Bug 2031853

Summary: [RfE] The insights client should not run as unconfined process
Product: Red Hat Enterprise Linux 8
Reporter: Thorsten Scherf <tscherf>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 8.5
CC: cmarinea, gchamoul, lvrabec, mmalik, nknazeko, ssekidde, vmojzis, zpytela
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.6
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-93.el8
Doc Type: Enhancement
Clone Of:
: 2055823
Last Closed: 2022-05-10 15:15:45 UTC
Type: Bug
Bug Blocks: 2055823

Description Thorsten Scherf 2021-12-13 15:07:43 UTC
Description of problem:
The insights client [1] that we ship as part of Red Hat Enterprise Linux currently runs as an unconfined process:

# ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 115618 ? 00:00:00 insights-client
[...]

We should provide a policy for the tool and make sure it runs in a confined domain.

[1] https://access.redhat.com/products/red-hat-insights

Additional info:
The CIS benchmark recommends not running any unconfined process (see "1.7.1.5 Ensure no unconfined services exist").
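
The check quoted in the description, as an added example (not part of the original report or of the selinux-policy project): a shell function that matches the SELinux type field exactly in `ps -eZ` output and returns a non-zero status when any process runs as unconfined_service_t, so it can gate a compliance job. The function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: report processes in the unconfined_service_t domain.
# Input has the layout of `ps -eZ`: LABEL PID TTY TIME CMD.

# find_unconfined_services (hypothetical name): reads `ps -eZ` output on
# stdin and prints "PID CMD" for every process of type unconfined_service_t.
find_unconfined_services() {
    awk '
        NR == 1 && $1 == "LABEL" { next }   # skip the header row
        {
            # A context is user:role:type:level. The level may contain
            # further colons (s0-s0:c0.c1023), so only fields 1-3 are fixed.
            n = split($1, ctx, ":")
            if (n >= 4 && ctx[3] == "unconfined_service_t")
                print $2, $5
        }
    '
}

# audit_unconfined_services (hypothetical name): same input, but returns 0
# when nothing is found and 1 (after listing the offenders) otherwise.
audit_unconfined_services() {
    found=$(find_unconfined_services)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample, modelled on the line quoted in the report.
sample_ps_output() {
    cat <<'EOF'
LABEL                                PID TTY          TIME CMD
system_u:system_r:init_t:s0            1 ?        00:00:03 systemd
system_u:system_r:unconfined_service_t:s0 115618 ? 00:00:00 insights-client
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023 1034 ? 00:00:00 sshd
EOF
}

# Run against the sample; on a real host use: ps -eZ | audit_unconfined_services
sample_ps_output | audit_unconfined_services || echo "unconfined services present (sample data)"
```

After the updated selinux-policy package is installed and the service restarted, the same audit run against live `ps -eZ` output should no longer list insights-client.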

Comment 4 Zdenek Pytela 2022-02-11 15:48:15 UTC
To backport:
commit e479d461525b1f8f923063494aa98ccea0584f51
Author: Nikola Knazekova <nknazeko>
Date:   Tue Feb 8 13:33:30 2022 +0100

    New policy for insight-client

Comment 20 errata-xmlrpc 2022-05-10 15:15:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995