Bug 2127902

Summary: Insights compliance service is run from cron instead of systemd, which has a different SELinux context and leads to AVCs
Product: Red Hat Enterprise Linux 8
Reporter: Riya Banerjee <ribanerj>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 8.6
CC: jafiala, lvrabec, mmalik, pakotvan, peter.vreman, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2023-05-16 09:04:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Riya Banerjee 2022-09-19 10:33:47 UTC
Description of problem:
As a follow-up on the SELinux challenges for the insights collection rules, the regular run is now from a systemd timer, started with insights_client_t as context.

However, the Compliance run is documented to be run from cron (refer to KB https://access.redhat.com/solutions/6707871), which creates things like pid files with a different context, such as cron_var_run_t, leading to AVCs like
~~~
allow insights_client_t cron_var_run_t:file unlink;
~~~


Both runs were at the same time: compliance is scheduled at 1:30am, but it looks like the insights-client timer can also use that timeframe.

~~~
[cb/LI] hoiroot@li-lc-2105:~$ cat /etc/cron.d/hoi-insights-scap
30 1 * * * root /opt/hoi/bin/hoi-cron-wrapper '/usr/bin/insights-client --compliance 2>&1'

[cb/LI] hoiroot@li-lc-2105:~$ sudo ausearch -i -m avc,user_avc -ts today
----
type=PROCTITLE msg=audit(09/16/2022 01:31:32.702:218383) : proctitle=/usr/libexec/platform-python /usr/bin/insights-client --retry 3
type=PATH msg=audit(09/16/2022 01:31:32.702:218383) : item=1 name=/var/run/insights-client.pid inode=33134529 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cron_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/16/2022 01:31:32.702:218383) : item=0 name=/var/run/ inode=12425 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/16/2022 01:31:32.702:218383) : cwd=/
type=SYSCALL msg=audit(09/16/2022 01:31:32.702:218383) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7f9342157990 a1=0x0 a2=0x0 a3=0x1 items=2 ppid=1 pid=1261648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/16/2022 01:31:32.702:218383) : avc:  denied  { unlink } for  pid=1261648 comm=insights-client name=insights-client.pid dev="tmpfs" ino=33134529 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file permissiv
~~~

Queries:
- Conflict in how insights-client runs are supposed to be started, taking the new SELinux rules into account
- Concurrent runs of compliance/malware and insights collection. How is this supposed to go together without conflicts? The timeframes used by each are undocumented in the KB (https://access.redhat.com/solutions/6707871)
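
An added example, not part of the bug report and not Red Hat's tooling: a small POSIX shell script that does for denials like the one quoted above what `audit2allow` does, turning raw audit.log AVC records into the allow rule they would need. The AVC lines are constructed for the example: the first mirrors the unlink denial quoted above (raw audit.log form rather than `ausearch -i` output, completed with `permissive=0`), the second is a hypothetical write denial on the same pid file, added only to show how permissions on the same source/target/class are merged into one rule.

```shell
#!/bin/sh
# Added example: derive SELinux allow rules from AVC denial records, audit2allow-style.
# Not from the bug report; the sample records below are constructed for this example.

# Constructed sample: the unlink denial from the report (raw audit.log form) plus a
# hypothetical write denial on the same file, to exercise permission merging.
SAMPLE_AVCS='type=AVC msg=audit(1663288292.702:218383): avc:  denied  { unlink } for  pid=1261648 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=33134529 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663288292.703:218384): avc:  denied  { write } for  pid=1261648 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=33134529 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file permissive=0'

# Extract the SELinux type from a full label (user:role:type[:range]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Turn one AVC record into "source_type target_type:class perm [perm ...]".
avc_to_tuple() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s:%s %s\n' "$(ctx_type "$scontext")" "$(ctx_type "$tcontext")" "$tclass" "$perms"
}

# Read AVC records on stdin; emit one allow rule per (source, target:class) pair,
# with the denied permissions merged and deduplicated. Single permissions are
# printed bare, several in braces, matching audit2allow's output format.
avc_to_allow() {
    grep 'avc: *denied' | while IFS= read -r line; do
        avc_to_tuple "$line"
    done | sort -u | awk '
        function emit() {
            if (key == "") return
            if (n == 1) printf "allow %s %s;\n", key, perms
            else        printf "allow %s { %s };\n", key, perms
        }
        ($1 " " $2) != key {
            emit()
            key = $1 " " $2; perms = ""; n = 0
            split("", seen)
        }
        {
            for (i = 3; i <= NF; i++)
                if (!($i in seen)) { seen[$i] = 1; perms = perms (n ? " " : "") $i; n++ }
        }
        END { emit() }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
```

For the quoted denial alone this prints exactly the rule from the report, `allow insights_client_t cron_var_run_t:file unlink;`. Treat such a rule as a diagnostic rather than a fix: the target type tells you the pid file was created under the cron job's label, which is the mismatch the report describes, and the resolution on this page was an updated selinux-policy, not a local allow rule. Loading the generated rule in a custom module would only hide that mislabeling.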

Comment 1 Zdenek Pytela 2022-09-19 10:40:35 UTC
> [cb/LI] hoiroot@li-lc-2105:~$ cat /etc/cron.d/hoi-insights-scap
> 30 1 * * * root /opt/hoi/bin/hoi-cron-wrapper '/usr/bin/insights-client --compliance 2>&1'

Where do these files come from, are they a part of a customer's setup?

Comment 3 Zdenek Pytela 2022-10-07 14:33:04 UTC
I've checked that both system and user cron jobs executing insights-client directly do not trigger any issue with the latest selinux-policy package in place.
Using a custom wrapper is not considered a supported scenario.

Comment 8 Peter Vreman 2023-03-08 20:11:32 UTC
No compliance issues seen anymore with the latest selinux-policy-3.14.3-95.el8_6.6
For me the BZ can be closed

Comment 9 Zdenek Pytela 2023-03-09 07:59:43 UTC
Peter,

Thank you for confirming. This bz will follow the internal process and will be closed with RHEL 8.8 GA.

Comment 12 errata-xmlrpc 2023-05-16 09:04:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965