Bug 2107363

Summary: [RHEL9] insights-client raises SELinux issues
Product: Red Hat Enterprise Linux 9
Reporter: mabezerr
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 9.0
CC: ahitacat, cmarinea, gchamoul, lvrabec, mmalik, nknazeko, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 9.1
Flags: mabezerr: needinfo-
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-34.1.42-1.el9
Doc Type: Bug Fix
Doc Text:
  Cause: selinux-policy did not allow insights-client to execute additional services.
  Consequence: Some services could fail when started from insights.
  Fix: Support for executing these services was added to selinux-policy.
  Result: Services started from insights run successfully.
Last Closed: 2022-11-15 11:13:54 UTC
Type: Bug

Description mabezerr 2022-07-14 19:49:13 UTC
>>> Description of problem:
Insights-client is not auto-registering due to AVC denials (cloud providers: Azure and AWS)

>>> Version-Release number of selected component (if applicable):
# rpm -qa |grep selinux
libselinux-3.3-2.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-12.el9_0.x86_64
selinux-policy-34.1.37-1.el9.noarch
selinux-policy-targeted-34.1.37-1.el9.noarch

# insights-client --version
Client: 3.1.7
Core: 3.0.279-1


>>> How reproducible:
Steps to Reproduce:
1. Update the SELinux rpm to the most recent version;
2. Instantiate a new VM from cloud provider (Azure or AWS)
3.

>>> Actual results:
insights-client is not auto-registering for Azure and AWS, but registers fine when using GCP.
> GCP
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client auto-registered properly [OK]
rhc auto-registered properly [OK]

> Azure
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client didn't auto-register [Failing]
rhc auto-registered properly [OK]

> AWS
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client didn't auto-register [Failing]
rhc auto-registered properly [OK]

# ausearch -m AVC -ts today
----
time->Wed Jul 13 14:43:47 2022
type=PROCTITLE msg=audit(1657737827.014:122): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F6574632F696E7369676874732D636C69656E742F72706D2E6567672E617363002F6574632F696E7369676874732D636C69656E742F72
type=SYSCALL msg=audit(1657737827.014:122): arch=c000003e syscall=83 success=no exit=-13 a0=5571c05faf80 a1=1c0 a2=0 a3=0 items=0 ppid=1669 pid=1671 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657737827.014:122): avc:  denied  { write } for  pid=1671 comm="gpg" name="root" dev="sda3" ino=3113830 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Wed Jul 13 16:12:09 2022
type=PROCTITLE msg=audit(1657743129.934:82): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C69622F707974686F6E332E362F736974652D7061636B616765732F696E7369676874735F636C69656E742F72756E2E7079002D2D7265676973746572
type=SYSCALL msg=audit(1657743129.934:82): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f3ff909b470 a2=80241 a3=1b6 items=0 ppid=1234 pid=1352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657743129.934:82): avc:  denied  { create } for  pid=1352 comm="platform-python" name=".insights-core-gpg-sig.etag" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0


> systemctl status insights-register.service
● insights-register.service - Automatically Register with Red Hat Insights
   Loaded: loaded (/usr/lib/systemd/system/insights-register.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2022-07-13 16:12:10 EDT; 22min ago
     Docs: man:insights-client(8)
  Process: 1393 ExecStopPost=/bin/systemctl mask --now insights-register.path (code=exited, status=0/SUCCESS)
 Main PID: 1234 (code=exited, status=1/FAILURE)

Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 166, in fetch
Jul 13 16:12:09 rhel8 insights-client[1352]:     force)
Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 72, in _init_connection
Jul 13 16:12:09 rhel8 insights-client[1352]:     return func(self, *args, **kwargs)
Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 231, in _fetch
Jul 13 16:12:09 rhel8 insights-client[1352]:     with open(etag_file, 'w') as handle:
Jul 13 16:12:09 rhel8 insights-client[1352]: PermissionError: [Errno 13] Permission denied: '/etc/insights-client/.insights-core-gpg-sig.etag'
Jul 13 16:12:10 rhel8 systemd[1]: insights-register.service: Main process exited, code=exited, status=1/FAILURE
Jul 13 16:12:10 rhel8 systemctl[1393]: Created symlink /etc/systemd/system/insights-register.path → /dev/null.
Jul 13 16:12:10 rhel8 systemd[1]: insights-register.service: Failed with result 'exit-code'.


>>> Expected results:
insights-client should be able to auto-register without AVC denials.


>>> Additional info:
It is working as expected when using the GCP provider.
> GCP
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client auto-registered properly [OK]
rhc auto-registered properly [OK]

> Link to the SELinux rpm for RHEL9:
https://download-node-02.eng.bos.redhat.com/rhel-9/nightly/RHEL-9/RHEL-9.1.0-20220630.0/compose/BaseOS/x86_64/os/Packages/
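
The two denials quoted above are the raw material for triage; the following is an added example (not part of the bug report, of insights-client, or of selinux-policy) that parses `ausearch -m AVC` output, groups the records by audit serial, decodes the hex-encoded proctitle back into the command line, and prints the allow rule audit2allow would generate for each denial. The sample input is constructed from the records in the report: the SYSCALL lines are shortened, and the first proctitle, which is truncated on the page, is cut back to its last complete argument. All function names are this example's own.

```python
"""Parse SELinux AVC records, decode proctitle, and show the audit2allow rule.

Added example; not code from the bug report, insights-client, or selinux-policy.
"""
import re

# Constructed sample based on the two denials in the report (SYSCALL lines
# shortened; first proctitle cut back to its last complete argument).
SAMPLE_AUDIT = """\
----
time->Wed Jul 13 14:43:47 2022
type=PROCTITLE msg=audit(1657737827.014:122): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F6574632F696E7369676874732D636C69656E742F72706D2E6567672E617363
type=SYSCALL msg=audit(1657737827.014:122): arch=c000003e syscall=83 success=no exit=-13 pid=1671 uid=0 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657737827.014:122): avc:  denied  { write } for  pid=1671 comm="gpg" name="root" dev="sda3" ino=3113830 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Wed Jul 13 16:12:09 2022
type=PROCTITLE msg=audit(1657743129.934:82): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C69622F707974686F6E332E362F736974652D7061636B616765732F696E7369676874735F636C69656E742F72756E2E7079002D2D7265676973746572
type=SYSCALL msg=audit(1657743129.934:82): arch=c000003e syscall=257 success=no exit=-13 pid=1352 uid=0 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657743129.934:82): avc:  denied  { create } for  pid=1352 comm="platform-python" name=".insights-core-gpg-sig.etag" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0
"""

_STAMP = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
_PERMS = re.compile(r"denied\s+\{([^}]*)\}")             # { write } / { read open }
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_records(text):
    """Group audit lines by serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        stamp = _STAMP.search(line)
        if not stamp:
            continue  # '----' and 'time->' separators carry no fields
        fields = {}
        for key, value in _FIELD.findall(line):
            fields[key] = value[1:-1] if value.startswith('"') else value
        perms = _PERMS.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(stamp.group(2), {})[fields["type"]] = fields
    return events


def decode_proctitle(value):
    """audit hex-encodes proctitle when it contains NULs (one per argument
    boundary); a printable title is emitted quoted and is passed through."""
    if _HEX.fullmatch(value):
        args = bytes.fromhex(value).split(b"\0")
        return " ".join(a.decode("utf-8", "replace") for a in args if a)
    return value


def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def summarise(text):
    """One dict per AVC record, with the fields a triage needs."""
    denials = []
    for serial, recs in parse_records(text).items():
        avc = recs.get("AVC")
        if not avc:
            continue
        title = recs.get("PROCTITLE", {}).get("proctitle", "")
        denials.append({
            "serial": serial,
            "domain": type_of(avc["scontext"]),
            "target": type_of(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),
            "enforcing": avc.get("permissive") == "0",
            "command": decode_proctitle(title),
        })
    return denials


def allow_rule(denial):
    """The rule audit2allow would emit. It silences the denial; whether it is
    the right fix is a separate question (see the note after this block)."""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['domain']} {denial['target']}:{denial['tclass']} {perm_str};"


if __name__ == "__main__":
    for d in summarise(SAMPLE_AUDIT):
        mode = "enforcing" if d["enforcing"] else "permissive"
        print(f"[{d['serial']}] {d['domain']} -> {d['target']} ({d['tclass']}) "
              f"{' '.join(d['perms'])} on {d['name']!r} [{mode}]")
        print("   cmd:", d["command"])
        print("   audit2allow would emit:", allow_rule(d))
```

Decoding the proctitle is what turns the first record from "gpg wrote to a dir" into "gpg --verify with a keyring under /etc/insights-client tried to write /root", i.e. gpg creating its ~/.gnupg home in admin_home_t. For the second record the generated rule would let insights_client_t create files labelled insights_client_etc_t, which is broader than needed; the maintainer's comment below instead pairs an .fc entry for the etag file with a named file transition in the .te, and `restorecon -Rv /etc/insights-client` only relabels files that already exist, so it is a workaround rather than the fix.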

Comment 1 Zdenek Pytela 2022-07-15 16:39:02 UTC
I see two issues there:

1. insights-client cannot create /root/.gnupg
- fixed in selinux-policy-34.1.33 and will be in selinux-policy-34.1.29-1.el9_0.1 (z-stream)
447ff42dc (tag: v34.1.33) Allow insights-client manage gpg admin home content

2. missing file transition for .insights-core-gpg-sig.etag
needs to be double-checked: pair the .fc file entry with a named transition in the .te file
workaround: run
  # restorecon -Rv /etc/insights-client

Comment 2 mabezerr 2022-07-18 12:14:16 UTC
Thanks for your comments, @zpytela!
I will check with selinux-policy-34.1.33 version and let you know about the result.
Also, I will check again the .insights-core-gpg-sig.etag case.

I will be back with updates in a few hours.

Comment 41 errata-xmlrpc 2022-11-15 11:13:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283