Bug 2060834 - "systemctl start insights-client" broken
Summary: "systemctl start insights-client" broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-04 10:44 UTC by Marius Vollmer
Modified: 2023-05-16 12:56 UTC
CC: 8 users

Fixed In Version: selinux-policy-3.14.3-99.el8
Doc Type: Bug Fix
Doc Text:
.Permissions for `insights-client` added to the SELinux policy
The new `insights-client` service requires permissions which were not in the previous `selinux-policy` versions. As a consequence, some components of `insights-client` did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, `insights-client` runs correctly without reporting AVC errors.
Clone Of:
Environment:
Last Closed: 2022-11-08 10:43:57 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Links:
GitHub fedora-selinux/selinux-policy pull 1202 (Merged): Insights gpg, last updated 2022-07-07 16:48:10 UTC
Red Hat Issue Tracker RHELPLAN-114511, last updated 2022-03-04 10:47:22 UTC
Red Hat Product Errata RHBA-2022:7691, last updated 2022-11-08 10:44:18 UTC

Internal Links: 2062136

Description Marius Vollmer 2022-03-04 10:44:31 UTC
Description of problem:
The insights-client.service can't be started anymore, presumably because of SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-93.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start insights-client

Actual results:
insights-client.service ends up in a "failed" state with this message:

    insights-client[1738]: No GPG-verified eggs can be found

At the same time, this audit message is produced:

    audit: type=1400 audit(1646390278.673:4): avc:  denied  { getattr } for  pid=1738 comm="insights-client" path="/var/lib/insights/last_stable.egg" dev="vda3" ino=41997557 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Expected results:
insights-client.service can be started successfully.

Additional info:

Running insights-client from the command line works as far as I can tell, it's just the service that is denied access.

With "setenforce 0", the insights-client.service can start successfully, but these audit messages are produced:


[  357.048250] audit: type=1400 audit(1646390546.967:7): avc:  denied  { getattr } for  pid=1816 comm="insights-client" path="/var/lib/insights/last_stable.egg" dev="vda3" ino=41997557 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
[  357.052731] audit: type=1400 audit(1646390546.971:8): avc:  denied  { read } for  pid=1819 comm="gpg" name="pubring.kbx" dev="vda3" ino=25166050 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.056379] audit: type=1400 audit(1646390546.971:9): avc:  denied  { open } for  pid=1819 comm="gpg" path="/root/.gnupg/pubring.kbx" dev="vda3" ino=25166050 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.060117] audit: type=1400 audit(1646390546.971:10): avc:  denied  { getattr } for  pid=1819 comm="gpg" path="/root/.gnupg/pubring.kbx" dev="vda3" ino=25166050 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.064164] audit: type=1400 audit(1646390546.971:11): avc:  denied  { write } for  pid=1819 comm="gpg" name="pubring.kbx" dev="vda3" ino=25166050 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.067669] audit: type=1400 audit(1646390546.971:12): avc:  denied  { write } for  pid=1819 comm="gpg" name=".gnupg" dev="vda3" ino=25165981 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=1
[  357.071463] audit: type=1400 audit(1646390546.971:13): avc:  denied  { add_name } for  pid=1819 comm="gpg" name=".#lk0x000056332eeb3160.rhel-8-6-127-0-0-2-2201.1819" scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=1
[  357.075124] audit: type=1400 audit(1646390546.971:14): avc:  denied  { create } for  pid=1819 comm="gpg" name=".#lk0x000056332eeb3160.rhel-8-6-127-0-0-2-2201.1819" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.079037] audit: type=1400 audit(1646390546.971:15): avc:  denied  { write open } for  pid=1819 comm="gpg" path="/root/.gnupg/.#lk0x000056332eeb3160.rhel-8-6-127-0-0-2-2201.1819" dev="vda3" ino=25293391 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
[  357.083483] audit: type=1400 audit(1646390546.971:16): avc:  denied  { getattr } for  pid=1819 comm="gpg" path="/root/.gnupg/.#lk0x000056332eeb3160.rhel-8-6-127-0-0-2-2201.1819" dev="vda3" ino=25293391 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1

Comment 1 Milos Malik 2022-03-04 10:56:12 UTC
Based on the SELinux denials, both /root/.gnupg and /var/lib/insights directories are mislabeled:

Please run the following commands and let us know if the result is acceptable:

# restorecon -Rv /var/lib/insights /root/.gnupg
# service insights-client start

Thank you.

Comment 2 Zdenek Pytela 2022-03-04 11:37:55 UTC
> Running insights-client from the command line works as far as I can tell, it's just the service that is denied access.

Marius,

Was the command executed before the insights-client service was started for the first time?
The policy does not expect this.

Comment 3 Milos Malik 2022-03-04 17:42:25 UTC
If the /root/.gnupg directory does not exist before the insights-client service is started then the following SELinux denial appears:
----
type=PROCTITLE msg=audit(03/04/2022 12:37:34.490:333) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:37:34.490:333) : item=1 name=/root/.gnupg nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:37:34.490:333) : item=0 name=/root/ inode=2097281 dev=fd:01 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:37:34.490:333) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:37:34.490:333) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55de4758bf80 a1=0700 a2=0x0 a3=0x0 items=2 ppid=5632 pid=5635 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:37:34.490:333) : avc:  denied  { write } for  pid=5635 comm=gpg name=root dev="vda1" ino=2097281 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0 
----

because the insights-client service runs the gpg command and SELinux policy does not define a transition from insights_client_t to gpg_t:

# sesearch -s insights_client_t -t gpg_exec_t -T
#

Comment 4 Milos Malik 2022-03-04 17:50:45 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(03/04/2022 12:49:00.675:356) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:49:00.675:356) : item=1 name=/root/.gnupg inode=16777602 dev=fd:01 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:49:00.675:356) : item=0 name=/root/ inode=2097281 dev=fd:01 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:49:00.675:356) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:49:00.675:356) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x55b55be71f80 a1=0700 a2=0x0 a3=0x0 items=2 ppid=6223 pid=6226 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:49:00.675:356) : avc:  denied  { create } for  pid=6226 comm=gpg name=.gnupg scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(03/04/2022 12:49:00.675:356) : avc:  denied  { add_name } for  pid=6226 comm=gpg name=.gnupg scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(03/04/2022 12:49:00.675:356) : avc:  denied  { write } for  pid=6226 comm=gpg name=root dev="vda1" ino=2097281 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/04/2022 12:49:00.675:357) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:49:00.675:357) : item=1 name=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 inode=16777603 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:49:00.675:357) : item=0 name=/root/.gnupg/ inode=16777602 dev=fd:01 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:49:00.675:357) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:49:00.675:357) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x55b55be710c0 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x1a4 items=2 ppid=6223 pid=6226 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:49:00.675:357) : avc:  denied  { write open } for  pid=6226 comm=gpg path=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/04/2022 12:49:00.675:357) : avc:  denied  { create } for  pid=6226 comm=gpg name=.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/04/2022 12:49:00.675:358) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:49:00.675:358) : item=0 name=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 inode=16777603 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:49:00.675:358) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:49:00.675:358) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55b55be710c0 a1=0x7fffc1e20ee0 a2=0x7fffc1e20ee0 a3=0x1a4 items=1 ppid=6223 pid=6226 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:49:00.675:358) : avc:  denied  { getattr } for  pid=6226 comm=gpg path=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/04/2022 12:49:00.675:359) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:49:00.675:359) : item=2 name=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226x inode=16777603 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:49:00.675:359) : item=1 name=/root/.gnupg/ inode=16777602 dev=fd:01 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:49:00.675:359) : item=0 name=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 inode=16777603 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:49:00.675:359) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:49:00.675:359) : arch=x86_64 syscall=link success=yes exit=0 a0=0x55b55be710c0 a1=0x55b55be76e60 a2=0x1a a3=0x0 items=3 ppid=6223 pid=6226 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:49:00.675:359) : avc:  denied  { link } for  pid=6226 comm=gpg name=.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/04/2022 12:49:00.675:359) : avc:  denied  { read } for  pid=6226 comm=gpg name=.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226 dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/04/2022 12:49:00.675:360) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(03/04/2022 12:49:00.675:360) : item=1 name=/root/.gnupg/.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226x inode=16777603 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2022 12:49:00.675:360) : item=0 name=/root/.gnupg/ inode=16777602 dev=fd:01 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2022 12:49:00.675:360) : cwd=/ 
type=SYSCALL msg=audit(03/04/2022 12:49:00.675:360) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55b55be76e60 a1=0x7fffc1e20ee0 a2=0x7fffc1e20ee0 a3=0x0 items=2 ppid=6223 pid=6226 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(03/04/2022 12:49:00.675:360) : avc:  denied  { unlink } for  pid=6226 comm=gpg name=.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226x dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/04/2022 12:49:00.675:360) : avc:  denied  { remove_name } for  pid=6226 comm=gpg name=.#lk0x000055b55be72ce0.ci-vm-10-0-136-202.hosted.upshift.rdu2.redhat.com.6226x dev="vda1" ino=16777603 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
----

Comment 5 Marius Vollmer 2022-03-07 12:56:38 UTC
(In reply to Zdenek Pytela from comment #2)
> > Running insights-client from the command line works as far as I can tell, it's just the service that is denied access.
> 
> Marius,
> 
> Was the command executed before the insights-client service was started for
> the first time?

Yes.

Comment 6 Marius Vollmer 2022-03-07 13:20:37 UTC
(In reply to Milos Malik from comment #1)
> Based on the SELinux denials, both /root/.gnupg and /var/lib/insights
> directories are mislabeled:
> 
> Please run the following commands and let us know if the result is
> acceptable:
> 
> # restorecon -Rv /var/lib/insights /root/.gnupg
> # service insights-client start

This allows the service to start successfully.  Also, subsequent runs of insights-client on the command line (as root) do not seem to mislabel things anymore.

Comment 7 Marius Vollmer 2022-03-08 09:05:31 UTC
(In reply to Marius Vollmer from comment #6)
> (In reply to Milos Malik from comment #1)
> > Based on the SELinux denials, both /root/.gnupg and /var/lib/insights
> > directories are mislabeled:
> > 
> > Please run the following commands and let us know if the result is
> > acceptable:
> > 
> > # restorecon -Rv /var/lib/insights /root/.gnupg
> > # service insights-client start
> 
> This allows the service to start successfully.  Also, subsequent runs of
> insights-client on the command line (as root), do not seem to mislabel
> things anymore.

Hmm, I also need to relabel /var/log/insights-client and create /var/cache/insights/ upfront, but even then the service runs into this error:

Mar 08 04:01:36 rhel-8-6-127-0-0-2-2201 insights-client[5893]: HTTPSConnectionPool(host='rhel-8-6-127-0-0-2-2201', port=8888): Max retries exceeded with url: /r/insights/platform/inventory/v1/hosts?insights_id=e59c3bf0-e7af-449c-9e53-0e807aab3cd7 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc8487a8ac8>: Failed to establish a new connection: [Errno 13] Permission denied',))
Mar 08 04:01:36 rhel-8-6-127-0-0-2-2201 kernel: audit: type=1400 audit(1646730096.170:5): avc:  denied  { name_connect } for  pid=5893 comm="platform-python" dest=8888 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Mar 08 04:01:36 rhel-8-6-127-0-0-2-2201 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE

Comment 8 Milos Malik 2022-03-08 10:00:02 UTC
Please run the following command on the machine where you encountered the SELinux denial (kernel: audit: type=1400 ...):

# semanage port -a -t http_port_t -p tcp 8888

And start the insights-client service again.

Let us know if additional SELinux denials appear:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 9 Milos Malik 2022-03-08 10:14:08 UTC
SELinux policy already defines a special SELinux context for the /var/log/insights-client directory:

# matchpathcon /var/log/insights-client
/var/log/insights-client	system_u:object_r:insights_client_var_log_t:s0
#

But SELinux policy does not define a special SELinux context for the /var/cache/insights directory:

# matchpathcon /var/cache/insights/
/var/cache/insights	system_u:object_r:var_t:s0
#

Which means that execution of the following commands is also necessary:

# semanage fcontext -a -t insights_client_var_run_t '/var/cache/insights(/.*)?'
# restorecon -Rv /var/cache/insights

Please restart the insights-client service again.

And let us know if additional SELinux denials appear:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 10 Marius Vollmer 2022-03-08 15:11:58 UTC
Before I spend more time on this, I have to ask: Do you guys test this also on your side? Can I see that test case?
I am not sure anymore whether you think I am reporting bugs in the policy, or whether you think I am using insights-client "wrong".  Thanks!

Comment 13 Marius Vollmer 2022-03-09 12:01:11 UTC
(In reply to Milos Malik from comment #9)

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Could not open dir /var/log/audit (No such file or directory)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (No such file or directory)

I'll give you "journalctl | grep audit".

Comment 14 Marius Vollmer 2022-03-09 12:42:59 UTC
Hmm, I start to understand more of the problem, I think.  Our image creation scripts somehow cause the relevant files to be mislabeled.  Just running insights-client on the command line does not do this, it must be something in our image creation scripts.

So I will go away now and try to figure this out.  Thanks a lot for your patience so far!

But here is what I have so far.  Running this before the test:

    semanage fcontext -a -t insights_client_var_run_t '/var/cache/insights(/.*)?'
    mkdir /var/cache/insights
    restorecon -Rv /var/lib/insights /root/.gnupg /var/log/insights-client /var/cache/insights
    setenforce 0

results in these audit messages:

audit: type=1400 audit(1646829092.200:8): avc:  denied  { write } for  pid=23159 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=87064 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829092.200:9): avc:  denied  { open } for  pid=23159 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=87064 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829092.200:10): avc:  denied  { getattr } for  pid=23159 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=87064 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829092.200:11): avc:  denied  { ioctl } for  pid=23159 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=87064 ioctlcmd=0x5401 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829103.349:12): avc:  denied  { unlink } for  pid=23249 comm="platform-python" name=".registered" dev="vda3" ino=32046 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:insights_client_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.253:13): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.334:14): avc:  denied  { execute } for  pid=23384 comm="platform-python" name="systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.334:15): avc:  denied  { read open } for  pid=23384 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.334:16): avc:  denied  { execute_no_trans } for  pid=23384 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.424:17): avc:  denied  { map } for  pid=23384 comm="systemd-notify" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829132.431:18): avc:  denied  { getattr } for  pid=23384 comm="systemd-notify" name="/" dev="vda3" ino=128 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
audit: type=1400 audit(1646829132.431:19): avc:  denied  { create } for  pid=23384 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829132.431:20): avc:  denied  { getopt } for  pid=23384 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829132.431:21): avc:  denied  { setopt } for  pid=23384 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829132.431:22): avc:  denied  { sendto } for  pid=23384 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829138.145:54): avc:  denied  { getattr } for  pid=23402 comm="subscription-ma" path="/var/log/rhsm" dev="vda3" ino=25293396 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829138.145:55): avc:  denied  { search } for  pid=23402 comm="subscription-ma" name="rhsm" dev="vda3" ino=25293396 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829138.145:56): avc:  denied  { open } for  pid=23402 comm="subscription-ma" path="/var/log/rhsm/rhsm.log" dev="vda3" ino=26333872 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829138.244:57): avc:  denied  { getattr } for  pid=23402 comm="subscription-ma" path="/usr/bin/rpm" dev="vda3" ino=50035 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829140.436:58): avc:  denied  { search } for  pid=23402 comm="subscription-ma" name="rhsm" dev="vda3" ino=25289725 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_lib_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829140.436:59): avc:  denied  { getattr } for  pid=23402 comm="subscription-ma" path="/var/lib/rhsm/cache/current_owner.json" dev="vda3" ino=26333877 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829140.456:60): avc:  denied  { read } for  pid=23402 comm="subscription-ma" name="ca" dev="vda3" ino=25165984 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_config_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829140.604:61): avc:  denied  { read } for  pid=23402 comm="subscription-ma" name="cache" dev="vda3" ino=25289726 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_lib_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829140.604:62): avc:  denied  { read write } for  pid=23402 comm="subscription-ma" name="current_owner.json" dev="vda3" ino=26333877 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829140.604:63): avc:  denied  { open } for  pid=23402 comm="subscription-ma" path="/var/lib/rhsm/cache/current_owner.json" dev="vda3" ino=26333877 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829157.732:122): avc:  denied  { bind } for  pid=23526 comm="isc-worker0000" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1646829157.732:123): avc:  denied  { getopt } for  pid=23526 comm="isc-worker0000" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1646829162.512:124): avc:  denied  { sendto } for  pid=23540 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829187.866:125): avc:  denied  { execute } for  pid=23365 comm="platform-python" name="dmesg" dev="vda3" ino=59354 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:dmesg_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.866:126): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/usr/bin/dmesg" dev="vda3" ino=59354 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:dmesg_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.924:127): avc:  denied  { read open } for  pid=23606 comm="timeout" path="/usr/bin/dmesg" dev="vda3" ino=59354 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:dmesg_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.924:128): avc:  denied  { execute_no_trans } for  pid=23606 comm="timeout" path="/usr/bin/dmesg" dev="vda3" ino=59354 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:dmesg_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.924:129): avc:  denied  { map } for  pid=23606 comm="dmesg" path="/usr/bin/dmesg" dev="vda3" ino=59354 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:dmesg_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.925:130): avc:  denied  { read } for  pid=23606 comm="dmesg" name="kmsg" dev="devtmpfs" ino=9368 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829187.925:131): avc:  denied  { open } for  pid=23606 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=9368 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829187.925:132): avc:  denied  { syslog_read } for  pid=23606 comm="dmesg" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
audit: type=1400 audit(1646829187.933:133): avc:  denied  { execute } for  pid=23365 comm="platform-python" name="rpm" dev="vda3" ino=50035 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829187.934:134): avc:  denied  { read } for  pid=23365 comm="platform-python" name="messages" dev="vda3" ino=8407073 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.228:149): avc:  denied  { execute } for  pid=23365 comm="platform-python" name="dmsetup" dev="vda3" ino=25166243 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.228:150): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/usr/sbin/dmsetup" dev="vda3" ino=25166243 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.276:151): avc:  denied  { read open } for  pid=23757 comm="timeout" path="/usr/sbin/dmsetup" dev="vda3" ino=25166243 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.276:152): avc:  denied  { execute_no_trans } for  pid=23757 comm="timeout" path="/usr/sbin/dmsetup" dev="vda3" ino=25166243 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.276:153): avc:  denied  { map } for  pid=23757 comm="dmsetup" path="/usr/sbin/dmsetup" dev="vda3" ino=25166243 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829211.278:154): avc:  denied  { getattr } for  pid=23757 comm="dmsetup" path="/dev/mapper/control" dev="devtmpfs" ino=12938 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829211.278:155): avc:  denied  { read write } for  pid=23757 comm="dmsetup" name="control" dev="devtmpfs" ino=12938 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829211.278:156): avc:  denied  { open } for  pid=23757 comm="dmsetup" path="/dev/mapper/control" dev="devtmpfs" ino=12938 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829211.278:157): avc:  denied  { ioctl } for  pid=23757 comm="dmsetup" path="/dev/mapper/control" dev="devtmpfs" ino=12938 ioctlcmd=0xfd00 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829211.645:158): avc:  denied  { execute } for  pid=23365 comm="platform-python" name="systemctl" dev="vda3" ino=137923 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829216.528:265): avc:  denied  { getattr } for  pid=23907 comm="tuned-adm" path="/usr/sbin/tuned" dev="vda3" ino=25166506 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829217.253:266): avc:  denied  { search } for  pid=23907 comm="tuned-adm" name="tuned" dev="vda3" ino=16798057 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_etc_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829217.253:267): avc:  denied  { read } for  pid=23907 comm="tuned-adm" name="tuned-main.conf" dev="vda3" ino=16798061 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829217.253:268): avc:  denied  { open } for  pid=23907 comm="tuned-adm" path="/etc/tuned/tuned-main.conf" dev="vda3" ino=16798061 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829217.253:269): avc:  denied  { getattr } for  pid=23907 comm="tuned-adm" path="/etc/tuned/tuned-main.conf" dev="vda3" ino=16798061 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829217.253:270): avc:  denied  { ioctl } for  pid=23907 comm="tuned-adm" path="/etc/tuned/tuned-main.conf" dev="vda3" ino=16798061 ioctlcmd=0x5401 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tuned_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829217.325:271): avc:  denied  { write } for  pid=23907 comm="tuned-adm" name="system_bus_socket" dev="tmpfs" ino=24251 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829217.328:274): avc:  denied  { write } for  pid=23907 comm="tuned-adm" name="memfd:libffi" dev="tmpfs" ino=94491 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829222.245:285): avc:  denied  { search } for  pid=23365 comm="platform-python" name="dnf" dev="vda3" ino=41943291 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829222.245:286): avc:  denied  { read } for  pid=23365 comm="platform-python" name="modulefailsafe" dev="vda3" ino=50332092 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829222.245:287): avc:  denied  { open } for  pid=23365 comm="platform-python" path="/var/lib/dnf/modulefailsafe" dev="vda3" ino=50332092 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829222.348:288): avc:  denied  { search } for  pid=23365 comm="platform-python" name="modules" dev="vda3" ino=8392878 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829231.028:289): avc:  denied  { read } for  pid=23945 comm="uptime" name="utmp" dev="tmpfs" ino=16106 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829231.028:290): avc:  denied  { open } for  pid=23945 comm="uptime" path="/run/utmp" dev="tmpfs" ino=16106 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829231.028:291): avc:  denied  { lock } for  pid=23945 comm="uptime" path="/run/utmp" dev="tmpfs" ino=16106 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829231.646:292): avc:  denied  { connect } for  pid=23947 comm="vdo" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829231.646:293): avc:  denied  { read } for  pid=23947 comm="vdo" name="log" dev="devtmpfs" ino=12767 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1
audit: type=1400 audit(1646829231.646:294): avc:  denied  { write } for  pid=23947 comm="vdo" name="dev-log" dev="tmpfs" ino=12765 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829231.646:295): avc:  denied  { getattr } for  pid=23947 comm="vdo" path="/var/lock" dev="vda3" ino=25293394 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
audit: type=1400 audit(1646829231.646:296): avc:  denied  { read } for  pid=23947 comm="vdo" name="lock" dev="vda3" ino=25293394 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
audit: type=1400 audit(1646829231.646:297): avc:  denied  { getattr } for  pid=23947 comm="vdo" path="/run/lock/vdo/_etc_vdoconf.yml.lock" dev="tmpfs" ino=26323 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829231.646:298): avc:  denied  { read write } for  pid=23947 comm="vdo" name="_etc_vdoconf.yml.lock" dev="tmpfs" ino=26323 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829237.752:830): avc:  denied  { getattr } for  pid=24114 comm="rct" path="/var/log/rhsm" dev="vda3" ino=25293396 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829237.752:831): avc:  denied  { search } for  pid=24114 comm="rct" name="rhsm" dev="vda3" ino=25293396 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829237.752:832): avc:  denied  { open } for  pid=24114 comm="rct" path="/var/log/rhsm/rhsm.log" dev="vda3" ino=26333872 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.628:833): avc:  denied  { getattr } for  pid=24135 comm="pvs" path="/dev/vda" dev="devtmpfs" ino=15276 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1646829242.629:834): avc:  denied  { getattr } for  pid=24135 comm="pvs" path="/run/systemd/journal/dev-log" dev="tmpfs" ino=12765 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829242.630:835): avc:  denied  { read } for  pid=24135 comm="pvs" name="vda" dev="devtmpfs" ino=15276 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1646829242.630:836): avc:  denied  { open } for  pid=24135 comm="pvs" path="/dev/vda" dev="devtmpfs" ino=15276 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1646829242.630:837): avc:  denied  { ioctl } for  pid=24135 comm="pvs" path="/dev/vda" dev="devtmpfs" ino=15276 ioctlcmd=0x1272 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1646829242.840:838): avc:  denied  { search } for  pid=23365 comm="platform-python" name="libvirt" dev="vda3" ino=17624962 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829242.857:839): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/etc/libvirt/qemu.conf" dev="vda3" ino=17625092 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.857:840): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/etc/libvirt" dev="vda3" ino=17624962 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829242.857:841): avc:  denied  { read } for  pid=23365 comm="platform-python" name="qemu.conf" dev="vda3" ino=17625092 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.862:842): avc:  denied  { open } for  pid=24150 comm="cp" path="/etc/libvirt/qemu.conf" dev="vda3" ino=17625092 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.864:843): avc:  denied  { getattr } for  pid=23365 comm="platform-python" path="/proc/mdstat" dev="proc" ino=4026532010 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.864:844): avc:  denied  { read } for  pid=23365 comm="platform-python" name="mdstat" dev="proc" ino=4026532010 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.869:845): avc:  denied  { open } for  pid=24151 comm="cp" path="/proc/mdstat" dev="proc" ino=4026532010 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829242.931:846): avc:  denied  { read } for  pid=23365 comm="platform-python" name="qemu" dev="vda3" ino=33652804 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829242.931:847): avc:  denied  { open } for  pid=23365 comm="platform-python" path="/etc/libvirt/qemu" dev="vda3" ino=33652804 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829252.942:873): avc:  denied  { execute } for  pid=24230 comm="platform-python" name="systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829252.942:874): avc:  denied  { read open } for  pid=24230 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829252.942:875): avc:  denied  { execute_no_trans } for  pid=24230 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829252.985:876): avc:  denied  { map } for  pid=24230 comm="systemd-notify" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829252.992:877): avc:  denied  { create } for  pid=24230 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829252.992:878): avc:  denied  { getopt } for  pid=24230 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829252.992:879): avc:  denied  { setopt } for  pid=24230 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829252.992:880): avc:  denied  { sendto } for  pid=24230 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829267.638:881): avc:  denied  { search } for  pid=24262 comm="multipath" name="fs" dev="proc" ino=12392 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829267.638:882): avc:  denied  { read } for  pid=24262 comm="multipath" name="nr_open" dev="proc" ino=12393 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.638:883): avc:  denied  { open } for  pid=24262 comm="multipath" path="/proc/sys/fs/nr_open" dev="proc" ino=12393 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.638:884): avc:  denied  { getattr } for  pid=24262 comm="multipath" path="/proc/sys/fs/nr_open" dev="proc" ino=12393 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.640:885): avc:  denied  { sys_resource } for  pid=24262 comm="multipath" capability=24  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=1
audit: type=1400 audit(1646829267.640:886): avc:  denied  { setrlimit } for  pid=24262 comm="multipath" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
audit: type=1400 audit(1646829267.642:887): avc:  denied  { read } for  pid=24262 comm="multipath" name="b252:2" dev="tmpfs" ino=23743 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.642:888): avc:  denied  { open } for  pid=24262 comm="multipath" path="/run/udev/data/b252:2" dev="tmpfs" ino=23743 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.642:889): avc:  denied  { getattr } for  pid=24262 comm="multipath" path="/run/udev/data/b252:2" dev="tmpfs" ino=23743 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829267.712:890): avc:  denied  { read write } for  pid=24262 comm="multipath" name="control" dev="devtmpfs" ino=12938 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829274.441:1085): avc:  denied  { getattr } for  pid=24389 comm="find" path="/etc/pki/fwupd" dev="vda3" ino=17694239 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829274.442:1086): avc:  denied  { read } for  pid=24389 comm="find" name="fwupd" dev="vda3" ino=17694239 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829274.442:1087): avc:  denied  { open } for  pid=24389 comm="find" path="/etc/pki/fwupd" dev="vda3" ino=17694239 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829274.526:1088): avc:  denied  { search } for  pid=24433 comm="openssl" name="fwupd" dev="vda3" ino=17694239 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829274.526:1089): avc:  denied  { read } for  pid=24433 comm="openssl" name="GPG-KEY-Linux-Foundation-Firmware" dev="vda3" ino=17694240 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829274.526:1090): avc:  denied  { open } for  pid=24433 comm="openssl" path="/etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware" dev="vda3" ino=17694240 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829274.526:1091): avc:  denied  { getattr } for  pid=24433 comm="openssl" path="/etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware" dev="vda3" ino=17694240 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:fwupd_cert_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829275.053:1092): avc:  denied  { execute } for  pid=23365 comm="platform-python" name="chronyc" dev="vda3" ino=184456 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829275.133:1093): avc:  denied  { execute_no_trans } for  pid=24450 comm="timeout" path="/usr/bin/chronyc" dev="vda3" ino=184456 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829275.158:1094): avc:  denied  { map } for  pid=24450 comm="chronyc" path="/usr/bin/chronyc" dev="vda3" ino=184456 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829279.744:1133): avc:  denied  { read } for  pid=24510 comm="gluster" name="random" dev="devtmpfs" ino=9366 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1646829279.744:1134): avc:  denied  { write } for  pid=24510 comm="gluster" name="dev-log" dev="tmpfs" ino=12765 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829279.744:1135): avc:  denied  { sendto } for  pid=24510 comm="gluster" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829279.744:1136): avc:  denied  { create } for  pid=24510 comm="gluster" name="cli.log" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829279.744:1137): avc:  denied  { open } for  pid=24510 comm="gluster" path="/var/log/glusterfs/cli.log" dev="vda3" ino=42741227 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829281.231:1138): avc:  denied  { read } for  pid=24543 comm="pgrep" name="stat" dev="proc" ino=12424 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829281.231:1139): avc:  denied  { open } for  pid=24543 comm="pgrep" path="/proc/2/stat" dev="proc" ino=12424 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829281.262:1140): avc:  denied  { read } for  pid=24543 comm="pgrep" name="stat" dev="proc" ino=24255 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:stratisd_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829285.469:1299): avc:  denied  { open } for  pid=24615 comm="yum" path="/var/log/dnf.log" dev="vda3" ino=9055261 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829285.526:1300): avc:  denied  { search } for  pid=24615 comm="yum" name="dnf" dev="vda3" ino=16810918 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829285.526:1301): avc:  denied  { open } for  pid=24615 comm="yum" path="/var/cache/dnf/expired_repos.json" dev="vda3" ino=16810919 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829285.543:1302): avc:  denied  { getattr } for  pid=24615 comm="yum" path="/var/cache/dnf" dev="vda3" ino=16810918 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829285.543:1303): avc:  denied  { open } for  pid=24615 comm="yum" path="/var/log/hawkey.log" dev="vda3" ino=9055269 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829285.558:1304): avc:  denied  { write } for  pid=24615 comm="yum" name="dnf" dev="vda3" ino=16810918 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829285.558:1305): avc:  denied  { add_name } for  pid=24615 comm="yum" name="metadata_lock.pid" scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829285.558:1306): avc:  denied  { create } for  pid=24615 comm="yum" name="metadata_lock.pid" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829285.558:1307): avc:  denied  { open } for  pid=24615 comm="yum" path="/var/cache/dnf/metadata_lock.pid" dev="vda3" ino=16811806 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829286.746:1308): avc:  denied  { remove_name } for  pid=24615 comm="yum" name="metadata_lock.pid" dev="vda3" ino=16811806 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829291.944:1313): avc:  denied  { ioctl } for  pid=24640 comm="cp" path="/sys/devices/pci0000:00/0000:00:01.1/ata1/host1/target1:0:1/1:0:1:0/block/sr0/queue/scheduler" dev="sysfs" ino=17184 ioctlcmd=0x660b scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.453:1314): avc:  denied  { getattr } for  pid=24643 comm="yum" path="/usr/bin/dnf-3" dev="vda3" ino=141722 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.953:1315): avc:  denied  { search } for  pid=24643 comm="yum" name="rhsm" dev="vda3" ino=25293396 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829295.958:1316): avc:  denied  { write } for  pid=24643 comm="yum" name="rhsm" dev="tmpfs" ino=24021 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829295.958:1317): avc:  denied  { add_name } for  pid=24643 comm="yum" name="cert.pid" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829295.958:1318): avc:  denied  { create } for  pid=24643 comm="yum" name="cert.pid" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.958:1319): avc:  denied  { write open } for  pid=24643 comm="yum" path="/run/rhsm/cert.pid" dev="tmpfs" ino=104632 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.958:1320): avc:  denied  { getattr } for  pid=24643 comm="yum" path="/run/rhsm/cert.pid" dev="tmpfs" ino=104632 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.958:1321): avc:  denied  { ioctl } for  pid=24643 comm="yum" path="/run/rhsm/cert.pid" dev="tmpfs" ino=104632 ioctlcmd=0x5401 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829295.958:1322): avc:  denied  { lock } for  pid=24643 comm="yum" path="/run/rhsm/cert.pid" dev="tmpfs" ino=104632 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829297.249:1347): avc:  denied  { remove_name } for  pid=24643 comm="yum" name="metadata_lock.pid" dev="vda3" ino=16811807 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829298.861:1348): avc:  denied  { execute } for  pid=24671 comm="sealert" name="rpm" dev="vda3" ino=50035 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829300.171:1349): avc:  denied  { read } for  pid=24671 comm="sealert" name="policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.171:1350): avc:  denied  { open } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.171:1351): avc:  denied  { getattr } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.193:1352): avc:  denied  { search } for  pid=24671 comm="sealert" name="policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.193:1353): avc:  denied  { read } for  pid=24671 comm="sealert" name="policy.31" dev="vda3" ino=676111 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829300.193:1354): avc:  denied  { open } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy/policy.31" dev="vda3" ino=676111 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829300.193:1355): avc:  denied  { getattr } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy/policy.31" dev="vda3" ino=676111 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829302.040:1356): avc:  denied  { read open } for  pid=24678 comm="sealert" path="/usr/bin/rpm" dev="vda3" ino=50035 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829302.450:1359): avc:  denied  { write } for  pid=24671 comm="sealert" name="system_bus_socket" dev="tmpfs" ino=24251 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829305.062:1362): avc:  denied  { write } for  pid=24671 comm="sealert" name="setroubleshoot_server" dev="tmpfs" ino=105086 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1646829305.062:1363): avc:  denied  { connectto } for  pid=24671 comm="sealert" path="/run/setroubleshoot/setroubleshoot_server" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1646829305.063:1364): avc:  denied  { write } for  pid=24671 comm="sealert" name="memfd:libffi" dev="tmpfs" ino=105096 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829305.063:1365): avc:  denied  { map } for  pid=24671 comm="sealert" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=105096 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829305.063:1366): avc:  denied  { read execute } for  pid=24671 comm="sealert" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=105096 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829305.258:1367): avc:  denied  { read } for  pid=24692 comm="sestatus" name="booleans" dev="selinuxfs" ino=22 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829313.241:1561): avc:  denied  { execute } for  pid=24880 comm="platform-python" name="systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829313.241:1562): avc:  denied  { read open } for  pid=24880 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829313.241:1563): avc:  denied  { execute_no_trans } for  pid=24880 comm="platform-python" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829313.249:1564): avc:  denied  { map } for  pid=24880 comm="systemd-notify" path="/usr/bin/systemd-notify" dev="vda3" ino=137936 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829313.324:1565): avc:  denied  { getopt } for  pid=24880 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829313.324:1566): avc:  denied  { setopt } for  pid=24880 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829313.324:1567): avc:  denied  { sendto } for  pid=24880 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829320.468:1568): avc:  denied  { write } for  pid=23365 comm="platform-python" name=".last-upload.results" dev="vda3" ino=32048 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:insights_client_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829320.479:1569): avc:  denied  { setattr } for  pid=23365 comm="platform-python" name=".last-upload.results" dev="vda3" ino=32048 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:insights_client_etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829321.876:1570): avc:  denied  { write } for  pid=25083 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=114455 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829321.876:1571): avc:  denied  { open } for  pid=25083 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=114455 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829321.876:1572): avc:  denied  { getattr } for  pid=25083 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=114455 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829321.876:1573): avc:  denied  { ioctl } for  pid=25083 comm="insights-client" path="/run/insights-client.pid" dev="tmpfs" ino=114455 ioctlcmd=0x5401 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829325.862:1574): avc:  denied  { unlink } for  pid=25083 comm="insights-client" name="insights-client.ppid" dev="vda3" ino=32046 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829325.862:1575): avc:  denied  { unlink } for  pid=25083 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=114455 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1

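A triage helper for denials like the ones in the log above, as an added example that is not part of this bug report or of the selinux-policy or insights-client projects: it parses each `avc: denied` line, decodes hex-encoded `path=` values (the kernel hex-encodes a field that contains spaces, which is why the `memfd:libffi (deleted)` entries appear as `path=2F6D65...`), aggregates the denials into audit2allow-style `allow` rules, and flags rules whose target is a generic type such as `var_run_t` or `tmpfs_t`, where the usual fix is a file-context rule for the object rather than an allow for the domain. The sample input is six lines copied from the log; the module name and the list of generic types are assumptions.

```python
"""Parse SELinux AVC denials and turn them into a local policy module draft."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: six AVC lines copied from the kernel log above.
SAMPLE_AVC = """\
audit: type=1400 audit(1646829300.171:1350): avc:  denied  { open } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.171:1351): avc:  denied  { getattr } for  pid=24671 comm="sealert" path="/etc/selinux/targeted/policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829300.193:1352): avc:  denied  { search } for  pid=24671 comm="sealert" name="policy" dev="vda3" ino=234 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1646829305.063:1366): avc:  denied  { read execute } for  pid=24671 comm="sealert" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=105096 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1646829313.324:1565): avc:  denied  { getopt } for  pid=24880 comm="systemd-notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=unix_dgram_socket permissive=1
audit: type=1400 audit(1646829313.324:1567): avc:  denied  { sendto } for  pid=24880 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
"""

# Assumed list: denials against these generic types usually mean the object is
# mislabelled and needs a file context rule, not that the domain needs an allow.
GENERIC_TARGET_TYPES = {"tmpfs_t", "var_run_t", "user_tmp_t", "tmp_t", "var_t", "etc_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=(?P<permissive>[01])\s*$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {"path", "name", "comm"}  # fields the kernel may hex-encode


def decode_audit_field(raw: str) -> str:
    """Unquote a field; an unquoted even-length hex string is the kernel's
    encoding of a value containing spaces, quotes or control bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


@dataclass
class Denial:
    perms: set
    fields: dict
    permissive: bool

    @property
    def stype(self) -> str:  # third field of user:role:type:level
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def path(self):
        return self.fields.get("path")


def parse_avc(text: str) -> list:
    """Return one Denial per 'avc: denied' line; granted/other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        fields = {}
        for key, raw in FIELD_RE.findall(m.group("fields")):
            fields[key] = decode_audit_field(raw) if key in HEX_FIELDS else raw.strip('"')
        denials.append(Denial(set(m.group("perms").split()), fields, m.group("permissive") == "1"))
    return denials


def summarize(denials: list) -> dict:
    """Merge denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d.stype, d.ttype, d.tclass)] |= d.perms
    return dict(rules)


def flag_generic_targets(rules: dict) -> set:
    """Rules that point at a generic type and should become a labelling fix instead."""
    return {key for key in rules if key[1] in GENERIC_TARGET_TYPES}


def to_te_module(rules: dict, name: str) -> str:
    """Render the rules as a minimal .te module (audit2allow-style draft)."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # same domain on both sides
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = summarize(parse_avc(SAMPLE_AVC))
    print(to_te_module(rules, "insights_client_local"))
    for key in sorted(flag_generic_targets(rules)):
        print("# review labelling instead of allowing:", key)
```

Treat the generated module as a map of what the domain is missing, not as the fix: the rule it produces for the `tmpfs_t` file (`read execute`, plus `map` and `write` in the full log) would grant `insights_client_t` executable anonymous memory, and the denials against `var_run_t` and `user_tmp_t` point at unlabelled pid files rather than at missing permissions. The resolution recorded later in this bug (comment 18) added interfaces to the upstream policy instead of shipping such a local module.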
Comment 15 Martin Pitt 2022-03-22 04:46:39 UTC
This affects RHEL 9.0 as well now, e.g. here:
https://logs.cockpit-project.org/logs/pull-3119-20220321-182531-9465bb9c-rhel-9-0-candlepin-subscription-manager/log.html#5

Should I already clone the bug, or do you want to do that after you have a fix?

Comment 16 Zdenek Pytela 2022-03-22 18:44:55 UTC
(In reply to Martin Pitt from comment #15)
> This affects RHEL 9.0 as well now, e.g. here:
> https://logs.cockpit-project.org/logs/pull-3119-20220321-182531-9465bb9c-
> rhel-9-0-candlepin-subscription-manager/log.html#5
> 
> Should I already clone the bug, or do you want to do that after you have a
> fix?

There already is one and the resolution will be shared.
https://bugzilla.redhat.com/show_bug.cgi?id=2062136

Comment 17 Zdenek Pytela 2022-05-19 10:08:16 UTC
I've submitted a Fedora PR to address the gpg issue:
https://github.com/fedora-selinux/selinux-policy/pull/1202
There still is an option to do a transition to gpg domain instead.

Also note separate bzs exist for other particular problems:
bz#2063195 /var/cache/insights
bz#2087069 unix_dgram_socket, /root/.local/insights.yaml

Comment 18 Zdenek Pytela 2022-05-19 10:53:03 UTC
commit 8a8304e2450ca0469ec11dba65fb5e861290d9b7 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:41 2022 +0200

    Allow insights-client manage gpg admin home content

commit 2fb3759dc63754b1a24530e092ec5a5750ac2983
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:14 2022 +0200

    Add the gpg_manage_admin_home_content() interface

Comment 29 errata-xmlrpc 2022-11-08 10:43:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

