email protected]: Succeeded.
Jul 20 20:09:17 myserver systemd[1]: [email protected]: Succeeded.
Jul 20 20:09:17 myserver systemd[1]: [email protected]: Succeeded.
Jul 20 20:09:17 myserver cockpit-ws[1922085]: couldn't read from connection: Error performing TLS handshake: A packet with illegal or unsupported version was received.
Jul 20 20:09:23 myserver kernel: RPC: fragment too large: 369295616
Jul 20 20:09:23 myserver kernel: RPC: fragment too large: 369295618
Jul 20 20:09:23 myserver kernel: RPC: fragment too large: 369295618

Was this page helpful?
0 / 5 - 0 ratings