Bug 2188231

Summary: [AWS]Many AVC failures seen with : denied { create } comm="rhc-worker-play" and comm="ansible-playboo".
Product: Red Hat Enterprise Linux 9 Reporter: libhe
Component: rhc-worker-playbookAssignee: CSI Client Tools Bugs <csi-client-tools-bugs>
Status: NEW --- QA Contact: CSI Client Tools Bugs <csi-client-tools-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.2CC: cmarinea, linl, lvrabec, mmalik, xiliang, ymao, zpytela
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog.debug none

Description libhe 2023-04-20 07:52:04 UTC 
Created attachment 1958486 [details]
os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog.debug

Description of problem:
Many AVC failures seen with : denied { create } comm="rhc-worker-play" and comm="ansible-playboo".

----
type=PROCTITLE msg=audit(04/19/2023 12:26:23.290:371) : proctitle=/usr/bin/python3 /usr/libexec/rhc/rhc-worker-playbook.worker 
type=SYSCALL msg=audit(04/19/2023 12:26:23.290:371) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fbc46f27050 a2=O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC a3=0x1a4 items=0 ppid=24199 pid=24518 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhc-worker-play exe=/usr/bin/python3.9 subj=system_u:system_r:rhcd_t:s0 key=(null) 
type=AVC msg=audit(04/19/2023 12:26:23.290:371) : avc:  denied  { write } for  pid=24518 comm=rhc-worker-play name=__pycache__ dev="nvme0n1p4" ino=25798780 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(04/19/2023 12:26:37.251:393) : proctitle=/usr/bin/python3.11 /bin/ansible-playbook /tmp/tmpra9n_3m3/project/main.json 
type=SYSCALL msg=audit(04/19/2023 12:26:37.251:393) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f0ab341e2d0 a2=O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC a3=0x1a4 items=0 ppid=24518 pid=24948 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=unset comm=ansible-playboo exe=/usr/bin/python3.11 subj=system_u:system_r:rhcd_t:s0 key=(null) 
type=AVC msg=audit(04/19/2023 12:26:37.251:393) : avc:  denied  { write } for  pid=24948 comm=ansible-playboo name=__pycache__ dev="nvme0n1p4" ino=1354793 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 
----

Version-Release number of selected components (if applicable):
RHEL-9.2

How reproducible:
100%

Steps to Reproduce:
1. Launch an aws instance with ami-0a7cc1e66703db662(RHEL-9.2.0-20230419.48)
2. Check if avc log exist
   sudo ausearch -m AVC -ts today 

Actual results:
Many AVC denial seen for comm="rhc-worker-play" and comm="ansible-playboo"
http://10.73.196.244/results/iscsi/os_tests/20230419/home/jenkins/workspace/aws_os_tests_x86_64-844/os_tests_result_i3en.6xlarge/attachments/TestGeneralCheck.os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog/os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog.debug
...

Expected results:
No AVC denial should be there

Additional info:
Comment 1 Zdenek Pytela 2023-04-20 11:41:38 UTC 
Hello,

What is the rhc package version?

  # rpm -q rhc
  # semodule -lfull | grep rhcd
Comment 2 libhe 2023-04-20 13:35:40 UTC 
[ec2-user@ip-10-0-25-4 ~]$ rpm -q rhc
rhc-0.2.2-1.el9.x86_64

[ec2-user@ip-10-0-25-4 ~]$ sudo semodule -lfull | grep rhcd
100 rhcd                         pp
Comment 3 Zdenek Pytela 2023-04-20 13:42:36 UTC 
Are you aware of any SELinux or rhc related changes since the installation time? The rhcd_t domain should be permissive:

rhel93# rpm -q rhc
rhc-0.2.2-1.el9.x86_64
rhel93# rpm -q rhc --scripts
postinstall scriptlet (using /bin/sh):
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
    /usr/sbin/semanage permissive --add rhcd_t || true
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        /usr/sbin/semanage permissive --delete rhcd_t || true
    fi
fi
rhel93# semodule -lfull | grep rhcd
400 permissive_rhcd_t            cil
100 rhcd                         pp
Comment 4 libhe 2023-04-20 14:05:52 UTC 
NO any change for SELinux or rhc related since the installation with the latest AWS AMI.
Comment 5 Zdenek Pytela 2023-04-20 18:04:11 UTC 
Can you also run this?

  $ rpm -q rhc --scripts

The only explanation which comes to my mind is that selinux was disabled when rhc was being installed. In that case, reinstallation should help:

  # dnf reinstall rhc
Comment 6 libhe 2023-04-21 02:34:41 UTC 
(In reply to Zdenek Pytela from comment #5)
> Can you also run this?
> 
>   $ rpm -q rhc --scripts
> 
> The only explanation which comes to my mind is that selinux was disabled
> when rhc was being installed. In that case, reinstallation should help:

[ec2-user@ip-10-0-16-30 ~]$ rpm -q rhc --scripts
postinstall scriptlet (using /bin/sh):
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
    /usr/sbin/semanage permissive --add rhcd_t || true
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        /usr/sbin/semanage permissive --delete rhcd_t || true
    fi
fi

> 
>   # dnf reinstall rhc
Yes, reinstallation works.
Comment 7 libhe 2023-04-21 02:39:47 UTC 
BTW, with the build before 20230419, there is no such issue observed.

Here is the result with build RHEL-9.2.0-20230418.20_x86_64
[ec2-user@ip-10-0-22-92 ~]$ sudo semodule -lfull | grep rhcd
100 rhcd                         pp          

[ec2-user@ip-10-0-22-92 ~]$ sudo ausearch -m AVC -ts today
<no matches>

[ec2-user@ip-10-0-22-92 ~]$ rpm -q rhc
rhc-0.2.2-1.el9.x86_64
Comment 8 Zdenek Pytela 2023-08-11 14:48:45 UTC 
Switching the component, but I believe all issues like this have already been addressed.