Bug 2087069

| Summary: | After upgrading system to RHEL 8.6, insights-client fails to run when it's triggered via systemd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Riya Banerjee <ribanerj> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.6 | CC: | abhinn, achadha, afarley, anuk, cj, clnetbox, cmarinea, derek.tc.lee, draeath, fjansen, gchamoul, jangerrit.kootstra, jbreitwe, jkwek, john.sincock, jrichards2, lvrabec, marc.mccoombe, marc, matt.bebsz, matthew.lesieur, mgoyal, miabbott, mmalik, ngupta, pakotvan, paulds, perobins, peter.vreman, reynolds, sam, sebastien.girard, shivagup, ssekidde, stomsa, tony, vlblink, vvasilev, wouter, wpinheir, zpytela |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | 8.7 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-99.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2089435 2103606 | Environment: | |
| Last Closed: | 2022-11-08 10:44:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2063195 | | |
| Bug Blocks: | 2089435, 2103606, 2119507, 2121125 | | |
| Attachments: | | | |

Commits to backport:
commit 6197cb94284ecfa1465e2b2bb7b45d6a1078e734 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed May 18 15:59:51 2022 +0200
    Allow insights-client search gconf homedir
commit aee08f8a99f2a82640e12e250d055cea4caf52be
Author: Zdenek Pytela <zpytela>
Date:   Wed May 18 15:52:09 2022 +0200
    Allow insights-client create and use unix_dgram_socket

*** Bug 2088463 has been marked as a duplicate of this bug. ***

*** Bug 2091407 has been marked as a duplicate of this bug. ***

Created attachment 1885494
insights-journal-rhel-8
RHEL 8 : Insights related journal entries

Created attachment 1885495
insights-journal-rhel-9
RHEL 9 : Insights related journal entries

$ systemctl list-unit-files | grep insights
insights-client-results.path enabled
insights-client-boot.service disabled
insights-client-results.service static
insights-client.service static
insights-client.timer enabled

Enabling/Starting insights-client-boot.service fails.

Pathetic. When I start insights-client via systemctl, I get hundreds of these spamming logs.

...
Jul 29 14:20:58 audctstmr002 setroubleshoot[17424]: SELinux is preventing /usr/bin/netstat from read access on the file igmp.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that netstat should be allowed read access on the igmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'netstat' --raw | audit2allow -M my-netstat#012# semodule -X 300 -i my-netstat.pp#012
...
Jul 29 14:20:58 audctstmr002 setroubleshoot[17424]: SELinux is preventing /usr/libexec/platform-python3.6 from execute access on the file /usr/sbin/dmsetup. For complete SELinux messages run: sealert -l d9a4b5b8-f5b8-4de6-8f24-dcb0b4ff77e1
...
Jul 29 14:22:55 audctstmr002 setroubleshoot[17424]: SELinux is preventing /usr/bin/ls from getattr access on the file /usr/lib/systemd/system/systemd-timedated.service.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that ls should be allowed getattr access on the systemd-timedated.service file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ls' --raw | audit2allow -M my-ls#012# semodule -X 300 -i my-ls.pp#012
...
etc

insights-client is running netstat, dmsetup, chkconfig, ls and many other progs, and they're all spamming /var/log/messages with spurious warnings (selinux is in permissive mode).

This is on a fully updated el8.6 vm:

# rpm -q selinux-policy insights-client
selinux-policy-3.14.3-95.el8.noarch
insights-client-3.1.7-5.el8.noarch

I've done a full filesystem autorelabel, and still this. It's just hopeless. Utterly hopeless. How is anyone supposed to notice any REAL issues in their logs, when things like this are spamming them full of such garbage?

What's the name of this thing again? "Insights" isn't it. Maybe change the name to "RRO" Red Hat Rootkit Obscurer, or "RHH" Red Hat Hacker Hider.

I mean, just look at this:

[root@audctstmr002 07-29 14:42:57 ~]# cat /var/log/messages | grep "Jul 29 14:2" | grep setrouble | wc -l
4308

4300+ lines of logspam, from one run of insights-client. How is this acceptable?

Or is it just me, have I got an se-linux broken VM? Or, well, an se-linux broken VM template, which I've then cloned to create a bunch of broken VMs. What is going on?

A workaround is to disable enforcement for insights_client_t:

# semanage permissive -a insights_client_t

Such local customizations can be audited with:

# semanage export

Once selinux-policy is fixed, this can be undone with:

# semanage permissive -d insights_client_t

permissive mode does not prevent the logs being spammed with 1000's of useless messages which drown out everything else.

New issue : Since a few days rhcd.service causes close to 100 % CPU usage after starting a (RHEL 8 / RHEL 9) system.

setroubleshoot[2255]: SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1983 root 20 0 899380 43372 15212 S 99,3 0,2 0:40.85 rhc-worker-play

Christian,

Can you attach audit.log or ausearch output?

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Also note we now have bz#2119351 for new rhcd issues in RHEL 9, so if this is your case, please rather update there.

(In reply to Zdenek Pytela from comment #46)
> Christian,
>
> Can you attach audit.log or ausearch output?
>
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>
> Also note we now have bz#2119351 for new rhcd issues in RHEL 9, so if this
> is your case, please rather update there.

Hi Zdenek,

What I reported occurs on all RHEL 8.6 and RHEL 9.0 systems. I can't access the bug you mentioned : You are not authorized to access bug #2119351.

As a workaround I had disabled rhcd.service, and after manually starting the service, CPU usage is extremely high and the fans are "running wild".

I have cleared /var/log/audit/audit.log, then started rhcd.service, and waited about 5 minutes to give you the exact information you asked me for.

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(22.08.2022 11:35:41.535:261) : proctitle=/usr/bin/chronyc sources
type=EXECVE msg=audit(22.08.2022 11:35:41.535:261) : argc=2 a0=/usr/bin/chronyc a1=sources
type=SYSCALL msg=audit(22.08.2022 11:35:41.535:261) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeb8105f8f a1=0x7ffeb81049e8 a2=0x7ffeb8104a00 a3=0x8 items=0 ppid=3294 pid=3295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc: denied { read write } for pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:38:53.364:301) : proctitle=/usr/bin/chronyc sources
type=EXECVE msg=audit(22.08.2022 11:38:53.364:301) : argc=2 a0=/usr/bin/chronyc a1=sources
type=SYSCALL msg=audit(22.08.2022 11:38:53.364:301) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffd8a03ff8f a1=0x7ffd8a03e338 a2=0x7ffd8a03e350 a3=0x8 items=0 ppid=6444 pid=6445 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:38:53.364:301) : avc: denied { read write } for pid=6445 comm=chronyc path=/dev/pts/2 dev="devpts" ino=5 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.096:302) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:39:02.096:302) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f39177c3550 a1=0x7fff821364c0 a2=0x7fff821364c0 a3=0x1 items=0 ppid=1 pid=7136 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.096:302) : avc: denied { search } for pid=7136 comm=insights-client name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.138:303) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:39:02.138:303) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f52706bc190 a1=0x7ffe15cec400 a2=0x7ffe15cec400 a3=0x1 items=0 ppid=7136 pid=7140 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.138:303) : avc: denied { search } for pid=7140 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.214:304) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:39:02.214:304) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f525fc35490 a1=0x7ffe15ce8db0 a2=0x7ffe15ce8db0 a3=0x1 items=0 ppid=7136 pid=7140 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.214:304) : avc: denied { search } for pid=7140 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.445:305) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:39:02.445:305) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f8da2583be0 a1=0x7ffdd54f3bc0 a2=0x7ffdd54f3bc0 a3=0x1 items=0 ppid=7136 pid=7156 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.445:305) : avc: denied { search } for pid=7156 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.536:306) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:39:02.536:306) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f8d90f57390 a1=0x7ffdd54f0570 a2=0x7ffdd54f0570 a3=0x1 items=0 ppid=7136 pid=7156 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.536:306) : avc: denied { search } for pid=7156 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:02.830:307) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:39:02.830:307) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f39062dc790 a1=0x7fff82133560 a2=0x7fff82133560 a3=0x1 items=0 ppid=1 pid=7136 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:02.830:307) : avc: denied { search } for pid=7136 comm=insights-client name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:39:03.029:308) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:39:03.029:308) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f390171c910 a2=O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC a3=0x1b6 items=0 ppid=1 pid=7136 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:39:03.029:308) : avc: denied { open } for pid=7136 comm=insights-client path=/var/log/insights-client/insights-client.log dev="dm-0" ino=70374993 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:13.982:310) : proctitle=/usr/bin/chronyc sources
type=EXECVE msg=audit(22.08.2022 11:40:13.982:310) : argc=2 a0=/usr/bin/chronyc a1=sources
type=SYSCALL msg=audit(22.08.2022 11:40:13.982:310) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffe29c90f8f a1=0x7ffe29c90c68 a2=0x7ffe29c90c80 a3=0x8 items=0 ppid=7563 pid=7564 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:13.982:310) : avc: denied { read write } for pid=7564 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.234:311) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:40:16.234:311) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f62ea862550 a1=0x7ffd0af8f5f0 a2=0x7ffd0af8f5f0 a3=0x1 items=0 ppid=1 pid=7993 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.234:311) : avc: denied { search } for pid=7993 comm=insights-client name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.277:312) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:40:16.277:312) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ff9d1742190 a1=0x7fffd9162cb0 a2=0x7fffd9162cb0 a3=0x1 items=0 ppid=7993 pid=8001 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.277:312) : avc: denied { search } for pid=8001 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.355:313) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:40:16.355:313) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ff9c0cbb490 a1=0x7fffd915f660 a2=0x7fffd915f660 a3=0x1 items=0 ppid=7993 pid=8001 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.355:313) : avc: denied { search } for pid=8001 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.585:314) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:40:16.585:314) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fbc8c5b0be0 a1=0x7ffd3e33c150 a2=0x7ffd3e33c150 a3=0x1 items=0 ppid=7993 pid=8014 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.585:314) : avc: denied { search } for pid=8014 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.681:315) : proctitle=/usr/libexec/platform-python -c from insights.client import InsightsClient; print(InsightsClient(None, False).version())
type=SYSCALL msg=audit(22.08.2022 11:40:16.681:315) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fbc7af84390 a1=0x7ffd3e338b00 a2=0x7ffd3e338b00 a3=0x1 items=0 ppid=7993 pid=8014 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.681:315) : avc: denied { search } for pid=8014 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:16.994:316) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:40:16.994:316) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f62d937b7d0 a1=0x7ffd0af8c690 a2=0x7ffd0af8c690 a3=0x1 items=0 ppid=1 pid=7993 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:16.994:316) : avc: denied { search } for pid=7993 comm=insights-client name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(22.08.2022 11:40:17.209:317) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --check-results
type=SYSCALL msg=audit(22.08.2022 11:40:17.209:317) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f62d47bb910 a2=O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC a3=0x1b6 items=0 ppid=1 pid=7993 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:40:17.209:317) : avc: denied { open } for pid=7993 comm=insights-client path=/var/log/insights-client/insights-client.log dev="dm-0" ino=70374993 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

Regards,
Christian

(In reply to Christian Labisch from comment #47)
> > Also note we now have bz#2119351 for new rhcd issues in RHEL 9, so if this
> > is your case, please rather update there.
>
> Hi Zdenek,
>
> What I reported occurs on all RHEL 8.6 and RHEL 9.0 systems. I can't access
> the bug you mentioned : You are not authorized to access bug #2119351.

Christian,

you are right, sorry for that, but in your output it does not seem to be any SELinux-related problem with rhcd.

> As a workaround I had disabled rhcd.service, and after manually starting the
> service, CPU usage is extremely high and the fans are "running wild".

I don't have much information, just based on experience this usually happens when setroubleshoot starts for each individual denial. If it rather is a rhcd problem, it needs to be resolved separately.

> I have cleared /var/log/audit/audit.log, then started rhcd.service, and

I suppose this still means starting using systemd, not from a commandline, note there is a substantial difference so I'm rather doublechecking.

> waited about 5 minutes to give you the exact information you asked me for.
>
> $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

One chronyc and 2 insights-client denials should be addressed by the next build.

Updates should be available in bz#2119507.
Current updates refer to bz#2119507 (insights-client) and bz#2119351 (rhcd).

(In reply to Zdenek Pytela from comment #50)
> (In reply to Christian Labisch from comment #47)
> > > Also note we now have bz#2119351 for new rhcd issues in RHEL 9, so if this
> > > is your case, please rather update there.
> >
> > Hi Zdenek,
> >
> > What I reported occurs on all RHEL 8.6 and RHEL 9.0 systems. I can't access
> > the bug you mentioned : You are not authorized to access bug #2119351.
> Christian,
>
> you are right, sorry for that, but in your output it does not seem to be any
> SELinux-related problem with rhcd.
>
> > As a workaround I had disabled rhcd.service, and after manually starting the
> > service, CPU usage is extremely high and the fans are "running wild".
> I don't have much information, just based on experience this usually happens
> when setroubleshoot starts for each individual denial. If it rather is a
> rhcd problem, it needs to be resolved separately.
>
> > I have cleared /var/log/audit/audit.log, then started rhcd.service, and
> I suppose this still means starting using systemd, not from a commandline,
> note there is a substantial difference so I'm rather doublechecking.
>
> > waited about 5 minutes to give you the exact information you asked me for.
> >
> > $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> One chronyc and 2 insights-client denials should be addressed by the next
> build.
>
> Updates should be available in bz#2119507.
> Current updates refer to bz#2119507 (insights-client) and bz#2119351 (rhcd).

Hi Zdenek,

The CPU issue only appears when rhcd.service is started or enabled. Maybe you can double check with Mohit Goyal from the Insights team ?

@mgoyal : Besides the SELinux issues, running insights-client manually still takes a long time to finish on RHEL 8.6 systems.

Regards,
Christian

RHEL 8.6 : selinux-policy 3.14.3-95.el8_6.4 -> Failed to start Check for insights from Red Hat Cloud Services.

SELinux is preventing /usr/libexec/platform-python3.6 from rename access on the file insights-client.log.
SELinux is preventing /usr/libexec/platform-python3.6 from unlink access on the file insights-client.log.3

RHEL 9.0 : selinux-policy 34.1.29-1.el9_0.2 -> Failed to start Check for insights from Red Hat Cloud Services.

SELinux is preventing /usr/bin/python3.9 from write access on the file insights-client.pid.
SELinux is preventing /usr/bin/python3.9 from rename access on the file insights-client.log.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

Description of problem:
After upgrading system to RHEL 8.6, insights-client fails to run when it is triggered via systemd. No issue when it is run manually from CLI.

Version-Release number of selected component (if applicable):
8.6

Status of insights-client service after the upgrade from 8.4 to 8.6:
~~~
# systemctl status insights-client.service
● insights-client.service - Insights Client
   Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2022-05-17 01:41:35 EDT; 2h 56min ago
     Docs: man:insights-client(8)
  Process: 83312 ExecStartPost=/bin/bash -c echo 1G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes (code=exited, status=0/SUCCESS)
  Process: 83311 ExecStartPost=/bin/bash -c echo 2G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes (code=exited, status=0/SUCCESS)
  Process: 83310 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=1/FAILURE)
 Main PID: 83310 (code=exited, status=1/FAILURE)

May 17 01:41:34 system1.redhat.com systemd[1]: Starting Insights Client...
May 17 01:41:34 system1.redhat.com systemd[1]: Started Insights Client.
May 17 01:41:35 system1.redhat.com insights-client[83310]: No GPG-verified eggs can be found
May 17 01:41:35 system1.redhat.com systemd[1]: insights-client.service: Main process exited, code=exited, status=1/FAILURE
May 17 01:41:35 system1.redhat.com systemd[1]: insights-client.service: Failed with result 'exit-code'.
~~~

Running insights-client from the CLI works:
~~~
# insights-client
Starting to collect Insights data for XXXX
Uploading Insights data.
Successfully uploaded report from XXXX to account XXXX.
View details about this system on console.redhat.com:
https://console.redhat.com/insights/inventory/XXXX
~~~
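
The ausearch output in this report repeats the same few denials many times. As an added example (not code from the bug report or from Red Hat), the Python below groups AVC lines from `ausearch -i` output by source domain, target type and object class, and counts how many were actually blocked versus only logged under a permissive domain. It assumes one audit record per line, as ausearch prints them; the function names are this example's own, the first five sample records are copied from the output in this report, and the last one is constructed.

```python
import re
from collections import defaultdict

# Records 1-5 are AVC lines copied from the ausearch output in this report.
# The last record is constructed (its target type is an assumption) to show
# a denial that is logged but not enforced because permissive=1.
SAMPLE = """\
type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc: denied { read write } for pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(22.08.2022 11:38:53.364:301) : avc: denied { read write } for pid=6445 comm=chronyc path=/dev/pts/2 dev="devpts" ino=5 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(22.08.2022 11:39:02.096:302) : avc: denied { search } for pid=7136 comm=insights-client name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(22.08.2022 11:39:02.138:303) : avc: denied { search } for pid=7140 comm=platform-python name=.local dev="dm-0" ino=100664796 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(22.08.2022 11:39:03.029:308) : avc: denied { open } for pid=7136 comm=insights-client path=/var/log/insights-client/insights-client.log dev="dm-0" ino=70374993 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(29.07.2022 14:20:58.000:100) : avc: denied { read } for pid=17000 comm=netstat name=igmp dev="proc" ino=4026532000 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            # A context is user:role:type:level; policy rules match on the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            # permissive=1 means the access was logged but still allowed.
            "enforced": fields.get("permissive", "0") == "0",
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def summarize(text):
    """Collapse repeated denials into one entry per (source, target, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0, "blocked": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["count"] += 1
        g["blocked"] += int(rec["enforced"])
    return {
        key: {"perms": sorted(g["perms"]), "comms": sorted(g["comms"]),
              "count": g["count"], "blocked": g["blocked"]}
        for key, g in groups.items()
    }


def render(summary):
    """One line per unique denial, most frequent first."""
    lines = []
    for (src, tgt, cls), g in sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        perms = " ".join(g["perms"])
        comms = ",".join(g["comms"])
        lines.append(f"{g['count']}x {src} -> {tgt}:{cls} {{ {perms} }} blocked={g['blocked']} comm={comms}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```
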