Bug 2131987

Summary: "#insights-client --register" generates SELinux alerts
Product: Red Hat Enterprise Linux 9
Component: insights-client
Version: 9.0
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: low
Priority: unspecified
Target Milestone: rc
Keywords: Triaged
Reporter: Peter Stone <fedora-topics-562353>
Assignee: Nobody <nobody>
QA Contact: Nobody <nobody>
CC: ahitacat, cmarinea, fjansen, gchamoul, stomsa
Doc Type: If docs needed, set a value
Last Closed: 2022-10-20 12:28:58 UTC
Type: Bug

Description Peter Stone 2022-10-04 12:09:16 UTC
Description of problem: "#insights-client --register" results in 2 SELinux denials.


Version-Release number of selected component (if applicable):
# insights-client --version
Client: 3.1.7
Core: 3.0.296-1


How reproducible: by registering the system manually.


Steps to Reproduce:
1. have a machine which is not registered by insights-client
2. as root, run "insights-client --register"

Actual results: machine not registered, insights-client exits and/or Bash crashes.

Cockpit shows "failed to start" for insights-client-results.service, with some of the last log lines being:
insights-client-results.service: Failed with result 'exit-code'.
insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
PermissionError: [Errno 13] Permission denied: '/etc/insights-client/.cache.json.asc'
fd = os.open(path, flags, 0o600)
File "/etc/insights-client/rpm.egg/insights/client/collection_rules.py", line 255, in write_collection_data
self.write_collection_data(self.collection_rules_file + ".asc", sig_text)
File "/etc/insights-client/rpm.egg/insights/client/collection_rules.py", line 248, in get_collection_rules_gpg
self.get_collection_rules_gpg(json_response)

SELinux access control errors from cockpit:
1. "SELinux is preventing /usr/bin/python3.9 from write access on the directory insights-client."
2. "SELinux is preventing /usr/bin/python3.9 from write access on the file /etc/insights-client/.cache.json.asc."
"If you want to fix the label. /etc/insights-client/.cache.json.asc default label should be insights_client_etc_rw_t."


Expected results: machine registers fine.


Additional info: I'd upload an sos report, but cannot open a case with a developer subscription.
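
A triage sketch for the two denials above, added here as an example (not part of the report or of insights-client): it parses AVC records and separates a mislabelled target, which `restorecon` fixes, from a correctly labelled one that the policy still denies. The audit records are constructed, and the `etc_t` and `insights_client_t` types in them are assumptions; only `insights_client_etc_rw_t` comes from the alert text.

```python
import re

# Expected type for the file, as quoted in the SELinux alert in this report.
EXPECTED_TYPES = {".cache.json.asc": "insights_client_etc_rw_t"}

# Constructed audit records, not copied from the report: pids, inodes and the
# etc_t / insights_client_t types are assumptions made for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1664885300.101:412): avc:  denied  { write } for  pid=2301 comm="python3.9" name="insights-client" dev="dm-0" ino=131 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1664885300.102:413): avc:  denied  { write } for  pid=2301 comm="python3.9" name=".cache.json.asc" dev="dm-0" ino=977 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1664885301.500:414): avc:  denied  { read } for  pid=900 comm="sshd" name="example.conf" dev="dm-0" ino=55 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log, comm="python3.9"):
    """Classify each denial for `comm` as a labelling or a policy problem."""
    findings = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["comm"] != comm:
            continue  # not an AVC denial, or a different process
        expected = EXPECTED_TYPES.get(rec["name"])
        if expected is None:
            verdict = "no expected type known"
        elif rec["ttype"] != expected:
            verdict = "mislabelled: expected " + expected
        else:
            verdict = "label correct: policy lacks the allow rule"
        findings.append((rec["tclass"], rec["name"], rec["ttype"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(*finding, sep=" | ")
```

The AVC `name=` field carries only the last path component, so the lookup is keyed on the file name rather than the full path.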

Comment 3 Gaël Chamoulaud 2022-10-20 12:28:58 UTC

*** This bug has been marked as a duplicate of bug 2106147 ***