Bug 2124661

Summary: RHEL87 - AVC denials journalctl when starting insights-client from timer
Product: Red Hat Enterprise Linux 8 Reporter: mabezerr
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: ---CC: gchamoul, lvrabec, mmalik
Target Milestone: rcKeywords: Triaged
Target Release: 8.8   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:04:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mabezerr 2022-09-06 17:36:12 UTC 
>>> Description of problem:


>>> Versions
# rpm -qa |grep selinux
selinux-policy-targeted-3.14.3-108.el8.noarch
rpm-plugin-selinux-4.14.3-23.el8.x86_64
libselinux-2.9-6.el8.x86_64
libselinux-utils-2.9-6.el8.x86_64
selinux-policy-3.14.3-108.el8.noarch
python3-libselinux-2.9-6.el8.x86_64

# rpm -qa |grep insights-client
insights-client-3.1.7-8.el8.noarch

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)

# insights-client --version
Client: 3.1.7
Core: 3.0.292-1

>>> Setup:
# insights-client --disable-schedule
# systemctl edit insights-client.timer
[Timer]
OnCalendar=daily
RandomizedDelaySec=60

>>> Steps to Reproduce:
1. Enable timer and add a customized timer to start insights-client (like described in setup)
2. Call insights-client with '--enable-schedule'
# insights-client --enable-schedule
3. Check journalctl logs to check timer calling insights-client
4. Check audit output for denials message

# journalctl -u insights-client.service --follow
Sep 06 09:17:03 mabezerr-87-selinux systemd[1]: Starting Insights Client...
Sep 06 09:17:03 mabezerr-87-selinux systemd[1]: Started Insights Client.
Sep 06 09:17:18 mabezerr-87-selinux insights-client[52736]: Starting to collect Insights data for mabezerr-87-selinux
Sep 06 09:18:46 mabezerr-87-selinux insights-client[52736]: Uploading Insights data.
Sep 06 09:18:47 mabezerr-87-selinux insights-client[52736]: Successfully uploaded report from mabezerr-87-selinux to account 6089719.
Sep 06 09:18:47 mabezerr-87-selinux insights-client[52736]: View details about this system on console.redhat.com:
Sep 06 09:18:47 mabezerr-87-selinux insights-client[52736]: https://console.redhat.com/insights/inventory/cd7d5ca4-64a8-4e5f-a6bc-0baca69d570b
Sep 06 09:18:48 mabezerr-87-selinux systemd[1]: insights-client.service: Succeeded.

>>> Actual results:
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

----
type=PROCTITLE msg=audit(09/06/2022 09:17:29.920:1774) : proctitle=/usr/bin/journalctl --no-pager --header 
type=SYSCALL msg=audit(09/06/2022 09:17:29.920:1774) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffce839eeb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=52882 pid=52883 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 09:17:29.920:1774) : avc:  denied  { search } for  pid=52883 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/06/2022 09:17:29.920:1775) : proctitle=/usr/bin/journalctl --no-pager --header 
type=SYSCALL msg=audit(09/06/2022 09:17:29.920:1775) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f338e34ef86 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=52882 pid=52883 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 09:17:29.920:1775) : avc:  denied  { search } for  pid=52883 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 


>>> Expected results:
No AVC denials should be returned when starting insights-client.service from timer
Comment 1 mabezerr 2022-09-06 19:19:13 UTC 
The same bug happens in a different scenario for insights-client, this time using '--support' option.

>>> Versions:
# rpm -qa |grep selinux
selinux-policy-targeted-3.14.3-108.el8.noarch
rpm-plugin-selinux-4.14.3-23.el8.x86_64
libselinux-2.9-6.el8.x86_64
libselinux-utils-2.9-6.el8.x86_64
selinux-policy-3.14.3-108.el8.noarch
python3-libselinux-2.9-6.el8.x86_64

# rpm -qa |grep insights-client
insights-client-3.1.7-8.el8.noarch

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)

# insights-client --version
Client: 3.1.7
Core: 3.0.292-1

>>> Steps to reproduce:
# insights-client --support

>>> Current output:
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/06/2022 15:06:32.897:1833) : proctitle=/usr/bin/journalctl --no-pager --header 
type=SYSCALL msg=audit(09/06/2022 15:06:32.897:1833) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffceb00b430 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=62879 pid=62880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 15:06:32.897:1833) : avc:  denied  { search } for  pid=62880 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/06/2022 15:06:32.897:1834) : proctitle=/usr/bin/journalctl --no-pager --header 
type=SYSCALL msg=audit(09/06/2022 15:06:32.897:1834) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fc9a349af86 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=62879 pid=62880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 15:06:32.897:1834) : avc:  denied  { search } for  pid=62880 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Comment 2 Zdenek Pytela 2022-09-07 15:09:41 UTC 
Let's continue in the 8.7 bz#2119507, I believe the new build fixes it.
Comment 3 mabezerr 2022-09-08 11:33:17 UTC 
(In reply to Zdenek Pytela from comment #2)
> Let's continue in the 8.7 bz#2119507, I believe the new build fixes it.

Ok!
Comment 6 Zdenek Pytela 2022-10-05 18:54:35 UTC 
I cannot reproduce this issue with current selinux-policy.
Comment 11 errata-xmlrpc 2023-05-16 09:04:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965