Bug 2183351
| Summary: | SELinux prevents the insights-client service from executing the ipcs command | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nikhil Gupta <ngupta> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | VERIFIED --- | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 8.7 | CC: | lvrabec, mmalik, nknazeko, thomas.rumbaut, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-119.el8 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Do you happen to know which service is being checked? It is not a part of audit records. The list of services can be found e.g. with

```
# ps -eo pid,ppid,command,context | grep unconfined_service_[t]
```

In the policy there is only

```
rhel89# sesearch -A -s insights_client_t -t unconfined_service_t -c sem
allow insights_client_t domain:sem unix_read;
```

Will you be able to try a local SELinux module to check if adding the permission is sufficient?

```
# cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (read)))
# semodule -i local_unconfinedservice_semread.cil
```

To remove the module afterwards:

```
# semodule -r local_unconfinedservice_semread
```

Hi,

So the module should contain

```
# cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (getattr read)))
# semodule -i local_unconfinedservice_semread.cil
```

The current version of the insights-client service should make the domain permissive, which would make it easier to gather all required permissions, but apparently it is not the case here - see permissive=0 in the output. The ps command unfortunately did not help much as there are multiple services running in the unconfined_service_t domain. Can you try to find out what the service is? Perhaps

```
# ipcs -a
```

or another command to check IPC resources. Thank you for the cooperation.

Thank you. You can enhance the local module with:

```
(allow insights_client_t filesystem_type (filesystem (quotaget)))
```
Description of problem:

SELinux prevents the insights-client service from executing the ipcs command.

```
----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.721:40170) : proctitle=/usr/bin/ipcs -s -i 3
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.721:40170) : ouid=root ogid=root mode=000,666 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.721:40170) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=206100 pid=206101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc: denied { read } for pid=206101 comm=ipcs ipc_key=1913520266 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----
```

Version-Release number of selected component (if applicable):

```
4.18.0-425.13.1.el8_7.x86_64
selinux-policy-targeted-3.14.3-117.el8.noarch
selinux-policy-3.14.3-117.el8.noarch
```

How reproducible: Always

Steps to Reproduce:

1. Create a fresh VM with plain RHEL8.7 with SELinux enforced.
2. After 24 hours of life this VM produced SELinux avc: denied errors.

Actual results: AVC denials for ipcs are reported.

```
----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.727:40171) : proctitle=/usr/bin/ipcs -s -i 13
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.727:40171) : ouid=root ogid=root mode=000,664 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.727:40171) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0xd a1=0x0 a2=0xc a3=0x0 items=0 ppid=206103 pid=206104 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc: denied { read } for pid=206104 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----
```

Expected results: Insights-client scheduled run should run without any avc denials.

Additional info:

```
# sealert -l 14c6dfc5-a727-46db-971f-bd543147990f| grep -P ^Hash:
Hash: ipcs,insights_client_t,unconfined_service_t,sem,unix_read
```
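As an added example that is not part of the bug report or of selinux-policy, the script below turns AVC records like the ones above into the merged CIL allow rule that the local module in the comments ends up with. The two `read` records are copied from the report; the `getattr` record is constructed to stand for the second denial the updated module covers, and the regex and function names are my own, not tools from the page.

```python
import re
from collections import defaultdict

# Two AVC records copied from the bug report plus one CONSTRUCTED getattr
# record, so the merged result matches the final local module
# (allow insights_client_t unconfined_service_t (sem (getattr read))).
AUDIT_LOG = """\
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc: denied { read } for pid=206101 comm=ipcs ipc_key=1913520266 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc: denied { read } for pid=206104 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:42.001:40172) : avc: denied { getattr } for pid=206104 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
"""

# Fields of an AVC denial we need for a rule: permissions, source/target
# context, object class, and whether the denial was enforced.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_denials(log):
    """Collect the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:          # PROCTITLE/IPC/SYSCALL records carry no AVC fields
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def all_enforcing(log):
    """True when every AVC record has permissive=0, i.e. the access really
    failed; a permissive domain would log all missing permissions in one run
    instead of surfacing them one at a time (the point made in the comments)."""
    flags = [m["permissive"] for m in map(AVC_RE.search, log.splitlines()) if m]
    return bool(flags) and all(f == "0" for f in flags)

def to_cil(rules):
    """Render merged rules as CIL allow statements for a local_*.cil module."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )

if __name__ == "__main__":
    print(to_cil(parse_denials(AUDIT_LOG)))
```

The printed statement can be saved as a `.cil` file and loaded with `semodule -i` exactly as the comments describe, and the `all_enforcing` check explains why a module built from the first batch of denials alone came out incomplete.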