Bug 2122958

Summary: insights-client raises SELinux dbus issue
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.1
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Alba Hita <ahitacat>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: gchamoul, lvrabec, mmalik, pakotvan
Keywords: Reopened, Triaged
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: 9.2
Fixed In Version: selinux-policy-34.1.43-1.el9
Doc Type: No Doc Update
Last Closed: 2023-05-09 08:16:32 UTC
Type: Bug
Bug Blocks: 2124327

Description Alba Hita 2022-08-31 12:42:58 UTC
>>> Description of problem:
Insights-client is raising SELinux issues


Version-Release number of selected component (if applicable):


>>> Steps to Reproduce:
1. Install the latest SELinux-policy and insights-client versions.
2. Configure SELinux with the enforcing policy.
3. Run insights-client --register.
4. Run the insights-client systemd service.


>>> Actual results:

> sudo systemctl status insights-client
○ insights-client.service - Insights Client
     Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static)
     Active: inactive (dead) since Wed 2022-08-31 11:24:05 CEST; 1s ago
TriggeredBy: ● insights-client.timer
       Docs: man:insights-client(8)
    Process: 2754 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=0/SUCCESS)
    Process: 2755 ExecStartPost=/bin/bash -c echo 2G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes (code=exited, status=1/FAILURE)
    Process: 2756 ExecStartPost=/bin/bash -c echo 1G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes (code=exited, status=1/FAILURE)
   Main PID: 2754 (code=exited, status=0/SUCCESS)
        CPU: 27.108s

Aug 31 11:22:32 localhost.localdomain systemd[1]: Started Insights Client.
Aug 31 11:22:42 localhost.localdomain insights-client[2765]: Unable to fetch egg url. Defaulting to /release
Aug 31 11:22:54 localhost.localdomain insights-client[2784]: Starting to collect Insights data for localhost.localdomain
Aug 31 11:23:32 localhost.localdomain /usr/bin/sealert[3211]: attempt to open server connection failed: Permission denied
Aug 31 11:24:04 localhost.localdomain insights-client[2784]: Uploading Insights data.
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: Successfully uploaded report from localhost.localdomain to account 5910538.
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: View details about this system on cloud.redhat.com:
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: https://cloud.redhat.com/insights/inventory/95ca7bdc-85b3-4ffe-bf89-f7595b74f096
Aug 31 11:24:05 localhost.localdomain systemd[1]: insights-client.service: Deactivated successfully.
Aug 31 11:24:05 localhost.localdomain systemd[1]: insights-client.service: Consumed 27.108s CPU time.

> sudo ausearch -m avc -m user_avc -m selinux_err -i -ts boot
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:188) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:189) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:190) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:191) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.250:192) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(08/31/2022 11:23:32.864:218) : proctitle=/usr/bin/python3 -Es /usr/bin/sealert -l * 
type=SYSCALL msg=audit(08/31/2022 11:23:32.864:218) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7ffc96601e80 a2=0x2f a3=0x7f09834b49b9 items=0 ppid=3210 pid=3211 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sealert exe=/usr/bin/python3.9 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(08/31/2022 11:23:32.864:218) : avc:  denied  { write } for  pid=3211 comm=sealert name=setroubleshoot_server dev="tmpfs" ino=1174 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=0 


Additional info:
> rpm -qa selinux\* insights\* | sort
insights-client-3.1.7-6.el9_0.noarch
selinux-policy-34.1.42-1.el9.noarch
selinux-policy-targeted-34.1.42-1.el9.noarch
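
A triage aid for the audit output above, added here as an example and not part of the original report or of any Red Hat tooling: it collapses `ausearch -i` denial records, both kernel `AVC` and userspace `USER_AVC` (where the denial is nested inside `msg='...'`), into unique (source type, target type, class, permission) tuples with counts. The sample records are abridged from the report; the function names are this example's own.

```python
import re
from collections import Counter

# Records abridged from the ausearch output in the report; SERIAL is filled in below.
USER_AVC = ("type=USER_AVC msg=audit(08/31/2022 11:23:09.249:SERIAL) : pid=690 uid=dbus "
            "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
            "msg='avc:  denied  { send_msg } for  "
            "scontext=system_u:system_r:insights_client_t:s0 "
            "tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  "
            "exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'")
AVC = ('type=AVC msg=audit(08/31/2022 11:23:32.864:218) : avc:  denied  { write } for  '
       'pid=3211 comm=sealert name=setroubleshoot_server dev="tmpfs" ino=1174 '
       'scontext=system_u:system_r:insights_client_t:s0 '
       'tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 '
       'tclass=sock_file permissive=0')
PROCTITLE = ("type=PROCTITLE msg=audit(08/31/2022 11:23:32.864:218) : "
             "proctitle=/usr/bin/python3 -Es /usr/bin/sealert -l *")
SAMPLE = "\n".join(
    [USER_AVC.replace("SERIAL", str(n)) for n in range(188, 193)] + [PROCTITLE, AVC])

# Matches the denial itself, whether it is the record body or nested in msg='...'.
DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        match = DENIAL.search(line)
        if not match:
            continue  # PROCTITLE, SYSCALL, separators, etc.
        fields = dict(FIELD.findall(match.group("rest")))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing to attribute
        for perm in match.group("perms").split():
            counts[(type_of(fields["scontext"]), type_of(fields["tcontext"]),
                    fields["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, tclass, perm), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {tgt}  {tclass} {{ {perm} }}")
```
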

Comment 13 errata-xmlrpc 2023-05-09 08:16:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483