Bug 2132230
| Summary: | [RHEL8/Insights/Bug] SELinux violations insights client with Satellite 6.11 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nikhil Gupta <ngupta> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.6 | CC: | lvrabec, mmalik, nknazeko, pakotvan, peter.vreman, ribanerj | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | 8.8 | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-110.el8 | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
selinux-policy does not support insights-client interacting with PostgreSQL and password checks
Consequence:
Some commands may fail when started from insights
Fix:
Support for services execution was added to selinux-policy
Result:
Services started from insights run successfully
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2136762 2136764 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-16 09:04:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2136762, 2136764 | |||
| Deadline: | 2022-10-04 | |||
These issues have not been addressed yet:
----
type=PROCTITLE msg=audit(1.1.1970 01:00:10.000:0) : proctitle=/usr/bin/psql
type=AVC msg=audit(1.1.1970 01:00:10.000:0) : avc: denied { write } for pid=2090233 comm=psql name=.s.PGSQL.5432 dev="tmpfs" ino=30746 scontext=system_u:system_r:insights_client_t:s0 tcontext=sy tem_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1.1.1970 01:00:10.000:0) : avc: denied { connectto } for pid=2090233 comm=psql path=/run/postgresql/.s.PGSQL.5432 scontext=system_u:system_r:insights_client_t:s0 tcontext=syst m_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1.1.1970 01:00:10.000:0) : arch=unknown-elf-type(x86_64) syscall=read success=yes exit=0 a0=0x0x4 a1=0x0x5587f5469d70 a2=0x0x6e a3=0x0x0 items=1 ppid=2090224 pid=2090233 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=psql exe=/usr/bin/psql subj=system_u:system_r:insights_client_t:s0 key=(null)
type=SOCKADDR msg=audit(1.1.1970 01:00:10.000:0) : saddr=malformed-host({) saddr_fam=local path=/var/run/postgresql/.s.PGSQL.5432
type=CWD msg=audit(1.1.1970 01:00:10.000:0) : cwd=/var/lib/pgsql\015
type=PATH msg=audit(1.1.1970 01:00:10.000:0) : item=0 name=/var/run/postgresql/.s.PGSQL.5432 inode=30746 dev=00:18 mode=000,000 777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:postgresql_v r_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
----
type=PROCTITLE msg=audit(10/04/2022 11:50:42.240:257143) : proctitle=/usr/sbin/unix_chkpwd root chkexpiry
type=PATH msg=audit(10/04/2022 11:50:42.240:257143) : item=0 name=/etc/shadow inode=4602846 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/04/2022 11:50:42.240:257143) : cwd=/
type=SYSCALL msg=audit(10/04/2022 11:50:42.240:257143) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x147810507ec6 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2090224 pid=2090225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc: denied { open } for pid=2090225 comm=unix_chkpwd path=/etc/shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc: denied { read } for pid=2090225 comm=unix_chkpwd name=shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: SELinux violations insights client with Satellite 6.11 ~~~ #============= insights_client_t ============== allow insights_client_t admin_home_t:file append; allow insights_client_t foreman_rails_t:fifo_file getattr; allow insights_client_t postgresql_t:fifo_file getattr; #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode' allow insights_client_t postgresql_t:unix_stream_socket connectto; allow insights_client_t postgresql_var_run_t:sock_file write; allow insights_client_t pulpcore_server_t:fifo_file getattr; allow insights_client_t pulpcore_t:fifo_file getattr; allow insights_client_t shadow_t:file { open read }; allow insights_client_t tomcat_t:fifo_file getattr; allow insights_client_t websm_port_t:tcp_socket name_connect; ~~~ Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: