Bug 2063195

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | insights-client-results.service gets selinux denials and permission denied | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Priscila Gutierres <prgutier> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 8.6 | CC | cj, clnetbox, gchamoul, jafiala, jbreitwe, lvrabec, mmalik, mvollmer, pakotvan, peter.vreman, pmendezh, sam, sigbjorn.lie, ssekidde, unwosu, vchepkov, vvasilev, zpytela |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | 8.7 | Flags | pm-rhel: mirror+ |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.14.3-99.el8 | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | 2062136 | Environment | |
| Last Closed | 2022-11-08 10:44:11 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2062136 | | |
| Bug Blocks | 2022191, 2070323, 2087069, 2089435, 2109244 | | |
| Attachments | | | |
This also gets avc denials when trying to look up cert-api.access.redhat.com with the following denial message:

~~~
avc: denied { write } for pid=148559 comm="platform-python" laddr=172.31.0.8 lport=48971 faddr=172.31.0.1 fport=53 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket permissive=0
~~~
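A small triage helper, added here as an example (it is not code from this bug, from insights-client or from the selinux-policy project), that parses AVC records like the one above into (source type, target type, class) with the permissions that were denied and renders the allow rules they would need, which is what audit2allow does for you. The first sample line is the denial quoted above; the other lines are constructed for this example and only reuse type names that appear elsewhere in this bug (gconf_home_t, var_run_t). Rules produced this way are a starting point for investigation rather than something to load as-is: the shipped policy often grants the access through an attribute or a boolean, and the right fix can be a label change instead of a new allow rule.

```python
import re
from collections import defaultdict

# Sample audit records. The first is the denial quoted in the comment above;
# the remaining lines are constructed for this example and only reuse type
# names that appear elsewhere in the bug (gconf_home_t, var_run_t). The
# SYSCALL line is there to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
avc: denied { write } for pid=148559 comm="platform-python" laddr=172.31.0.8 lport=48971 faddr=172.31.0.1 fport=53 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket permissive=0
avc: denied { search } for pid=148600 comm="platform-python" name=".local" dev="dm-0" ino=4242 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
avc: denied { write } for pid=148601 comm="platform-python" name="insights-client.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
avc: denied { unlink } for pid=148601 comm="platform-python" name="insights-client.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1663883696.210:9001): arch=c000003e syscall=87 success=no exit=-13 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:insights_client_t:s0
"""

# One AVC record: decision, permission set, source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
PERMISSIVE_RE = re.compile(r"\bpermissive=(?P<flag>[01])")


def context_type(context):
    """user:role:type[:level] -> type (the third field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PERMISSIVE_RE.search(line)
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not blocked
        "permissive": bool(p and p.group("flag") == "1"),
    }


def summarize_denials(audit_text):
    """Collapse denials into {(source, target, class): {permissions}}."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(needed):
    """Render the summary as policy-language allow rules (audit2allow style)."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if tgt == src else tgt
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a real system the input would come from `ausearch -m avc -ts recent` (as a later attachment in this bug does) rather than from the embedded sample. Note how the two var_run_t records merge into one rule with both permissions, and how a denial whose target type equals the source type is rendered with the `self` keyword.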
(In reply to Charles Surett from comment #2)
> This also gets avc denials when trying to look up cert-api.access.redhat.com
> with the following denial message
>
> avc: denied { write } for pid=148559 comm="platform-python"
> laddr=172.31.0.8 lport=48971 faddr=172.31.0.1 fport=53
> scontext=system_u:system_r:insights_client_t:s0
> tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket
> permissive=0

This one is expected to be fixed as a part of bz#2087069

(In reply to Zdenek Pytela from comment #3)
> (In reply to Charles Surett from comment #2)
> > This also gets avc denials when trying to look up cert-api.access.redhat.com
> > with the following denial message
> >
> > avc: denied { write } for pid=148559 comm="platform-python"
> > laddr=172.31.0.8 lport=48971 faddr=172.31.0.1 fport=53
> > scontext=system_u:system_r:insights_client_t:s0
> > tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket
> > permissive=0
>
> This one is expected to be fixed as a part of bz#2087069

It actually was bz#2073395, there is a build selinux-policy-3.14.3-98.el8 which addresses it.

Created attachment 1885492 [details]
insights-journal-rhel-8
RHEL 8 : Insights related journal entries
Created attachment 1885493 [details]
insights-journal-rhel-9
RHEL 9 : Insights related journal entries
~~~
$ systemctl list-unit-files | grep insights
insights-client-results.path enabled
insights-client-boot.service disabled
insights-client-results.service static
insights-client.service static
insights-client.timer enabled
~~~

Enabling/Starting insights-client-boot.service fails.

For my AWS systems with RHEL8.6 I needed all the rules below to have an SELinux-clean run of insights-client from systemd:

~~~
allow insights_client_t gconf_home_t:dir search;
allow insights_client_t hostname_exec_t:file { getattr open read execute };
allow insights_client_t systemd_notify_exec_t:file { getattr open read execute };
~~~

The PR attached to this BZ only includes the gconf_home_t one; can you please confirm that the proposed fix will also fix the other 2 rules?
The permissions are in the current policy version:

~~~
rhel87# rpm -q selinux-policy
selinux-policy-3.14.3-105.el8.noarch
rhel87# sesearch -A -s insights_client_t -t gconf_home_t -c dir -p search
allow insights_client_t file_type:dir { getattr ioctl lock open read search };
allow insights_client_t gconf_home_t:dir { getattr open search };
allow insights_client_t non_security_file_type:dir { getattr ioctl lock open read search };
rhel87# sesearch -A -s insights_client_t -t hostname_exec_t -c file -p getattr,open,read,execute
allow insights_client_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow insights_client_t hostname_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow insights_client_t non_security_file_type:file { getattr ioctl lock open read };
rhel87#
rhel87# sesearch -A -s insights_client_t -t systemd_notify_exec_t -c file -p getattr,open,read,execute
allow insights_client_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow insights_client_t non_security_file_type:file { getattr ioctl lock open read };
~~~

It is important though to test actual scenarios as implementation in the policy may not be that straightforward, e.g. include transitions.
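To make the attribute point concrete, here is an added example (not code from this bug or from the selinux-policy project) that checks the three rules the reporter needed against the rules sesearch printed above. Notice that systemd_notify_exec_t never appears as a concrete target in the sesearch output: the execute permission is granted because that type carries the exec_type attribute, so the check expands attributes before comparing. The attribute membership table below is a constructed assumption standing in for what `seinfo -x -a exec_type` would list on a real system. A fourth requirement on admin_home_t, taken from the audit2allow output later in this bug, is included to show what a real gap looks like. Type transitions and booleans, which the comment above warns about, are not modelled.

```python
import re

# Constructed attribute membership for this example. On a real system the
# authoritative list comes from the loaded policy (for example
# `seinfo -x -a exec_type`); these sets are an assumption that only needs
# to be right for the types used below.
ATTRIBUTES = {
    "exec_type": {"hostname_exec_t", "systemd_notify_exec_t"},
    "file_type": {"gconf_home_t", "hostname_exec_t", "systemd_notify_exec_t",
                  "var_run_t", "admin_home_t"},
    "non_security_file_type": {"gconf_home_t", "hostname_exec_t",
                               "systemd_notify_exec_t", "var_run_t",
                               "admin_home_t"},
}

# Rules exactly as sesearch printed them in the comment above (source: this bug).
INSTALLED_RULES = """\
allow insights_client_t file_type:dir { getattr ioctl lock open read search };
allow insights_client_t gconf_home_t:dir { getattr open search };
allow insights_client_t non_security_file_type:dir { getattr ioctl lock open read search };
allow insights_client_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow insights_client_t hostname_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow insights_client_t non_security_file_type:file { getattr ioctl lock open read };
"""

# The three rules the reporter needed (source: this bug) plus one on
# admin_home_t taken from the audit2allow output later in the bug.
REQUIRED_RULES = """\
allow insights_client_t gconf_home_t:dir search;
allow insights_client_t hostname_exec_t:file { getattr open read execute };
allow insights_client_t systemd_notify_exec_t:file { getattr open read execute };
allow insights_client_t admin_home_t:file { create link unlink write };
"""

# `allow src tgt:cls perm;` or `allow src tgt:cls { perm perm ... };`
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<multi>[^}]*)\}|(?P<single>\w+))\s*;"
)


def parse_rules(text):
    """Turn allow-rule lines into (src, tgt, cls, {perms}) tuples."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            perms = set((m.group("multi") or m.group("single")).split())
            rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def rule_covers(rule, src, tgt, cls):
    """True if an installed rule applies to (src, tgt, cls). The rule's
    target may be a concrete type, an attribute, or the keyword self."""
    rsrc, rtgt, rcls, _ = rule
    if rsrc != src or rcls != cls:
        return False
    if rtgt == "self":
        return tgt == src
    return tgt == rtgt or tgt in ATTRIBUTES.get(rtgt, set())


def granted_perms(installed, src, tgt, cls):
    """Union of permissions every matching installed rule grants."""
    perms = set()
    for rule in installed:
        if rule_covers(rule, src, tgt, cls):
            perms |= rule[3]
    return perms


def find_gaps(required_text, installed_text):
    """Map each required (src, tgt, cls) to the permissions nothing grants."""
    installed = parse_rules(installed_text)
    gaps = {}
    for src, tgt, cls, perms in parse_rules(required_text):
        lacking = perms - granted_perms(installed, src, tgt, cls)
        if lacking:
            gaps[(src, tgt, cls)] = lacking
    return gaps


if __name__ == "__main__":
    for key, perms in find_gaps(REQUIRED_RULES, INSTALLED_RULES).items():
        print("not granted:", key, sorted(perms))
```

With the sample data, only the admin_home_t:file requirement is reported: non_security_file_type grants read-type access on it, but none of create, link, unlink or write. The three rules the reporter asked about are all covered, two of them directly and the systemd_notify_exec_t one through exec_type, which is the situation the sesearch output above documents.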
The BZ mentions 'Fixed In Version: selinux-policy-3.14.3-99.el8'. The above results are from selinux-policy-3.14.3-105.el8.noarch.
The above results are for RHEL8.7 and I need RHEL8.6-EUS.
It is now already 3+ months since RHEL8.6 is out and this major issue is still not fixed.

(In reply to Peter Vreman from comment #19)
> The BZ mentions 'Fixed In Version: selinux-policy-3.14.3-99.el8'. The above
> results are from selinux-policy-3.14.3-105.el8.noarch.
> The above results are for RHEL8.7 and I need RHEL8.6-EUS.

This is a RHEL 8.7 bz so I checked the latest package available.
I've just also checked in RHEL 8.6.z with selinux-policy-3.14.3-95.el8_6.3: the results are the same as the policy was backported completely; the same applies to 9.1 and 9.0.z.

> It is now already 3+ months since RHEL8.6 is out and this major issue is still
> not fixed.

The PR attached to this bz contains just an initial commit before it was fully reproduced with different scenarios.
The actual fix contained 36 commits and also a change in the insights-client package.
I am sorry it took quite a long time to gather all relevant information, spread into multiple bugzillas, and deliver a fix for all of them. The issue as such was more convoluted than expected.

The RHEL 8.6 bz is in the verified state since August 5th.
https://bugzilla.redhat.com/show_bug.cgi?id=2103606

(In reply to Zdenek Pytela from comment #20)
> (In reply to Peter Vreman from comment #19)
> > The BZ mentions 'Fixed In Version: selinux-policy-3.14.3-99.el8'. The above
> > results are from selinux-policy-3.14.3-105.el8.noarch.
> > The above results are for RHEL8.7 and I need RHEL8.6-EUS.
> This is a RHEL 8.7 bz so I checked the latest package available.
> I've just also checked in RHEL 8.6.z with selinux-policy-3.14.3-95.el8_6.3
> the results are the same as the policy was backported completely, the same
> applies to 9.1 and 9.0.z.
>
> > It is now already 3+ months since RHEL8.6 is out and this major issue is still
> > not fixed.
> The PR attached to this bz contains just an initial commit before it was
> fully reproduced with different scenarios.
> The actual fix contained 36 commits and also a change in the insights-client
> package.
> I am sorry it took quite a long time to gather all relevant information,
> spread into multiple bugzillas, and deliver a fix for all of them. The issue
> as such was more convoluted than expected.
>
> The RHEL 8.6 bz is in the verified state since August 5th.
> https://bugzilla.redhat.com/show_bug.cgi?id=2103606

When will selinux-policy-3.14.3-95.el8_6.3 be available, Zdenek? The latest I see is selinux-policy-3.14.3-95.el8_6.1, which I have installed. As of today nothing changed ... the issues are still occurring.

~~~
insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.
SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory .local.
SELinux is preventing /usr/libexec/platform-python3.6 from open access on the file /var/log/insights-client/insights-client.log.
~~~

~~~
$ sudo dnf list installed | grep selinux-policy
selinux-policy.noarch 3.14.3-95.el8_6.1
selinux-policy-targeted.noarch 3.14.3-95.el8_6.1
~~~

(In reply to Christian Labisch from comment #21)
> When will selinux-policy-3.14.3-95.el8_6.3 be available, Zdenek? The latest
> I see is selinux-policy-3.14.3-95.el8_6.1, which I have installed. As of
> today nothing changed ... the issues are still occurring.

The next RHEL 8.6 batch update has 2022-09-13 as a release date, but an earlier (async) update was requested. I can keep you informed if you wish.

(In reply to Zdenek Pytela from comment #22)
> (In reply to Christian Labisch from comment #21)
> > When will selinux-policy-3.14.3-95.el8_6.3 be available, Zdenek? The latest
> > I see is selinux-policy-3.14.3-95.el8_6.1, which I have installed. As of
> > today nothing changed ... the issues are still occurring.
>
> The next RHEL 8.6 batch update has 2022-09-13 as a release date, but an
> earlier (async) update was requested. I can keep you informed if you wish.

Thank you, Zdenek! Not necessary to inform me, I check for updates on a daily basis. The earlier the new version ships, the better ... :)

Sharing just in case that selinux-policy-3.14.3-95.el8_6.4 has been released as an update for RHEL 8.6.

(In reply to Zdenek Pytela from comment #24)
> Sharing just in case that selinux-policy-3.14.3-95.el8_6.4 has been released
> as an update for RHEL 8.6.

Thank you, Zdenek! :)

Here are the latest messages after having installed the new selinux-policy builds.

RHEL 8.6 : selinux-policy 3.14.3-95.el8_6.4 ->

~~~
Failed to start Check for insights from Red Hat Cloud Services.
SELinux is preventing /usr/libexec/platform-python3.6 from rename access on the file insights-client.log.
SELinux is preventing /usr/libexec/platform-python3.6 from unlink access on the file insights-client.log.3
~~~

RHEL 9.0 : selinux-policy 34.1.29-1.el9_0.2 ->

~~~
Failed to start Check for insights from Red Hat Cloud Services.
SELinux is preventing /usr/bin/python3.9 from write access on the file insights-client.pid.
SELinux is preventing /usr/bin/python3.9 from rename access on the file insights-client.log.
~~~

FYI, I have selinux-policy-3.14.3-95.el8_6.4.noarch installed and the audit log is full with insights_client_t related entries. I will attach a file instead of posting it all here.

Created attachment 1908611 [details]
output of ausearch -m avc -ts yesterday
Even with the latest selinux-policy rpm mentioned above, the following error is logged in /var/log/insights-client/insights-client.log:

~~~
2022-09-22 21:34:56,210 DEBUG insights.client.archive Deleting previous archive /var/tmp/insights-client/insights-archive-709_dedr
2022-09-22 21:34:56,210 ERROR insights.client.phase.v1 Fatal error
Traceback (most recent call last):
  File "/var/lib/insights/last_stable.egg/insights/client/phase/v1.py", line 32, in _f
    func(client, config)
  File "/var/lib/insights/last_stable.egg/insights/client/phase/v1.py", line 314, in collect_and_output
    insights_archive = client.collect()
  File "/var/lib/insights/last_stable.egg/insights/client/__init__.py", line 72, in _init_connection
    return func(self, *args, **kwargs)
  File "/var/lib/insights/last_stable.egg/insights/client/__init__.py", line 392, in collect
    tar_file = client.collect(self.config)
  File "/var/lib/insights/last_stable.egg/insights/client/client.py", line 294, in collect
    archive = InsightsArchive(config)
  File "/var/lib/insights/last_stable.egg/insights/client/archive.py", line 49, in __init__
    self.tmp_dir = tempfile.mkdtemp(dir=constants.insights_tmp_path, prefix='insights-archive-')
  File "/usr/lib64/python3.6/tempfile.py", line 370, in mkdtemp
    _os.mkdir(file, 0o700)
PermissionError: [Errno 13] Permission denied: '/var/tmp/insights-client/insights-archive-fx6qh0qz'
2022-09-22 21:34:56,537 DEBUG insights_client Attempt failed.
~~~

This in turn causes the Insights advisory: "System is not able to get the latest recommendations and may miss bug fixes when the Insights Client Core egg file is outdated".
Adding the following contexts:

~~~
require {
	type firewalld_t;
	type syslogd_var_run_t;
	type ipp_port_t;
	type lvm_control_t;
	type krb5_keytab_t;
	type certmonger_t;
	type random_device_t;
	type var_run_t;
	type devlog_t;
	type node_t;
	type semanage_store_t;
	type insights_client_etc_t;
	type admin_home_t;
	type vsock_device_t;
	type insights_client_t;
	class file { create getattr link map read unlink write };
	class tcp_socket name_connect;
	class process setrlimit;
	class vsock_socket create;
	class sock_file write;
	class dbus send_msg;
	class chr_file { read write };
	class udp_socket node_bind;
}

#============= insights_client_t ==============
allow insights_client_t admin_home_t:file { create link unlink write };
allow insights_client_t certmonger_t:dbus send_msg;
allow insights_client_t devlog_t:sock_file write;
allow insights_client_t firewalld_t:dbus send_msg;
allow insights_client_t insights_client_etc_t:file create;
allow insights_client_t ipp_port_t:tcp_socket name_connect;
allow insights_client_t krb5_keytab_t:file getattr;
allow insights_client_t lvm_control_t:chr_file { read write };
allow insights_client_t node_t:udp_socket node_bind;
allow insights_client_t random_device_t:chr_file read;
allow insights_client_t self:process setrlimit;
allow insights_client_t self:vsock_socket create;
allow insights_client_t semanage_store_t:file read;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow insights_client_t syslogd_var_run_t:file map;
allow insights_client_t var_run_t:file { unlink write };
allow insights_client_t vsock_device_t:chr_file read;
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7691

Commit to backport:

~~~
commit dc53081a9d62404d6ce075321a54bb720a2dc69d (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed May 18 20:45:14 2022 +0200

    Label /var/cache/insights with insights_client_cache_t
~~~