Bug 2062136 - insights-client-results.service gets selinux denials and permission denied
Summary: insights-client-results.service gets selinux denials and permission denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2022191 2063195 2070323 2070584 2070588 2070595 2109244
Reported: 2022-03-09 08:58 UTC by Marius Vollmer
Modified: 2022-11-15 12:57 UTC
CC List: 8 users

Fixed In Version: selinux-policy-34.1.34-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2063195
Environment:
Last Closed: 2022-11-15 11:13:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
  Github fedora-selinux selinux-policy pull 1197 (Merged): Label /var/cache/insights with insights_client_cache_t; last updated 2022-07-07 16:48:37 UTC
  Red Hat Bugzilla 2060834 (private, priority high, CLOSED): "systemctl start insights-client" broken; last updated 2023-05-30 07:10:57 UTC
  Red Hat Issue Tracker RHELPLAN-114918; last updated 2022-03-09 09:03:22 UTC
  Red Hat Product Errata RHBA-2022:8283; last updated 2022-11-15 11:13:42 UTC

Description Marius Vollmer 2022-03-09 08:58:41 UTC
Description of problem:

Our integration tests for Cockpit have started showing SELinux denials related to insights-client-results.service.

Using insights-client on the command line for the necessary things like "insights-client --register" and "insights-client --unregister" works fine.

The integration tests have this /etc/insights-client/insights-client.conf:

    [insights-client]
    auto_config=False
    auto_update=False
    base_url=rhel-9-0-127-0-0-2-2201:8443/r/insights
    cert_verify=/var/lib/insights/mock-certs/ca.crt
    username=admin
    password=foobar

"rhel-9-0-127-0-0-2-2201" is the hostname of localhost.

Version-Release number of selected component (if applicable):
selinux-policy-34.1.27-1.el9.noarch
insights-client-3.1.7-1.el9.noarch


How reproducible:
Always

Steps to Reproduce:
1. Configure insights-client as per description above
2. Run "insights-client --register" as root

Actual results:

This appears in the journal once:

Mar 09 03:42:51 rhel-9-0-127-0-0-2-2201 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 insights-client[21898]: [Errno 13] Permission denied: '/var/cache/insights'
Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 kernel: audit: type=1400 audit(1646815375.610:4): avc:  denied  { write } for  pid=21898 comm="platform-python" name="cache" dev="vda4" ino=25177643 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.

This appears over and over again with no audit message:

Mar 09 03:42:55 rhel-9-0-127-0-0-2-2201 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 insights-client[21919]: ('Connection aborted.', PermissionError(13, 'Permission denied'))
Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.

Eventually this appears:

Mar 09 03:43:51 rhel-9-0-127-0-0-2-2201 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 kernel: audit: type=1400 audit(1646815432.576:5): avc:  denied  { write } for  pid=22291 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=1437 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]: Traceback (most recent call last):
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:   File "/usr/bin/insights-client", line 11, in <module>
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:     _main()
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:   File "/usr/lib/python3.9/site-packages/insights_client/__init__.py", line 194, in _main
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:     client = InsightsClient(True, False)  # read config, but dont setup logging
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:   File "/var/lib/insights/last_stable.egg/insights/client/__init__.py", line 60, in __init__
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:   File "/var/lib/insights/last_stable.egg/insights/client/__init__.py", line 738, in _write_pid_files
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]:   File "/var/lib/insights/last_stable.egg/insights/client/utilities.py", line 129, in write_to_disk
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 insights-client[22291]: PermissionError: [Errno 13] Permission denied: '/var/run/insights-client.pid'
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
Mar 09 03:43:52 rhel-9-0-127-0-0-2-2201 systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.

Expected results:
No error messages from insights-client-results.service in the journal.

Comment 1 Marius Vollmer 2022-03-09 09:03:55 UTC
I believe our special insights-client.conf might be responsible for this:

    Mar 09 03:42:57 rhel-9-0-127-0-0-2-2201 insights-client[21919]: ('Connection aborted.', PermissionError(13, 'Permission denied'))

The rest look like they would happen with any configuration.

"setenforce 0" makes it all work.

"systemctl start insights-client" with "setenforce 0" produces an enormous amount of audit messages.

I think the insights-client.service is locked down way too much to do its work, but we don't really test that in our Cockpit integration tests, we only test "insights-client --register".

Comment 19 Zdenek Pytela 2022-05-19 09:25:00 UTC
Commit to backport:
commit dc53081a9d62404d6ce075321a54bb720a2dc69d (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed May 18 20:45:14 2022 +0200

    Label /var/cache/insights with insights_client_cache_t

Comment 20 Zdenek Pytela 2022-05-19 10:54:05 UTC
Two additional commits:
commit 8a8304e2450ca0469ec11dba65fb5e861290d9b7 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:41 2022 +0200

    Allow insights-client manage gpg admin home content

commit 2fb3759dc63754b1a24530e092ec5a5750ac2983
Author: Zdenek Pytela <zpytela>
Date:   Thu May 19 12:02:14 2022 +0200

    Add the gpg_manage_admin_home_content() interface

Comment 35 John 2022-07-28 03:19:10 UTC
I am also seeing these warnings on EL8:

type=AVC msg=audit(1658977094.28:30589): avc:  denied  { open } for  pid=1356008 comm="rhsmcertd-worke" path="/etc/insights-client/machine-id" dev="dm-0" ino=6295833 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:insights_client_etc_t:s0 tclass=file permissive=1


Like almost every other Red Hat product or service, this is a massive PITA.
This rhsmcertd, and the insights client and everything related to them, are utter garbage.

Do you people not understand that if selinux is spamming logs with nonsense warnings that should not occur, then warnings that SHOULD stand out instead get buried.

This mess is UNACCEPTABLE.

Clean it up.
Thank you.

Comment 36 Marius Vollmer 2022-09-06 10:13:35 UTC
With the newest update, we now see these messages:

# insights-client --version
Client: 3.1.7
Core: 3.0.292-1
# rpmquery selinux-policy-targeted
selinux-policy-targeted-34.1.42-1.el9.noarch

audit: type=1400 audit(1662419602.268:5): avc:  denied  { read } for  pid=22327 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419602.268:6): avc:  denied  { open } for  pid=22327 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419603.324:7): avc:  denied  { read } for  pid=22362 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419603.352:8): avc:  denied  { open } for  pid=22362 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419642.140:9): avc:  denied  { write } for  pid=22853 comm="virsh" name="virtqemud-sock-ro" dev="tmpfs" ino=1002 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1662419642.153:10): avc:  denied  { connectto } for  pid=22853 comm="virsh" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419658.331:13): avc:  denied  { write } for  pid=23097 comm="multipath" name="multipath" dev="vda4" ino=41972252 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419658.345:14): avc:  denied  { add_name } for  pid=23097 comm="multipath" name="bindings" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419658.345:15): avc:  denied  { create } for  pid=23097 comm="multipath" name="bindings" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_metadata_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419658.345:16): avc:  denied  { write } for  pid=23097 comm="multipath" name="bindings" dev="vda4" ino=42089166 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:lvm_metadata_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419658.378:17): avc:  denied  { setrlimit } for  pid=23097 comm="multipath" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
audit: type=1400 audit(1662419658.445:18): avc:  denied  { read write } for  pid=23097 comm="multipath" name="control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:19): avc:  denied  { open } for  pid=23097 comm="multipath" path="/dev/mapper/control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:20): avc:  denied  { ioctl } for  pid=23097 comm="multipath" path="/dev/mapper/control" dev="devtmpfs" ino=130 ioctlcmd=0xfd00 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1662419658.446:21): avc:  denied  { ipc_info } for  pid=23097 comm="multipath" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
audit: type=1400 audit(1662419673.609:22): avc:  denied  { connectto } for  pid=22470 comm="platform-python" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419705.020:23): avc:  denied  { map } for  pid=23244 comm="journalctl" path="/var/log/journal/227513444fff487885ec02c30b0bf18e/system.journal" dev="vda4" ino=1718552 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.164:24): avc:  denied  { setrlimit } for  pid=23336 comm="podman" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
audit: type=1400 audit(1662419708.262:25): avc:  denied  { write } for  pid=23336 comm="podman" name="bolt_state.db" dev="vda4" ino=1663668 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.273:26): avc:  denied  { map } for  pid=23336 comm="podman" path="/var/lib/containers/storage/libpod/bolt_state.db" dev="vda4" ino=1663668 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419708.273:27): avc:  denied  { mounton } for  pid=23336 comm="podman" path="/var/lib/containers/storage/overlay" dev="vda4" ino=26193460 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:28): avc:  denied  { write } for  pid=23336 comm="podman" name="overlay" dev="vda4" ino=26193460 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:29): avc:  denied  { mknod } for  pid=23336 comm="podman" capability=27  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=1
audit: type=1400 audit(1662419708.288:30): avc:  denied  { add_name } for  pid=23336 comm="podman" name="backingFsBlockDev.tmp" scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419708.288:31): avc:  denied  { create } for  pid=23336 comm="podman" name="backingFsBlockDev.tmp" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=blk_file permissive=1
audit: type=1400 audit(1662419708.288:32): avc:  denied  { remove_name } for  pid=23336 comm="podman" name="backingFsBlockDev.tmp" dev="vda4" ino=26553595 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1662419714.463:43): avc:  denied  { write } for  pid=23458 comm="sealert" name="setroubleshoot_server" dev="tmpfs" ino=1378 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1662419714.525:44): avc:  denied  { connectto } for  pid=23458 comm="sealert" path="/run/setroubleshoot/setroubleshoot_server" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1662419725.304:45): avc:  denied  { read } for  pid=23930 comm="gpg" name="last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1
audit: type=1400 audit(1662419725.371:46): avc:  denied  { open } for  pid=23930 comm="gpg" path="/var/lib/insights/last_stable.egg.asc" dev="vda4" ino=25176989 scontext=system_u:system_r:gpg_t:s0 tcontext=unconfined_u:object_r:insights_client_var_lib_t:s0 tclass=file permissive=1

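As an added triage example (not code from this bug report, from insights-client or from selinux-policy), the script below parses AVC records in the format quoted in the description and in comment 36, groups them by source type, target type and object class the way audit2allow does, and marks whether each denial was actually blocked (permissive=0) or only logged (permissive=1). It also flags denials against generic types such as var_t, which in this bug meant /var/cache/insights was mislabeled and needed a file-context fix rather than a broader allow rule; the GENERIC_TYPES list is an assumption chosen for this example.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (description and comment 36); the journal's
# "Mar 09 ... kernel: audit:" prefix may or may not be present, the regex ignores it.
SAMPLE_AVCS = [
    'type=1400 audit(1646815375.610:4): avc:  denied  { write } for  pid=21898 comm="platform-python" name="cache" dev="vda4" ino=25177643 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0',
    'type=1400 audit(1646815432.576:5): avc:  denied  { write } for  pid=22291 comm="insights-client" name="insights-client.pid" dev="tmpfs" ino=1437 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'audit: type=1400 audit(1662419658.445:18): avc:  denied  { read write } for  pid=23097 comm="multipath" name="control" dev="devtmpfs" ino=130 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1',
]

# Assumed list of generic types a confined domain should rarely touch directly. A denial
# against one of these usually means the object is mislabeled (here: /var/cache/insights
# carried var_t instead of insights_client_cache_t) and wants a file-context fix, not a rule.
GENERIC_TYPES = {'var_t', 'var_run_t', 'var_lib_t', 'var_log_t', 'etc_t', 'tmp_t', 'usr_t'}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the security-relevant fields of one AVC line, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    # A context is user:role:type[:level]; policy rules are keyed on the type component.
    return {'result': m.group(1), 'perms': set(m.group(2).split()), 'comm': f.get('comm'),
            'stype': f['scontext'].split(':')[2], 'ttype': f['tcontext'].split(':')[2],
            'tclass': f['tclass'], 'enforced': f.get('permissive') == '0'}

def summarize(lines):
    """Group denials by (source type, target type, class) as audit2allow would, and say
    whether each was really blocked (permissive=0) or only logged (permissive=1)."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'enforced': False})
    for line in lines:
        d = parse_avc(line)
        if d is None or d['result'] != 'denied':
            continue
        g = groups[(d['stype'], d['ttype'], d['tclass'])]
        g['perms'] |= d['perms']
        g['comms'].add(d['comm'])
        g['enforced'] |= d['enforced']
    out = []
    for (s, t, c), g in sorted(groups.items()):
        mode = 'blocked in enforcing mode' if g['enforced'] else 'permissive=1, logged only'
        hint = '; generic target type, check the label before adding a rule' if t in GENERIC_TYPES else ''
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                   f"  # comm={','.join(sorted(g['comms']))}; {mode}{hint}")
    return out

if __name__ == '__main__':
    print('\n'.join(summarize(SAMPLE_AVCS)))
```

The rule lines are a starting point for reading the denials, not something to load as-is: for the /var/cache/insights case the upstream fix was the label change, which makes the var_t rule unnecessary.
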
Comment 38 Milos Malik 2022-09-06 13:24:34 UTC
Here is a new BZ which will address the findings listed in comment #36:
 * https://bugzilla.redhat.com/show_bug.cgi?id=2124549

Comment 39 Milos Malik 2022-09-06 13:28:59 UTC
When you find any SELinux denials related to insights-client programs, please add them into BZ#2124549.

Thank you.

Comment 42 errata-xmlrpc 2022-11-15 11:13:14 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283