Bug 2119507 - insights-client fails to execute additional services
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-09-06
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Jan Fiala
URL:
Whiteboard:
Duplicates: 2131733
Depends On: 2087069 2103606
Blocks: 2121125 2123445
 
Reported: 2022-08-18 17:04 UTC by Zdenek Pytela
Modified: 2023-09-18 04:45 UTC
CC List: 34 users

Fixed In Version: selinux-policy-3.14.3-108.el8
Doc Type: Bug Fix
Doc Text:
.`insights-client` no longer fails to execute additional services Previously, SELinux policy did not support `insights-client` executing additional services. As a consequence, some services failed when started from Insights. With this update, SELinux policy supports executing additional services. As a result, services started from Insights run successfully.
Clone Of: 2103606
Clones: 2121125 2123445
Environment:
Last Closed: 2022-11-08 10:45:06 UTC
Type: ---
Target Upstream Version:
Embargoed:


Attachments
AVC events for insights_client_t (8.97 KB, application/x-xz), added 2022-08-24 16:51 UTC by Sam Morris


Links
- GitHub fedora-selinux/selinux-policy pull #1345 (Merged): Update rhcd policy for executing additional commands. Last updated 2022-08-24 16:33:54 UTC
- Red Hat Issue Tracker RHELPLAN-131471. Last updated 2022-08-18 17:08:03 UTC
- Red Hat Product Errata RHBA-2022:7691. Last updated 2022-11-08 10:45:27 UTC

Comment 7 Sam Morris 2022-08-24 16:51:37 UTC
Created attachment 1907432
AVC events for insights_client_t

I'm seeing the attached AVC denials with selinux-policy-3.14.3-95.el8_6.4.noarch

Comment 8 Zdenek Pytela 2022-08-24 17:12:11 UTC
Thank you for the ausearch command output. I see these groups of issues:
- get attributes of various processes and their open files
- lock files usage
- additional permissions to read files or use sockets
- write to config_home_t
- setrlimit permissions
- communication with containers
- grafana.process

The first three should be addressed by this bz.
For the other three we need to know the configuration changes that trigger these denials, and/or audit logs with full auditing enabled. In particular, based on experience, setrlimit often appears on a system under high load, but some data are needed to actually assess it.
The last one is a domain not provided by the Red Hat selinux-policy.

Comment 9 Sam Morris 2022-08-24 17:40:40 UTC
Thanks for taking a look at the log. I can re-run insights-client and provide the full audit.log, insights-client.log and the contents of /etc/insights-client if that's helpful. But I haven't customized insights-client at all, so all these denials are, I presume, from insights-client trying to do whatever it does by default. :)

> write to config_home_t

Per the proctitle lines, these are from insights-client running "fwupdagent get-devices" and "fwupdagent security --force" - I guess they try to write to somewhere under /root/.config.

> setrlimit permissions

These are from insights-client running podman ps, podman images, etc. I take the point about the system being under load, I recall a KCS about similar messages being generated when the system is short of memory(?)

> communication with containers

Is this insights-client running lsof on processes running inside containers?

> grafana.process

This domain is generated by udica (I can provide the .cil file you want). I think if insights_client is expected to be able to run, it looks like lsof?, on processes inside containers started with podman [which use the default container_t domain], then it should be able to do the same on processes inside containers that use udica-generated domains, which inherit from the default container/net_container blocks? OTOH I'm fine ignoring this one--but I expect you'll see other similar reports from people running insights-client on machines where they use udica-generated policies for their containers.

Maybe what insights-client is doing to the container_t & grafana.process processes is covered already by "get attributes of various processes and their open files"? In which case, ignoring the setrlimit permissions, the only oversight in selinux policy is allowing insights-client to correctly run fwupdagent.

Comment 28 Zdenek Pytela 2022-09-01 08:21:12 UTC
(In reply to Milos Malik from comment #24)
> The following SELinux denials appeared on a clean ppc64le machine
> (RHEL-8.7.0-20220831.0 compose):
> ----
> type=PROCTITLE msg=audit(08/31/2022 15:45:57.579:484) :
> proctitle=/usr/bin/lscpu 
> type=PATH msg=audit(08/31/2022 15:45:57.579:484) : item=1
> name=/var/lock/LCK..librtas inode=14295 dev=00:18 mode=file,600 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:rtas_errd_var_lock_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
> type=PATH msg=audit(08/31/2022 15:45:57.579:484) : item=0 name=/var/lock/
> inode=1078 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=none cap_fi=none
> cap_fe=0 cap_fver=0 cap_frootid=0 
> type=CWD msg=audit(08/31/2022 15:45:57.579:484) : cwd=/ 
> type=SYSCALL msg=audit(08/31/2022 15:45:57.579:484) : arch=ppc64le
> syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD
> a1=0x7fffa6977728 a2=O_RDWR|O_CREAT a3=0x180 items=2 ppid=32998 pid=32999
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=lscpu exe=/usr/bin/lscpu
> subj=system_u:system_r:insights_client_t:s0 key=(null) 
> type=AVC msg=audit(08/31/2022 15:45:57.579:484) : avc:  denied  { write }
> for  pid=32999 comm=lscpu name=LCK..librtas dev="tmpfs" ino=14295
> scontext=system_u:system_r:insights_client_t:s0
> tcontext=system_u:object_r:rtas_errd_var_lock_t:s0 tclass=file permissive=0 
> ----
> type=PROCTITLE msg=audit(08/31/2022 15:51:43.266:599) :
> proctitle=/usr/bin/lscpu 
> type=PATH msg=audit(08/31/2022 15:51:43.266:599) : item=0 name=/dev/mem
> inode=3074 dev=00:06 mode=character,640 ouid=root ogid=kmem rdev=01:01
> obj=system_u:object_r:memory_device_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
> type=CWD msg=audit(08/31/2022 15:51:43.266:599) : cwd=/ 
> type=SYSCALL msg=audit(08/31/2022 15:51:43.266:599) : arch=ppc64le
> syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD
> a1=0x7fffa5c87660 a2=O_RDWR a3=0x0 items=1 ppid=34670 pid=34671 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=lscpu exe=/usr/bin/lscpu
> subj=system_u:system_r:insights_client_t:s0 key=(null) 
> type=AVC msg=audit(08/31/2022 15:51:43.266:599) : avc:  denied  { read write
> } for  pid=34671 comm=lscpu name=mem dev="devtmpfs" ino=3074
> scontext=system_u:system_r:insights_client_t:s0
> tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0 
> ----

Karle,

lscpu requests read/write access to /dev/mem and write access to /run/lock/LCK..librtas. It seems to trigger only on ppc64le.

Is this expected? Is it required for lscpu to work properly, or can we dontaudit (silence) the reported AVC denials?

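The triage Zdenek does in comment 8 (sorting denials into groups) and the allow-versus-dontaudit question he raises in comment 28 are mechanical enough to script. The following is an added example for this page, not code from selinux-policy, insights-client or audit2allow: it parses AVC records, groups them by (source type, target type, object class) with the requested permissions merged, and renders the TE rule each group would need. The sample input is constructed: the SYSCALL line and the first two AVC lines are the records quoted in comment 24, the third AVC line is made up so that two records fall into one group. The SENSITIVE_TARGETS set is this example's own heuristic, not a rule from any policy source; the point it encodes is that read/write on memory_device_t is raw /dev/mem access, which a data-collection client should not be granted just because lscpu asked for it, so that group gets a dontaudit (silence the log noise, grant nothing) while the lock-file group gets an allow.

```python
"""Triage SELinux AVC denials the way a policy maintainer does: group them by
(source type, target type, object class), merge the requested permissions, and
render the allow or dontaudit rule each group would need.

Added example for this bug page; not code from selinux-policy, insights-client
or audit2allow.  Runs offline on a constructed, ausearch-style sample."""
import re
from collections import defaultdict

# One AVC record, in raw audit.log form (comm="lscpu") or `ausearch -i` form
# (comm=lscpu, as quoted in comment 24).  Records without a denial do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r'.*?\bcomm="?(?P<comm>[^\s"]+)"?'
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample input.  The SYSCALL line and the first two AVC lines are
# the records quoted in comment 24; the last AVC line is made up here so that
# two records land in the same group and their permissions merge.
SAMPLE_AVCS = """\
type=SYSCALL msg=audit(08/31/2022 15:45:57.579:484) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) comm=lscpu exe=/usr/bin/lscpu subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 15:45:57.579:484) : avc:  denied  { write } for  pid=32999 comm=lscpu name=LCK..librtas dev="tmpfs" ino=14295 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rtas_errd_var_lock_t:s0 tclass=file permissive=0
type=AVC msg=audit(08/31/2022 15:51:43.266:599) : avc:  denied  { read write } for  pid=34671 comm=lscpu name=mem dev="devtmpfs" ino=3074 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(08/31/2022 15:45:57.580:485) : avc:  denied  { create } for  pid=32999 comm=lscpu name=LCK..librtas scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rtas_errd_var_lock_t:s0 tclass=file permissive=0
"""


def selinux_type(context):
    """user:role:type[:range] -> type.  The type is always the third field,
    whatever the MLS/MCS range after it looks like."""
    return context.split(":")[2]


def group_denials(text):
    """Return {(stype, ttype, tclass): {"perms": set, "comms": set, "count": int}}."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, PROCTITLE, ... records carry no denial
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return dict(groups)


def render_rule(key, group, kind="allow"):
    """Render one TE rule in the form audit2allow prints, e.g.
    'allow insights_client_t rtas_errd_var_lock_t:file { create write };'."""
    stype, ttype, tclass = key
    perms = sorted(group["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {stype} {ttype}:{tclass} {perm_str};"


# Illustrative heuristic, this example's own and not drawn from any policy
# source: target types a data-collection client should not be granted just
# because a helper tool asked.  Denials on them are dontaudit candidates
# (silence the noise, grant nothing); everything else is an allow candidate.
SENSITIVE_TARGETS = {"memory_device_t", "shadow_t"}


def recommend(key, group):
    """'dontaudit' for groups that touch a sensitive target type, else 'allow'."""
    return "dontaudit" if key[1] in SENSITIVE_TARGETS else "allow"


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AVCS)
    for key in sorted(groups):
        g = groups[key]
        print(f"# {g['count']} denial(s) from: {', '.join(sorted(g['comms']))}")
        print(render_rule(key, g, recommend(key, g)))
```

On a live system, feed it the output of `ausearch -m AVC -ts recent` instead of SAMPLE_AVCS and compare against `audit2allow -a`, which produces the same rule shape but will happily propose `allow` for every group. A dontaudit rule does not make lscpu work (it still gets EACCES); it only stops the denial from being logged, which is the right outcome when the access is not something the domain should have.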
Comment 48 Zdenek Pytela 2022-10-03 15:44:27 UTC
*** Bug 2131733 has been marked as a duplicate of this bug. ***

Comment 50 errata-xmlrpc 2022-11-08 10:45:06 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

Comment 51 Red Hat Bugzilla 2023-09-18 04:45:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

