Bug 2107363 - [RHEL9] insights-client raises SELinux issues
Summary: [RHEL9] insights-client raises SELinux issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-14 19:49 UTC by mabezerr
Modified: 2022-11-15 12:58 UTC (History)

Fixed In Version: selinux-policy-34.1.42-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: selinux-policy does not support insights-client executing additional services.
Consequence: Some services may fail when started from insights.
Fix: Support for services execution was added to selinux-policy.
Result: Services started from insights run successfully.
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:
mabezerr: needinfo-

Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1298 0 None open Make default file context match with named transitions 2022-07-28 14:24:27 UTC
Red Hat Bugzilla 2104913 0 high CLOSED insights-client raises SELinux issues 2022-11-08 12:44:31 UTC
Red Hat Issue Tracker RHELPLAN-127792 0 None None None 2022-07-14 19:51:25 UTC
Red Hat Product Errata RHBA-2022:8283 0 None None None 2022-11-15 11:14:02 UTC

Internal Links: 2104913

Description mabezerr 2022-07-14 19:49:13 UTC
>>> Description of problem:
Insights-client is not auto-registering due to AVC denials (cloud providers: Azure and AWS)

>>> Version-Release number of selected component (if applicable):
# rpm -qa |grep selinux
libselinux-3.3-2.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-12.el9_0.x86_64
selinux-policy-34.1.37-1.el9.noarch
selinux-policy-targeted-34.1.37-1.el9.noarch

# insights-client --version
Client: 3.1.7
Core: 3.0.279-1


>>> How reproducible:
Steps to Reproduce:
1. Update Selinux rpm to the most recent;
2. Instantiate a new VM from cloud provider (Azure or AWS)
3.

>>> Actual results:
insights-client is not auto-registering for Azure and AWS, but registers fine when using GCP.
> GCP
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client auto-registered properly [OK]
rhc auto-registered properly [OK]

> Azure
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client didn't auto-register [Failing]
rhc auto-registered properly [OK]

> AWS
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client didn't auto-register [Failing]
rhc auto-registered properly [OK]

# ausearch -m AVC -ts today
----
time->Wed Jul 13 14:43:47 2022
type=PROCTITLE msg=audit(1657737827.014:122): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F6574632F696E7369676874732D636C69656E742F72706D2E6567672E617363002F6574632F696E7369676874732D636C69656E742F72
type=SYSCALL msg=audit(1657737827.014:122): arch=c000003e syscall=83 success=no exit=-13 a0=5571c05faf80 a1=1c0 a2=0 a3=0 items=0 ppid=1669 pid=1671 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657737827.014:122): avc:  denied  { write } for  pid=1671 comm="gpg" name="root" dev="sda3" ino=3113830 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Wed Jul 13 16:12:09 2022
type=PROCTITLE msg=audit(1657743129.934:82): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C69622F707974686F6E332E362F736974652D7061636B616765732F696E7369676874735F636C69656E742F72756E2E7079002D2D7265676973746572
type=SYSCALL msg=audit(1657743129.934:82): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f3ff909b470 a2=80241 a3=1b6 items=0 ppid=1234 pid=1352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(1657743129.934:82): avc:  denied  { create } for  pid=1352 comm="platform-python" name=".insights-core-gpg-sig.etag" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0


> systemctl status insights-register.service
● insights-register.service - Automatically Register with Red Hat Insights
   Loaded: loaded (/usr/lib/systemd/system/insights-register.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2022-07-13 16:12:10 EDT; 22min ago
     Docs: man:insights-client(8)
  Process: 1393 ExecStopPost=/bin/systemctl mask --now insights-register.path (code=exited, status=0/SUCCESS)
 Main PID: 1234 (code=exited, status=1/FAILURE)

Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 166, in fetch
Jul 13 16:12:09 rhel8 insights-client[1352]:     force)
Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 72, in _init_connection
Jul 13 16:12:09 rhel8 insights-client[1352]:     return func(self, *args, **kwargs)
Jul 13 16:12:09 rhel8 insights-client[1352]:   File "/etc/insights-client/rpm.egg/insights/client/__init__.py", line 231, in _fetch
Jul 13 16:12:09 rhel8 insights-client[1352]:     with open(etag_file, 'w') as handle:
Jul 13 16:12:09 rhel8 insights-client[1352]: PermissionError: [Errno 13] Permission denied: '/etc/insights-client/.insights-core-gpg-sig.etag'
Jul 13 16:12:10 rhel8 systemd[1]: insights-register.service: Main process exited, code=exited, status=1/FAILURE
Jul 13 16:12:10 rhel8 systemctl[1393]: Created symlink /etc/systemd/system/insights-register.path → /dev/null.
Jul 13 16:12:10 rhel8 systemd[1]: insights-register.service: Failed with result 'exit-code'.


>>> Expected results:
insights-client should be able to auto-register without AVC denials.


>>> Additional info:
It is working as expected when we are using GCP provider.
> GCP
RHEL8 and RHEL9:
subscription-manager was auto-registered [OK]
insights-client auto-registered properly [OK]
rhc auto-registered properly [OK]

> Link for Selinux.rpm for RHEL9:
https://download-node-02.eng.bos.redhat.com/rhel-9/nightly/RHEL-9/RHEL-9.1.0-20220630.0/compose/BaseOS/x86_64/os/Packages/
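Added here as an example (not part of the bug report or of the selinux-policy project): a small Python triage helper that parses the two ausearch records quoted in the report, decodes the hex-encoded PROCTITLE back into the denied process's command line, and reports which source domain was denied which permission on which target type, so each AVC can be matched to the policy fix or relabel it needs. The sample records are copied from the report; no other input is assumed.

```python
import re

# Constructed sample: the two ausearch records quoted in this bug report.
SAMPLE = """\
----
time->Wed Jul 13 14:43:47 2022
type=PROCTITLE msg=audit(1657737827.014:122): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F6574632F696E7369676874732D636C69656E742F72706D2E6567672E617363002F6574632F696E7369676874732D636C69656E742F72
type=AVC msg=audit(1657737827.014:122): avc:  denied  { write } for  pid=1671 comm="gpg" name="root" dev="sda3" ino=3113830 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Wed Jul 13 16:12:09 2022
type=PROCTITLE msg=audit(1657743129.934:82): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C69622F707974686F6E332E362F736974652D7061636B616765732F696E7369676874735F636C69656E742F72756E2E7079002D2D7265676973746572
type=AVC msg=audit(1657743129.934:82): avc:  denied  { create } for  pid=1352 comm="platform-python" name=".insights-core-gpg-sig.etag" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def decode_proctitle(hexstr):
    """proctitle= is argv hex-encoded with NUL separators; the kernel truncates it
    at 128 bytes, so guard against a dangling nibble before decoding."""
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def fields(body):
    """Turn 'key=value key="quoted value"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def parse_denials(text):
    """Group records by audit serial; return one entry per AVC denial with decoded argv."""
    by_serial = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            by_serial.setdefault(m["serial"], {})[m["type"]] = m["body"]
    denials = []
    for serial, recs in by_serial.items():
        if "AVC" not in recs:
            continue
        f = fields(recs["AVC"])
        argv = decode_proctitle(fields(recs["PROCTITLE"])["proctitle"]) if "PROCTITLE" in recs else []
        denials.append({"serial": serial, "comm": f["comm"], "name": f.get("name"), "tclass": f["tclass"],
                        "perms": re.search(r"\{\s*(.*?)\s*\}", recs["AVC"]).group(1).split(), "argv": argv,
                        "source_type": f["scontext"].split(":")[2], "target_type": f["tcontext"].split(":")[2]})
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(f'{d["comm"]} in {d["source_type"]} denied {",".join(d["perms"])} on {d["tclass"]} {d["name"]!r} of type {d["target_type"]}; argv: {" ".join(d["argv"])}')
```

The first record shows gpg (run by insights-client) needing write access to a directory labelled admin_home_t, the second shows the client unable to create the etag file in /etc/insights-client; the decoded argv makes it clear which step of the registration each denial interrupts.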

Comment 1 Zdenek Pytela 2022-07-15 16:39:02 UTC
I see two issues there:

1. insights-client cannot create /root/.gnupg
- fixed in selinux-policy-34.1.33 and will be in selinux-policy-34.1.29-1.el9_0.1 (z-stream)
447ff42dc (tag: v34.1.33) Allow insights-client manage gpg admin home content

2. missing file transition for .insights-core-gpg-sig.etag
needs to be double-checked, pair .fc file with named transition in .te
workaround: run
  # restorecon -Rv /etc/insights-client

Comment 2 mabezerr 2022-07-18 12:14:16 UTC
Thanks for your comments, @zpytela!
I will check with selinux-policy-34.1.33 version and let you know about the result.
Also, I will check again the .insights-core-gpg-sig.etag case.

I will be back with updates in a few hours.

Comment 41 errata-xmlrpc 2022-11-15 11:13:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283
