Bug 2158605

Summary: [RHEL8.6/Insights/SELinux/Bug] SELinux AVC insights-client with selinux-policy-3.14.3-95.el8_6.5
Product: Red Hat Enterprise Linux 8 Reporter: Rajesh Dulhani <rdulhani>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 8.6CC: jafiala, lvrabec, mmalik, nknazeko, peter.vreman, thomas.rumbaut
Target Milestone: rcKeywords: Triaged
Target Release: 8.8   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:04:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rajesh Dulhani 2023-01-05 19:49:03 UTC 
Description of problem:

AVCs not caught by the latest SELinux policy in RHEL8.6.

~~~
----
type=PROCTITLE msg=audit(12/30/2022 09:59:06.257:7041) : proctitle=/usr/libexec/platform-python /usr/sbin/subscription-manager facts
type=MMAP msg=audit(12/30/2022 09:59:06.257:7041) : fd=9 flags=MAP_SHARED
type=SYSCALL msg=audit(12/30/2022 09:59:06.257:7041) : arch=x86_64 syscall=mmap success=yes exit=140682622324736 a0=0x0 a1=0x20 a2=PROT_READ a3=MAP_SHARED items=0 ppid=10959 pid=10960 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=subscription-ma exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:06.257:7041) : avc:  denied  { map } for  pid=10960 comm=subscription-ma path=/dev/mem dev="devtmpfs" ino=9361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:36.139:7052) : proctitle=python3 /usr/bin/pmrep -t 1s -T 1s network.interface.out.packets network.interface.collisions swap.pagesout mssql.memory_manager
type=PATH msg=audit(12/30/2022 09:59:36.139:7052) : item=0 name=/run/pcp/pmcd.socket inode=30825 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcp_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:36.139:7052) : cwd=/
type=SOCKADDR msg=audit(12/30/2022 09:59:36.139:7052) : saddr={ saddr_fam=local path=/run/pcp/pmcd.socket }
type=SYSCALL msg=audit(12/30/2022 09:59:36.139:7052) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe2498d840 a2=0x6e a3=0x7ffe2498d8a8 items=1 ppid=11385 pid=11386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:36.139:7052) : avc:  denied  { connectto } for  pid=11386 comm=python3 path=/run/pcp/pmcd.socket scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:37.733:7053) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l
type=PATH msg=audit(12/30/2022 09:59:37.733:7053) : item=0 name=/var/lib/selinux/targeted/active/modules inode=27505137 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:semanage_store_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:37.733:7053) : cwd=/
type=SYSCALL msg=audit(12/30/2022 09:59:37.733:7053) : arch=x86_64 syscall=access success=yes exit=0 a0=0x55de53ac4f30 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x0 items=1 ppid=11408 pid=11409 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:37.733:7053) : avc:  denied  { write } for  pid=11409 comm=semanage name=modules dev="dm-0" ino=27505137 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:44.137:7097) : proctitle=/usr/sbin/gluster volume info
type=PATH msg=audit(12/30/2022 09:59:44.137:7097) : item=1 name=/var/log/glusterfs/cli.log inode=18899384 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/30/2022 09:59:44.137:7097) : item=0 name=/var/log/glusterfs/ inode=18875820 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:44.137:7097) : cwd=/
type=SYSCALL msg=audit(12/30/2022 09:59:44.137:7097) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564499c7e0a5 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x180 items=2 ppid=11679 pid=11680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:44.137:7097) : avc:  denied  { create } for  pid=11680 comm=gluster name=cli.log scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:00:46.837:7117) : proctitle=/usr/bin/journalctl --no-pager --header
type=PATH msg=audit(12/30/2022 10:00:46.837:7117) : item=0 name=/proc/1/environ nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:00:46.837:7117) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:00:46.837:7117) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffdd567bde0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=12282 pid=12283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:00:46.837:7117) : avc:  denied  { search } for  pid=12283 comm=journalctl name=1 dev="proc" ino=11462 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(12/30/2022 10:00:46.837:7118) : proctitle=/usr/bin/journalctl --no-pager --header
type=PATH msg=audit(12/30/2022 10:00:46.837:7118) : item=0 name=/proc/1/sched nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:00:46.837:7118) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:00:46.837:7118) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fe2d53da2f6 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=12282 pid=12283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:00:46.837:7118) : avc:  denied  { search } for  pid=12283 comm=journalctl name=1 dev="proc" ino=11462 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
type=USER_AVC msg=audit(12/30/2022 10:00:48.264:7119) : pid=943 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.timedate1 spid=12369 tpid=12370 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(12/30/2022 10:00:48.358:7122) : pid=943 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.136 spid=12370 tpid=12369 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
+ sudo audit2allow -a


#============= insights_client_t ==============
allow insights_client_t memory_device_t:chr_file map;
allow insights_client_t pcp_pmcd_t:unix_stream_socket connectto;
allow insights_client_t semanage_store_t:dir write;
allow insights_client_t timedatex_t:dbus send_msg;
allow insights_client_t var_log_t:file create;

#============= journalctl_t ==============
allow journalctl_t init_t:dir search;
~~~


One more on 'vdo status'

~~~
----
type=PROCTITLE msg=audit(01/05/2023 16:19:41.662:9609380) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status
type=PATH msg=audit(01/05/2023 16:19:41.662:9609380) : item=0 name=/run/lock/vdo/_etc_vdoconf.yml.lock inode=375904 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/05/2023 16:19:41.662:9609380) : cwd=/
type=SYSCALL msg=audit(01/05/2023 16:19:41.662:9609380) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7f949e5f8a70 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=3543119 pid=3543120 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(01/05/2023 16:19:41.662:9609380) : avc:  denied  { write } for  pid=3543120 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=375904 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

#============= insights_client_t ==============
allow insights_client_t var_lock_t:file write;
~~~


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-95.el8_6.5
Comment 1 Zdenek Pytela 2023-01-06 16:18:36 UTC 
Most of the permissions are in the current policy.
What is still missing is:

type=PROCTITLE msg=audit(12/30/2022 09:59:36.139:7052) : proctitle=python3 /usr/bin/pmrep -t 1s -T 1s network.interface.out.packets network.interface.collisions swap.pagesout mssql.memory_manager
type=PATH msg=audit(12/30/2022 09:59:36.139:7052) : item=0 name=/run/pcp/pmcd.socket inode=30825 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcp_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:36.139:7052) : cwd=/
type=SOCKADDR msg=audit(12/30/2022 09:59:36.139:7052) : saddr={ saddr_fam=local path=/run/pcp/pmcd.socket }
type=SYSCALL msg=audit(12/30/2022 09:59:36.139:7052) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe2498d840 a2=0x6e a3=0x7ffe2498d8a8 items=1 ppid=11385 pid=11386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:36.139:7052) : avc:  denied  { connectto } for  pid=11386 comm=python3 path=/run/pcp/pmcd.socket scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket permissive=1

pmrep is not confined, so this requires a new pcp interface or even a more general solution

journalctl one is not related, it would require explicit usage of init_read_state(), a solution different to upstream policy
Comment 13 errata-xmlrpc 2023-05-16 09:04:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965