Bug 2124661
Summary: | RHEL87 - AVC denials journalctl when starting insights-client from timer | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | mabezerr |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | --- | CC: | gchamoul, lvrabec, mmalik |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | 8.8 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | No Doc Update | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-16 09:04:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
mabezerr
2022-09-06 17:36:12 UTC
The same bug happens in a different scenario for insights-client, this time using '--support' option. >>> Versions: # rpm -qa |grep selinux selinux-policy-targeted-3.14.3-108.el8.noarch rpm-plugin-selinux-4.14.3-23.el8.x86_64 libselinux-2.9-6.el8.x86_64 libselinux-utils-2.9-6.el8.x86_64 selinux-policy-3.14.3-108.el8.noarch python3-libselinux-2.9-6.el8.x86_64 # rpm -qa |grep insights-client insights-client-3.1.7-8.el8.noarch # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 Beta (Ootpa) # insights-client --version Client: 3.1.7 Core: 3.0.292-1 >>> Steps to reproduce: # insights-client --support >>> Current output: # ausearch -m avc -m user_avc -m selinux_err -i -ts today ---- type=PROCTITLE msg=audit(09/06/2022 15:06:32.897:1833) : proctitle=/usr/bin/journalctl --no-pager --header type=SYSCALL msg=audit(09/06/2022 15:06:32.897:1833) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffceb00b430 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=62879 pid=62880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) type=AVC msg=audit(09/06/2022 15:06:32.897:1833) : avc: denied { search } for pid=62880 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(09/06/2022 15:06:32.897:1834) : proctitle=/usr/bin/journalctl --no-pager --header type=SYSCALL msg=audit(09/06/2022 15:06:32.897:1834) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fc9a349af86 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=62879 pid=62880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null) type=AVC msg=audit(09/06/2022 15:06:32.897:1834) : avc: denied { search } for pid=62880 comm=journalctl name=1 dev="proc" ino=12244 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 Let's continue in the 8.7 bz#2119507, I believe the new build fixes it. (In reply to Zdenek Pytela from comment #2) > Let's continue in the 8.7 bz#2119507, I believe the new build fixes it. Ok! I cannot reproduce this issue with current selinux-policy. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965 |