Bug 2103606

Summary: After upgrading system to RHEL 8.6, insights-client fails to run when it's triggered via systemd [rhel-8.6.0.z]
Product: Red Hat Enterprise Linux 8
Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 8.6
CC: afarley, anuk, cj, cmarinea, derek.tc.lee, fjansen, gchamoul, jafiala, jbreitwe, jrichards2, lvrabec, marc, matt.bebsz, matthew.lesieur, mgoyal, mmalik, pakotvan, perobins, peter.vreman, reynolds, sam, shivagup, ssekidde, stomsa, tony, vvasilev, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-95.el8_6.3
Doc Type: Bug Fix
Doc Text:
.Permissions for `insights-client` added to the SELinux policy
The new `insights-client` service requires permissions which were not in the previous `selinux-policy` versions. As a consequence, some components of `insights-client` did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, `insights-client` runs correctly without reporting AVC errors.
Story Points: ---
Clone Of: 2087069
: 2119507
Environment:
Last Closed: 2022-08-24 09:46:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2087069
Bug Blocks: 2119507, 2121125

Comment 37 errata-xmlrpc 2022-08-24 09:46:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6151

Comment 38 Sam Morris 2022-08-24 16:27:00 UTC
I'm still seeing AVC denials with selinux-policy-3.14.3-95.el8_6.4.noarch; I can provide ausearch output here, or in a child bug, or in a new bug as you advise.

Comment 39 Zdenek Pytela 2022-08-24 16:47:04 UTC
(In reply to Sam Morris from comment #38)
> I'm still seeing AVC denials with selinux-policy-3.14.3-95.el8_6.4.noarch; I
> can provide ausearch output here, or in a child bug, or in a new bug as you
> advise.
Sam,

We are aware of some outstanding issues with particular configuration changes in place. Please use bz#2119507 for reporting any problems like these, with the needed configuration changes if possible. Thank you.

This command should provide valuable information, especially if full auditing was enabled:

  # ausearch -i -m avc,user_avc -ts today

Comment 40 Red Hat Bugzilla 2023-09-18 04:41:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days