Bug 2062136

Summary: insights-client-results.service gets selinux denials and permission denied

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 9 |
| Reporter | Marius Vollmer <mvollmer> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 9.0 |
| CC | arthur, gchamoul, john.sincock, link, lvrabec, mmalik, pakotvan, ssekidde |
| Target Milestone | rc |
| Keywords | AutoVerified, Triaged |
| Target Release | 9.1 |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-34.1.34-1.el9 |
| Doc Type | No Doc Update |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 2063195 (view as bug list) |
| Environment | |
| Last Closed | 2022-11-15 11:13:14 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2022191, 2063195, 2070323, 2070584, 2070588, 2070595, 2109244 |
Description
Marius Vollmer
2022-03-09 08:58:41 UTC
I believe our special insights-client.conf might be responsible for this:

```
Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 insights-client[21919]: ('Connection aborted.', PermissionError(13, 'Permission denied'))
```

The rest look like they would happen with any configuration. "setenforce 0" makes it all work. "systemctl start insights-client" with "setenforce 0" produces an enormous amount of audit messages.

I think the insights-client.service is locked down way too much to do its work, but we don't really test that in our Cockpit integration tests; we only test "insights-client --register".

Commit to backport:

```
commit dc53081a9d62404d6ce075321a54bb720a2dc69d (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed May 18 20:45:14 2022 +0200

    Label /var/cache/insights with insights_client_cache_t
```

Two additional commits:

```
commit 8a8304e2450ca0469ec11dba65fb5e861290d9b7 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:41 2022 +0200

    Allow insights-client manage gpg admin home content

commit 2fb3759dc63754b1a24530e092ec5a5750ac2983
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:14 2022 +0200

    Add the gpg_manage_admin_home_content() interface
```

I am also seeing these warnings on EL8:

```
type=AVC msg=audit(1658977094.28:30589): avc: denied { open } for pid=1356008 comm="rhsmcertd-worke" path="/etc/insights-client/machine-id" dev="dm-0" ino=6295833 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:insights_client_etc_t:s0 tclass=file permissive=1
```

Like almost every other Red Hat product or service, this is a massive PITA. This rhsmcertd, and the insights client and everything related to them, are utter garbage. Do you people not understand that if selinux is spamming logs with nonsense warnings that should not occur, then warnings that SHOULD stand out instead get buried? This mess is UNACCEPTABLE. Clean it up. Thank you.
With the newest update, we now see these messages:

```
# insights-client --version
Client: 3.1.7
Core: 3.0.292-1
# rpmquery selinux-policy-targeted
selinux-policy-targeted-34.1.42-1.el9.noarch
```

```
audit: type=1400 audit(1662419602.268:5): avc: denied { read } for pid=22327 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419602.268:6): avc: denied { open } for pid=22327 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419603.324:7): avc: denied { read } for pid=22362 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419603.352:8): avc: denied { open } for pid=22362 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419642.140:9): avc: denied { write } for pid=22853 comm="virsh" name="virtqemud-sock-ro" dev="tmpfs" ino=1002 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1662419642.153:10): avc: denied { connectto } for pid=22853 comm="virsh" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419658.331:13): avc: denied { write } for pid=23097 comm="multipath" name="multipath" dev="vda4" ino=41972252 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419658.345:14): avc: denied { add_name } for pid=23097 comm="multipath" name="bindings" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419658.345:15): avc: denied { create } for pid=23097 comm="multipath" name="bindings" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419658.345:16): avc: denied { write } for pid=23097 comm="multipath" name="bindings" dev="vda4" ino=42089166 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:lvm_metadata_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419658.378:17): avc: denied { setrlimit } for pid=23097 comm="multipath" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
audit: type=1400 audit(1662419658.445:18): avc: denied { read write } for pid=23097 comm="multipath" name="control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:19): avc: denied { open } for pid=23097 comm="multipath" path="/dev/mapper/control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:20): avc: denied { ioctl } for pid=23097 comm="multipath" path="/dev/mapper/control" dev="devtmpfs" ino=130 ioctlcmd=0xfd00 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:21): avc: denied { ipc_info } for pid=23097 comm="multipath" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
audit: type=1400 audit(1662419673.609:22): avc: denied { connectto } for pid=22470 comm="platform-python" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419705.020:23): avc: denied { map } for pid=23244 comm="journalctl" path="/var/log/journal/227513444fff487885ec02c30b0bf18e/system.journal" dev="vda4" ino=1718552 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.164:24): avc: denied { setrlimit } for pid=23336 comm="podman" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
audit: type=1400 audit(1662419708.262:25): avc: denied { write } for pid=23336 comm="podman" name="bolt_state.db" dev="vda4" ino=1663668 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.273:26): avc: denied { map } for pid=23336 comm="podman" path="/var/lib/containers/storage/libpod/bolt_state.db" dev="vda4" ino=1663668 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.273:27): avc: denied { mounton } for pid=23336 comm="podman" path="/var/lib/containers/storage/overlay" dev="vda4" ino=26193460 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:28): avc: denied { write } for pid=23336 comm="podman" name="overlay" dev="vda4" ino=26193460 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:29): avc: denied { mknod } for pid=23336 comm="podman" capability=27 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=1
audit: type=1400 audit(1662419708.288:30): avc: denied { add_name } for pid=23336 comm="podman" name="backingFsBlockDev.tmp" scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:31): avc: denied { create } for pid=23336 comm="podman" name="backingFsBlockDev.tmp" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1662419708.288:32): avc: denied { remove_name } for pid=23336 comm="podman" name="backingFsBlockDev.tmp" dev="vda4" ino=26553595 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419714.463:43): avc: denied { write } for pid=23458 comm="sealert" name="setroubleshoot_server" dev="tmpfs" ino=1378 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1662419714.525:44): avc: denied { connectto } for pid=23458 comm="sealert" path="/run/setroubleshoot/setroubleshoot_server" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419725.304:45): avc: denied { read } for pid=23930 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419725.371:46): avc: denied { open } for pid=23930 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
```

Here is a new BZ which will address the findings listed in comment #36:

* https://bugzilla.redhat.com/show_bug.cgi?id=2124549

When you find any SELinux denials related to insights-client programs, please add them into BZ#2124549. Thank you.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283
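The denials quoted in this thread are the raw material a policy engineer aggregates before deciding which are policy gaps and which are a process doing something its domain was never meant to cover. The following added example (not code from this bug, from selinux-policy, or from insights-client) does that aggregation offline in the way `audit2allow` summarises AVC records: it parses each `avc: denied` line into source type, target type, object class and permissions, unions the permissions per (source, target, class) triple, renders them as TE allow rules, and separately lists source domains other than `insights_client_t`, because a denial in `gpg_t` cannot be fixed by granting more to the insights domain. The sample lines are copied from the comment above, plus the non-AVC journal line from the description to show that it is skipped; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample records: the first four are copied from the AVC denials quoted in the
# comment above; the last is the non-AVC journal line from the description and
# is included only to show that the parser ignores it.
SAMPLE_LINES = [
    'audit: type=1400 audit(1662419602.268:5): avc: denied { read } for pid=22327 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1',
    'audit: type=1400 audit(1662419602.268:6): avc: denied { open } for pid=22327 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1',
    'audit: type=1400 audit(1662419642.153:10): avc: denied { connectto } for pid=22853 comm="virsh" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(1662419658.445:18): avc: denied { read write } for pid=23097 comm="multipath" name="control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1',
    "Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 insights-client[21919]: ('Connection aborted.', PermissionError(13, 'Permission denied'))",
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access went ahead and every later denial of
        # the same run is visible; in enforcing mode only the first would show.
        "permissive": fields.get("permissive") == "1",
    }


def aggregate(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the aggregated denials as TE allow rules, audit2allow style."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


def foreign_domains(rules, own_domain="insights_client_t"):
    """Source domains other than own_domain: these denials need a rule in that
    other domain's policy (here gpg_t), not more permissions for own_domain."""
    return sorted({src for (src, _, _) in rules} - {own_domain})


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LINES)
    print("\n".join(allow_rules(agg)))
    print("source domains other than insights_client_t:", foreign_domains(agg))
```

The rendered rules are a triage summary, not something to load with `semodule` as-is: a rule such as `insights_client_t` writing `lvm_metadata_t` or mounting on `container_ro_file_t` says that the collector is running tools (multipath, podman) whose own domains already hold those permissions, which points at a missing domain transition rather than a missing grant, and the closing comment asks for exactly these findings to be reported to BZ#2124549 instead of patched locally.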