Bug 2143878

Summary: Frequent AVC denial messages in commands executed via insights-client
Product: Red Hat Enterprise Linux 8
Reporter: kyoneyama <kyoneyam>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 8.7
CC: cmarinea, fjansen, jafiala, lvrabec, mmalik, ngupta, nknazeko, pakotvan, peter.vreman, shivagup, stomsa, thomas.rumbaut, vbhope
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.8
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-115.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 09:04:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description kyoneyama 2022-11-18 07:55:43 UTC
Description of problem:

Frequent AVC denial messages in commands executed via insights-client.
Each time the service is initiated by the timer, an AVC denial occurs.

The following five types of errors are reproducible in my environment.

(1)
----
time->Wed Nov  9 02:57:05 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930225.799:8258): avc:  denied  { read } for  pid=173101 comm="luksmeta" name="random" dev="devtmpfs" ino=18 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
----

(2)
----
time->Wed Nov  9 02:57:13 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930233.308:8261): avc:  denied  { create } for  pid=173262 comm="semanage" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=netlink_audit_socket permissive=0
----

(3)
----
time->Wed Nov  9 02:57:13 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930233.313:8262): avc:  denied  { write } for  pid=173262 comm="semanage" name="modules" dev="dm-0" ino=202016482 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0
----

(4)
----
time->Wed Nov  9 02:57:17 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930237.924:8266): avc:  denied  { read } for  pid=173441 comm="lpstat" name="cups.sock" dev="tmpfs" ino=38149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
----

(5)
----
time->Wed Nov  9 02:57:20 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930240.094:8278): avc:  denied  { write } for  pid=173477 comm="vdo" name="_etc_vdoconf.yml.lock" dev="tmpfs" ino=30989 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=0
----


AVC denials also occur in the customer's environment for the following NVMe device.

(a)
----
insights-client-3.1.7-8.el8.noarch
selinux-policy-3.14.3-108.el8.noarch                        Tue Nov  8 20:48:40 2022
time->Wed Nov  9 02:57:05 2022
:
node=localhost.localdomain type=AVC msg=audit(1667930225.596:8252): avc:  denied  { read } for  pid=173094 comm="luksmeta" name="nvme1n1p2" dev="devtmpfs" ino=16701 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
----

Version-Release number of selected component (if applicable):

- Red Hat Enterprise Linux 8.7
- insights-client-3.1.7-8.el8
- selinux-policy-3.14.3-108.el8

How reproducible:

Always

Steps to Reproduce:

1. Install relevant packages:
  # yum install insights-client 
  # yum install luksmeta policycoreutils-python-utils cups vdo

2. Register a host:
  # insights-client --register

3. Start insights-client service immediately:
  # systemctl start insights-client.service

4. See messages and audit.log
  # grep setroubleshoot /var/log/messages
  # ausearch -ts recent -m AVC

Comment 1 Milos Malik 2022-11-21 17:40:22 UTC
# rpm -qa selinux\*
selinux-policy-3.14.3-110.el8.noarch
selinux-policy-targeted-3.14.3-110.el8.noarch
#

----
type=PROCTITLE msg=audit(11/21/2022 12:32:53.618:393) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=PATH msg=audit(11/21/2022 12:32:53.618:393) : item=0 name=/var/lib/selinux/targeted/active/modules inode=7746929 dev=fd:01 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:semanage_store_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/21/2022 12:32:53.618:393) : cwd=/ 
type=SYSCALL msg=audit(11/21/2022 12:32:53.618:393) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x559c0821cfa0 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x100 items=1 ppid=18619 pid=18620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(11/21/2022 12:32:53.618:393) : avc:  denied  { write } for  pid=18620 comm=semanage name=modules dev="vda1" ino=7746929 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/21/2022 12:32:54.913:394) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status 
type=PATH msg=audit(11/21/2022 12:32:54.913:394) : item=0 name=/run/lock/vdo/_etc_vdoconf.yml.lock inode=53912 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/21/2022 12:32:54.913:394) : cwd=/ 
type=SYSCALL msg=audit(11/21/2022 12:32:54.913:394) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff6b61c33b0 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=18633 pid=18634 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(11/21/2022 12:32:54.913:394) : avc:  denied  { write } for  pid=18634 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=53912 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(11/21/2022 12:32:57.216:395) : proctitle=/usr/bin/lpstat -p 
type=SOCKADDR msg=audit(11/21/2022 12:32:57.216:395) : saddr={ saddr_fam=inet6 laddr=::1 lport=631 } 
type=SYSCALL msg=audit(11/21/2022 12:32:57.216:395) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5599801b7578 a2=0x1c a3=0x7ffc157ee7bc items=0 ppid=18854 pid=18855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lpstat exe=/usr/bin/lpstat.cups subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(11/21/2022 12:32:57.216:395) : avc:  denied  { name_connect } for  pid=18855 comm=lpstat dest=631 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket permissive=0 
----

After starting the cups service, which was not running during my first attempt, the following SELinux denial appeared as well:
----
type=PROCTITLE msg=audit(11/21/2022 12:37:11.792:423) : proctitle=/usr/bin/lpstat -p 
type=PATH msg=audit(11/21/2022 12:37:11.792:423) : item=0 name=/var/run/cups/cups.sock inode=120650 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cupsd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/21/2022 12:37:11.792:423) : cwd=/ 
type=SYSCALL msg=audit(11/21/2022 12:37:11.792:423) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f39b2e273c5 a1=R_OK a2=0x4 a3=0xffffffff items=1 ppid=19995 pid=19996 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lpstat exe=/usr/bin/lpstat.cups subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(11/21/2022 12:37:11.792:423) : avc:  denied  { read } for  pid=19996 comm=lpstat name=cups.sock dev="tmpfs" ino=120650 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0 
----

Reproduced on 1minutetip machine with the 1MT-RHEL-8.8.0-20221114.3 image.

Comment 3 Zdenek Pytela 2022-11-24 15:53:37 UTC
There seem to remain only a few of the reported problems in the current policy:

rhel88# rpm -q selinux-policy
selinux-policy-3.14.3-111.el8.noarch
rhel88# sesearch -A -s insights_client_t -t var_lock_t -c file -p write
allow insights_client_t var_lock_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
rhel88# sesearch -T -s insights_client_t -t semanage_exec_t
type_transition insights_client_t semanage_exec_t:process semanage_t;

So:
rhel88# sesearch -T -s insights_client_t -t lpr_exec_t
rhel88# sesearch -A -s insights_client_t -t redis_var_run_t -c sock_file -p write
rhel88# sesearch -A -s insights_client_t -t nvme_device_t -c blk_file -p read
<>

0dd73bfa00 (Nikola Knazekova 2022-06-08 10:41:05 +0200 176) storage_raw_read_fixed_disk(insights_client_t)
and
https://github.com/fedora-selinux/selinux-policy/pull/1480
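
The records in the description and the `sesearch` queries in comment 3 together show the triage loop for a report like this one: collect the AVC records, reduce each to a (source type, target type, object class, permission) tuple, and ask the installed policy whether that tuple is already allowed. The script below is an added example, not code from this bug report or from the selinux-policy project. It parses both raw `/var/log/audit/audit.log` records (the `msg=audit(1667930225.799:8258)` form) and `ausearch -i` output (the `msg=audit(11/21/2022 12:32:53.618:393)` form), groups the denials, and prints the `sesearch -A` command that checks each tuple, in the same shape comment 3 uses. The sample records are copied from this report; the script name `avc_triage.py` is an assumption.

```python
#!/usr/bin/env python3
"""Group SELinux AVC denials and emit the sesearch query for each one."""
import re
import sys
from collections import defaultdict

# Constructed sample: AVC records copied from this bug report (raw audit.log
# form from the description, `ausearch -i` form from comment 1) plus one
# non-AVC record to show that other record types are ignored.
SAMPLE_AUDIT = """\
node=localhost.localdomain type=AVC msg=audit(1667930225.799:8258): avc:  denied  { read } for  pid=173101 comm="luksmeta" name="random" dev="devtmpfs" ino=18 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
node=localhost.localdomain type=AVC msg=audit(1667930233.308:8261): avc:  denied  { create } for  pid=173262 comm="semanage" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=netlink_audit_socket permissive=0
node=localhost.localdomain type=AVC msg=audit(1667930237.924:8266): avc:  denied  { read } for  pid=173441 comm="lpstat" name="cups.sock" dev="tmpfs" ino=38149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
type=PROCTITLE msg=audit(11/21/2022 12:32:54.913:394) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status
type=AVC msg=audit(11/21/2022 12:32:54.913:394) : avc:  denied  { write } for  pid=18634 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=53912 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/21/2022 12:32:57.216:395) : avc:  denied  { name_connect } for  pid=18855 comm=lpstat dest=631 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket permissive=0
"""

# Matches both "audit(<epoch>:<serial>): avc:" and "audit(<date> <time>:<serial>) : avc:".
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[^)]*)\)\s*:?\s*avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are quoted in raw audit.log and bare in ausearch -i output.
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": m.group("ts").rsplit(":", 1)[-1],
        "result": m.group("result"),
        "perms": m.group("perms").split(),  # a record may list several permissions
        "comm": fields.get("comm"),
        # File-like classes carry name=, socket connects carry dest= (a port).
        "target": fields.get("name") or fields.get("dest") or "-",
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=0 means the access really failed, not just got logged.
        "enforced": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "targets": set(), "enforced": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            g["count"] += 1
            g["comms"].add(rec["comm"])
            g["targets"].add(rec["target"])
            g["enforced"] = g["enforced"] or rec["enforced"]
    return dict(groups)


def sesearch_command(key):
    """The policy query that shows whether this tuple is already allowed."""
    stype, ttype, tclass, perm = key
    return f"sesearch -A -s {stype} -t {ttype} -c {tclass} -p {perm}"


def report(lines):
    """Human-readable triage table, one line per denial tuple plus its check."""
    out = []
    for key, g in sorted(summarize(lines).items()):
        mode = "enforced" if g["enforced"] else "permissive"
        out.append(f"{g['count']}x {key[0]} -> {key[1]}:{key[2]} {{ {key[3]} }} "
                   f"[{mode}] comm={','.join(sorted(g['comms']))} "
                   f"target={','.join(sorted(g['targets']))}")
        out.append("    check: " + sesearch_command(key))
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe real data in, e.g.: ausearch -ts recent -m AVC | python3 avc_triage.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    print(report(src.splitlines()))
```

An empty `sesearch` result for a tuple means the installed policy has no matching allow rule and the denial is a policy gap (the state comment 3 found for `lpr_exec_t`, `redis_var_run_t` and `nvme_device_t`); a non-empty result with the denial still present points at the label of the object rather than the rule, so the next check is whether the file or socket actually carries the context the rule names.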

Comment 24 Zdenek Pytela 2023-01-17 18:43:13 UTC
*** Bug 2161716 has been marked as a duplicate of this bug. ***

Comment 33 errata-xmlrpc 2023-05-16 09:04:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965