Bug 2177607
| Summary: | [RHEL8.6/Insights/SELinux/Bug] AVC Compliance irq with selinux-policy-3.14.3-95.el8_6.6 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nikhil Gupta <ngupta> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | low | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 8.6 | CC: | lvrabec, mgoyal, mhaicman, mmalik, peter.vreman, vmojzis, zpytela | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | 8.9 | Flags: | pm-rhel: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-118.el8 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2209890 2233931 2233932 (view as bug list) | Environment: | ||
| Last Closed: | 2023-11-14 15:47:46 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2209890, 2233931, 2233932 | |||
| Deadline: | 2023-04-24 | |||
insights-client hasn't been allowed this permission in the latest selinux-policy package version.

Commit to backport: 174e5da36 (HEAD -> rawhide, upstream/rawhide) Allow insights-client read all sysctls

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:7091
Description of problem:

Something newly introduced by SCAP CIS policy and/or the selinux-policy released this week together triggers this AVC for insights compliance on the CIS policy:

~~~
$ rpm -q selinux-policy scap-security-guide
selinux-policy-3.14.3-95.el8_6.6.noarch
scap-security-guide-0.1.66-1.el8_6.noarch
~~~

~~~
sudo audit2allow -t insights_client_t -a
----
node=host.example.com type=PROCTITLE msg=audit(03/10/2023 06:24:21.245:32929) : proctitle=oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --lts /var/tmp/insights-client/insights-archiv
node=host.example.com type=PATH msg=audit(03/10/2023 06:24:21.245:32929) : item=0 name=/proc/irq inode=4026531861 dev=00:05 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_irq_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=host.example.com type=CWD msg=audit(03/10/2023 06:24:21.245:32929) : cwd=/root
node=host.example.com type=SYSCALL msg=audit(03/10/2023 06:24:21.245:32929) : arch=x86_64 syscall=openat success=yes exit=27 a0=AT_FDCWD a1=0x5601f768ca10 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=494573 pid=498401 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=probe_worker exe=/usr/bin/oscap subj=system_u:system_r:insights_client_t:s0-s0:c0.c1023 key=(null)
node=host.example.com type=AVC msg=audit(03/10/2023 06:24:21.245:32929) : avc: denied { read } for pid=498401 comm=probe_worker name=irq dev="proc" ino=4026531861 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
----
node=host.example.com type=PROCTITLE msg=audit(03/10/2023 06:24:21.245:32930) : proctitle=oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --lts /var/tmp/insights-client/insights-archiv
node=host.example.com type=PATH msg=audit(03/10/2023 06:24:21.245:32930) : item=0 name=/proc/irq/default_smp_affinity inode=4026531862 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_irq_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=host.example.com type=CWD msg=audit(03/10/2023 06:24:21.245:32930) : cwd=/root
node=host.example.com type=SYSCALL msg=audit(03/10/2023 06:24:21.245:32930) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x5601f768ca10 a1=0x5601f7692de0 a2=0x5601f7e0 a3=0x0 items=1 ppid=494573 pid=498401 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=probe_worker exe=/usr/bin/oscap subj=system_u:system_r:insights_client_t:s0-s0:c0.c1023 key=(null)
node=host.example.com type=AVC msg=audit(03/10/2023 06:24:21.245:32930) : avc: denied { getattr } for pid=498401 comm=probe_worker path=/proc/irq/default_smp_affinity dev="proc" ino=4026531862 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file permissive=1

$ sudo audit2allow -t insights_client_t -a

#============= insights_client_t ==============
allow insights_client_t sysctl_irq_t:dir read;
allow insights_client_t sysctl_irq_t:file getattr;
~~~

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-95.el8_6.6

How reproducible:
Always

Steps to Reproduce:
1. Register RHEL 8.6 host, having selinux-policy-3.14.3-95.el8_6.6, with Insights
2. Register it to the cis_server_l1 compliance policy.
3. Run `insights-client --compliance` command

Actual results:
Triggers this AVC for insights compliance on the CIS policy.

Expected results:
The compliance command should finish successfully without any AVC triggered.
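The two `allow` rules in the description are what `audit2allow -t insights_client_t` derives from the two AVC records above it: each denial contributes its source type, target type, object class and permission set, and denials with the same (source, target, class) triple are merged into one rule. The script below is an added example illustrating that derivation; it is not code from this bug report or from the audit2allow tool. The sample records are constructed from the fields of the two denials shown above (plus one unrelated, constructed `httpd_t` denial to show the source-type filter dropping it), and the `permissive=1` field is carried through because it tells a defender that the access actually succeeded on this host and was only logged, which is why the report shows `success=yes` on the syscall records.

```python
import re
from collections import defaultdict

# Constructed sample audit lines. The first two mirror the AVC records from this
# bug report (raw ausearch format, not the -i interpreted form); the third is an
# unrelated denial added only to exercise the source-type filter.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1678429461.245:32929): avc:  denied  { read } for  pid=498401 '
    'comm="probe_worker" name="irq" dev="proc" ino=4026531861 '
    'scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1678429461.245:32930): avc:  denied  { getattr } for  pid=498401 '
    'comm="probe_worker" path="/proc/irq/default_smp_affinity" dev="proc" ino=4026531862 '
    'scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1678429470.001:32940): avc:  denied  { write } for  pid=1234 '
    'comm="httpd" name="index.html" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
]

# Fields an AVC record always carries, in the order the kernel emits them.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the policy-relevant parts of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None

    def type_of(ctx):
        # A context is user:role:type[:range]; policy rules are written on the type.
        return ctx.split(':')[2]

    return {
        'stype': type_of(m.group('scon')),
        'ttype': type_of(m.group('tcon')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
        # permissive=1: the domain is permissive, so the access went through and
        # was only logged. The denial still shows what enforcing mode would block.
        'permissive': m.group('permissive') == '1',
    }


def allow_rules(lines, source_type=None):
    """Merge denials into allow rules, the way audit2allow -t <type> -a presents them."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if source_type and rec['stype'] != source_type:
            continue
        merged[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']

    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC_LINES, source_type='insights_client_t'):
        print(rule)
```

Run against the sample, the filtered output is exactly the two rules the reporter pasted (`allow insights_client_t sysctl_irq_t:dir read;` and `allow insights_client_t sysctl_irq_t:file getattr;`). The point for a policy maintainer is the same as audit2allow's: the rules are the minimal, literal translation of what was denied, and deciding whether they belong in the distribution policy (here they were backported as "Allow insights-client read all sysctls") or in a local module is a separate judgement.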