Bug 2121125 - insights-client fails to execute additional services
Summary: insights-client fails to execute additional services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 2087069 2103606 2119507 2126105 2127962
Blocks: 2123358
Reported: 2022-08-24 14:32 UTC by Zdenek Pytela
Modified: 2022-11-15 12:59 UTC (History)

Fixed In Version: selinux-policy-34.1.43-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: selinux-policy does not support insights-client executing additional services.
Consequence: Some services may fail when started from insights.
Fix: Support for services execution was added to selinux-policy.
Result: Services started from insights run successfully.
Clone Of: 2119507
Clones: 2123358
Environment:
Last Closed: 2022-11-15 11:14:11 UTC
Type: ---
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1357 0 None open Update insights-client policy for additional commands execution 2022-09-01 08:33:32 UTC
Red Hat Issue Tracker RHELPLAN-132217 0 None None None 2022-08-24 15:02:12 UTC
Red Hat Product Errata RHBA-2022:8283 0 None None None 2022-11-15 11:14:21 UTC

Comment 5 Zdenek Pytela 2022-08-25 07:23:56 UTC
Link,

In the previous build testing the following denials appeared:

type=PROCTITLE msg=audit(08/24/2022 15:57:09.452:107) : proctitle=/usr/bin/python3 /usr/libexec/rhc/rhc-worker-playbook.worker 
type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=3 name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/__init__.cpython-39.pyc inode=34037140 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=2 name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/__init__.cpython-39.pyc.140565727401136 inode=34037140 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=1 name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/ inode=33842944 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=0 name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/ inode=33842944 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/24/2022 15:57:09.452:107) : cwd=/ 
type=SYSCALL msg=audit(08/24/2022 15:57:09.452:107) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7fd8023fd680 a1=0x7fd80241f150 a2=0x0 a3=0x7fd802b0498f items=4 ppid=2741 pid=2765 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhc-worker-play exe=/usr/bin/python3.9 subj=system_u:system_r:rhcd_t:s0 key=(null) 
type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  { rename } for  pid=2765 comm=rhc-worker-play name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  { remove_name } for  pid=2765 comm=rhc-worker-play name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1


I cannot see it today. Is writing to /usr/lib expected behaviour and can it be avoided run-time?

Comment 8 Link Dupont 2022-08-25 17:59:41 UTC
(In reply to Zdenek Pytela from comment #5)
> Link,
> 
> In the previous build testing the following denials appeared:
> 
> type=PROCTITLE msg=audit(08/24/2022 15:57:09.452:107) :
> proctitle=/usr/bin/python3 /usr/libexec/rhc/rhc-worker-playbook.worker 
> type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=3
> name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/
> __init__.cpython-39.pyc inode=34037140 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=CREATE
> cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
> type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=2
> name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/
> __init__.cpython-39.pyc.140565727401136 inode=34037140 dev=fd:00
> mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0
> nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
> type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=1
> name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/
> inode=33842944 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none
> cap_fe=0 cap_fver=0 cap_frootid=0 
> type=PATH msg=audit(08/24/2022 15:57:09.452:107) : item=0
> name=/usr/lib/python3.9/site-packages/rhc_worker_playbook/__pycache__/
> inode=33842944 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none
> cap_fe=0 cap_fver=0 cap_frootid=0 
> type=CWD msg=audit(08/24/2022 15:57:09.452:107) : cwd=/ 
> type=SYSCALL msg=audit(08/24/2022 15:57:09.452:107) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7fd8023fd680 a1=0x7fd80241f150 a2=0x0
> a3=0x7fd802b0498f items=4 ppid=2741 pid=2765 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=rhc-worker-play exe=/usr/bin/python3.9
> subj=system_u:system_r:rhcd_t:s0 key=(null) 
> type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  { rename }
> for  pid=2765 comm=rhc-worker-play
> name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140
> scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0
> tclass=file permissive=1
> type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  {
> remove_name } for  pid=2765 comm=rhc-worker-play
> name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140
> scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0
> tclass=dir permissive=1
> 
> 
> I cannot see it today. Is writing to /usr/lib expected behaviour and can it
> be avoided run-time?

This looks like bad behavior from the python interpreter trying to create byte-compiled caches. I would say that it is not desired or expected behavior and it is a bug if the application attempts to write files to /usr/lib.

Comment 19 Peter Vreman 2022-09-01 09:58:16 UTC
After many, many hours (felt more like days) of trial-and-error and step-by-step adding of the additional rules, I have gathered the following list in my hybrid cloud environment:

~~~
allow insights_client_t self:process setrlimit;
allow insights_client_t self:capability net_bind_service;
allow insights_client_t insights_client_etc_t:file { create write setattr };
allow insights_client_t config_home_t:dir write;
allow insights_client_t automount_t:fifo_file getattr;
allow insights_client_t devlog_t:sock_file write;
allow insights_client_t file_context_t:file getattr;
allow insights_client_t krb5_keytab_t:file getattr;
allow insights_client_t named_t:fifo_file getattr;
allow insights_client_t node_t:udp_socket node_bind;
allow insights_client_t nrpe_t:fifo_file getattr;
allow insights_client_t pcp_pmcd_t:fifo_file getattr;
allow insights_client_t pcp_pmcd_t:unix_stream_socket connectto;
allow insights_client_t pcp_var_run_t:sock_file write;
allow insights_client_t postfix_master_t:fifo_file getattr;
allow insights_client_t postfix_pickup_t:fifo_file getattr;
allow insights_client_t postfix_qmgr_t:fifo_file getattr;
allow insights_client_t proc_kmsg_t:file getattr;
allow insights_client_t rngd_t:fifo_file getattr;
allow insights_client_t rpm_log_t:file create;
allow insights_client_t sssd_t:fifo_file getattr;
allow insights_client_t tuned_t:fifo_file getattr;
allow insights_client_t var_lock_t:dir { add_name create write };
allow insights_client_t var_lock_t:file { create write setattr };
allow insights_client_t var_log_t:file map;
allow insights_client_t self:vsock_socket { create bind connect };
allow insights_client_t vsock_device_t:chr_file { read open ioctl };
allow insights_client_t semanage_store_t:file { getattr open read };
allow insights_client_t security_t:file write;
allow insights_client_t security_t:security compute_av;
allow insights_client_t setroubleshootd_t:dbus send_msg;
allow insights_client_t setroubleshootd_t:unix_stream_socket connectto;
allow insights_client_t setroubleshoot_var_run_t:sock_file write;
allow insights_client_t system_cronjob_lock_t:file write;
allow insights_client_t system_cronjob_tmp_t:file { create write setattr unlink };
allow insights_client_t system_cronjob_tmp_t:dir { create write add_name remove_name rmdir };
allow setroubleshootd_t insights_client_t:dbus send_msg;
~~~

As you can see, things are getting pretty tricky, and additional rules were needed on empty systems, like the 'rpm_log_t:file create;' and 'var_lock_t:dir { add_name create write }', where the log/lock files/dirs did not exist yet when calling status commands like 'vdo status'.

The cronjob_tmp_t rules are related to /var/tmp/insights-client, which is created when insights-client commands like register are started from cron (e.g. puppet); the files/directories in /var/tmp, like /var/tmp/insights-client, are then created with the cronjob_tmp_t context.

Comment 20 Zdenek Pytela 2022-09-01 11:22:20 UTC
(In reply to Peter Vreman from comment #19)
> After many many hours (felt more like days) of trial-and-error and step by
> step adding the additional rules i have gathered the following list in my
> hybrid cloud environment:
...
> As you can see things are getting pretty tricky and additional rules were
> needed on empty systems like the 'rpm_log_t:file create;' and
> 'var_lock_t:dir { add_name create write }' where the log/lock files/dirs did
> not exists yet when calling status commands like 'vdo status'.
> 
> The cronjob_tmp_t are related to /var/tmp/insights-client that is created by
> insights-client commands like register are being started from the cron (e.g.
> puppet) and then the files/directories in /var/tmp like
> /var/tmp/insights-client are created with the cronjob_tmp_t context.

Thank you, Peter.

The majority of the denials will be addressed with the build which is now being worked on; for a few of the others, additional data are needed. Can you attach the audit log, or ausearch command output with as much information as possible?

Comment 23 Peter Vreman 2022-09-01 13:16:44 UTC
Thanks for the quick response.
The list of denials was collected in the last 10 days from audit2allow reports from many different servers on various hardware (e.g. vmware, aws, azure, uefi) and at various stages of the lifecycle (empty, years-only-upgraded).

The challenge here is that at least some basic allow-rules need to be there before collection can even start. To reproduce, I have to keep the basic set and then do reverse testing and remove the allow-rules you need more info on.
If you please provide more details on which denials you need more information, I will see if I can reproduce it on a hardware/lifecycle combination.

Comment 24 Zdenek Pytela 2022-09-01 14:23:59 UTC
These are probably resolved using transition:
allow insights_client_t self:process setrlimit;
allow insights_client_t self:capability net_bind_service;
allow insights_client_t insights_client_etc_t:file { create write setattr };
allow insights_client_t var_lock_t:dir { add_name create write };
allow insights_client_t var_lock_t:file { create write setattr };

This is probably mkdir /run/user/0/dconf which should be allowed now:
allow insights_client_t config_home_t:dir write;

These are yet unknown so any detail is appreciated:
allow insights_client_t rpm_log_t:file create;
allow insights_client_t system_cronjob_lock_t:file write;
allow insights_client_t system_cronjob_tmp_t:file { create write setattr unlink };
allow insights_client_t system_cronjob_tmp_t:dir { create write add_name remove_name rmdir };
allow insights_client_t vsock_device_t:chr_file { read open ioctl };

> As you can see things are getting pretty tricky and additional rules were needed on empty systems like the 'rpm_log_t:file create;' and 'var_lock_t:dir { add_name create write }' where the log/lock files/dirs did not exists yet when calling status commands like 'vdo status'.
Note in advance we may be hitting limits of support scope here.

> The cronjob_tmp_t are related to /var/tmp/insights-client that is created by insights-client commands like register are being started from the cron (e.g. puppet) and then the files/directories in /var/tmp like /var/tmp/insights-client are created with the cronjob_tmp_t context.
Frankly I don't quite understand the workflow here, order of execution and creating files, hopefully data will help.


Current state is that our testing scenarios work with the latest selinux-policy package without any additional rules needed and the following sequence:

subscription-manager register
insights-client --register
systemctl restart insights-client rhcd

does not produce any errors even after all tasks finish.

Thank you for your cooperation.

Comment 25 Peter Vreman 2022-09-01 15:08:19 UTC
I already opened a customer case for the cronjob regression because it is a setup that has already been working for 5 years, since day 1 of insights.

~~~
Reproducer (using offline instead of register):
1. rm -f /var/lib/insights
2. echo '* * * * * root /usr/bin/insights-client --offline' > /etc/cron.d/insights-cronjob
3. watch ls -lZd /var/lib/insights
4. # wait until finished and remove the cron to prevent another run
5. rm -f /etc/cron.d/insights-cronjob
6. systemctl start insights-client

Result:
Directory with cronjob_tmp permissions:
drwx------. 4 root root system_u:object_r:system_cronjob_tmp_t:s0 72 Aug 31 14:01 /var/tmp/insights-client

service call to insights-client failing:
Aug 31 14:03:07 li-lc-2623 setroubleshoot[396843]: SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file /var/tmp/insights-client/insights-archive-evwhe01h/insights-li-lc-2623.hag.hilti.com-20220831140305/insights_archive.txt.#012#012*****  Plugin restorecon (99.5 confidence) suggests   ************************#012#012If you want to fix the label. #012/var/tmp/insights-client/insights-archive-evwhe01h/insights-li-lc-2623.hag.hilti.com-20220831140305/insights_archive.txt default label should be insights_client_tmp_t.#012Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.#012Do#012# /sbin/restorecon -v /var/tmp/insights-client/insights-archive-evwhe01h/insights-li-lc-2623.hag.hilti.com-20220831140305/insights_archive.txt#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that platform-python3.6 should be allowed create access on the insights_archive.txt file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython#012# semodule -X 300 -i my-platformpython.pp#012


Expectation:
Working solution that also allows 'insights-client --register' to be run from e.g. cronjobs that also have special selinux contexts
~~~
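The reproducer above shows the two artifacts a defender needs to correlate: the setroubleshoot journal line (with its newlines escaped as `#012`) naming the label the policy expects, and the `ls -lZd` output showing the label the directory actually carries. The following is an added example for this thread, not code from the bug, from insights-client or from setroubleshoot: it decodes the syslog escapes, extracts the expected label and the best-confidence plugin, compares it with the observed type and emits the `restorecon` fix. The regexes assume setroubleshoot's "SELinux is preventing ... from ... access on the ..." wording as quoted in comment 25; the sample inputs are constructed from that comment.

```python
import re

# Constructed from comment 25 of this bug: the journal line setroubleshoot
# logged (control characters arrive as #ooo octal escapes from the syslog
# transport; the catchall plugin text is cut short here) and the `ls -lZd`
# output for the directory that inherited the cron label.
SAMPLE_JOURNAL = (
    "Aug 31 14:03:07 li-lc-2623 setroubleshoot[396843]: SELinux is preventing "
    "/usr/libexec/platform-python3.6 from create access on the file "
    "/var/tmp/insights-client/insights-archive-evwhe01h/"
    "insights-li-lc-2623.hag.hilti.com-20220831140305/insights_archive.txt."
    "#012#012*****  Plugin restorecon (99.5 confidence) suggests   ************************"
    "#012#012If you want to fix the label. #012"
    "/var/tmp/insights-client/insights-archive-evwhe01h/"
    "insights-li-lc-2623.hag.hilti.com-20220831140305/insights_archive.txt "
    "default label should be insights_client_tmp_t.#012Then you can run restorecon."
    "#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************"
    "#012#012If you believe that platform-python3.6 should be allowed create access "
    "on the insights_archive.txt file by default.#012Then you should report this as a bug."
)
SAMPLE_LS = ("drwx------. 4 root root system_u:object_r:system_cronjob_tmp_t:s0 "
             "72 Aug 31 14:01 /var/tmp/insights-client")

ESCAPE_RE = re.compile(r"#([0-7]{3})")
HEADER_RE = re.compile(
    r"SELinux is preventing (?P<exe>\S+) from (?P<access>\w+) access "
    r"on the (?P<kind>\w+) (?P<path>\S+?)\.?\n")
LABEL_RE = re.compile(r"default label should be (?P<label>\w+)")
PLUGIN_RE = re.compile(r"Plugin (?P<plugin>\w+) \((?P<confidence>[\d.]+) confidence\)")


def unescape_syslog(text):
    """Turn rsyslog/journal #ooo octal escapes (e.g. #012 = newline) back into characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_setroubleshoot(line):
    """Pull the structured facts out of one setroubleshoot journal message."""
    msg = unescape_syslog(line)
    head = HEADER_RE.search(msg)
    if not head:
        raise ValueError("not a setroubleshoot 'SELinux is preventing' message")
    plugins = [(name, float(conf)) for name, conf in PLUGIN_RE.findall(msg)]
    label = LABEL_RE.search(msg)
    return {
        "exe": head["exe"], "access": head["access"],
        "kind": head["kind"], "path": head["path"],
        "expected_label": label["label"] if label else None,
        # setroubleshoot lists plugins by confidence; keep the strongest one
        "best_plugin": max(plugins, key=lambda pc: pc[1]) if plugins else None,
    }


def parse_ls_z(line):
    """Parse one `ls -lZd` line (assumes the path contains no spaces)."""
    fields = line.split()
    return {"path": fields[-1], "type": fields[4].split(":")[2]}


def check_label(ls_line, expected_type):
    """Compare the on-disk type with the one the policy expects."""
    entry = parse_ls_z(ls_line)
    mismatch = entry["type"] != expected_type
    return {
        "path": entry["path"], "observed": entry["type"], "expected": expected_type,
        "mismatch": mismatch,
        # restorecon relabels from the policy's file_contexts spec; the
        # restorecon plugin's high confidence is what tells us a spec exists.
        "fix": f"restorecon -Rv {entry['path']}" if mismatch else None,
    }


def triage(journal_line, ls_line):
    """Join the denial's expected label with what is actually on disk."""
    info = parse_setroubleshoot(journal_line)
    result = check_label(ls_line, info["expected_label"])
    result.update(access=info["access"], exe=info["exe"], best_plugin=info["best_plugin"])
    return result
```

Run `triage(SAMPLE_JOURNAL, SAMPLE_LS)` and the result names the directory, the observed `system_cronjob_tmp_t`, the expected `insights_client_tmp_t`, and the `restorecon -Rv /var/tmp/insights-client` command; the same check over a listing that already carries the expected type reports no mismatch and no fix, which is the state to verify after the relabel.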

Comment 26 Peter Vreman 2022-09-01 16:11:06 UTC
The 2 related to 'vsock' are from VMware VMs running vmtools:

~~~
$ sudo ausearch -i -m avc,user_avc -ts today
----
type=USER_AVC msg=audit(09/01/2022 15:24:28.789:126258) : pid=988 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(09/01/2022 15:25:39.059:126290) : proctitle=/usr/bin/vmware-toolbox-cmd stat raw text session
type=SYSCALL msg=audit(09/01/2022 15:25:39.059:126290) : arch=x86_64 syscall=socket success=yes exit=3 a0=vsock a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=2705058 pid=2705059 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vmware-toolbox- exe=/usr/bin/vmware-toolbox-cmd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/01/2022 15:25:39.059:126290) : avc:  denied  { create } for  pid=2705059 comm=vmware-toolbox- scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=vsock_socket permissive=1
----
type=PROCTITLE msg=audit(09/01/2022 15:25:39.059:126291) : proctitle=/usr/bin/vmware-toolbox-cmd stat raw text session
type=PATH msg=audit(09/01/2022 15:25:39.059:126291) : item=0 name=/dev/vsock inode=24369 dev=00:06 mode=character,600 ouid=root ogid=root rdev=0a:3c obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/01/2022 15:25:39.059:126291) : cwd=/
type=SYSCALL msg=audit(09/01/2022 15:25:39.059:126291) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7f31b3b1a3ef a2=O_RDONLY a3=0x0 items=1 ppid=2705058 pid=2705059 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vmware-toolbox- exe=/usr/bin/vmware-toolbox-cmd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/01/2022 15:25:39.059:126291) : avc:  denied  { open } for  pid=2705059 comm=vmware-toolbox- path=/dev/vsock dev="devtmpfs" ino=24369 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(09/01/2022 15:25:39.059:126291) : avc:  denied  { read } for  pid=2705059 comm=vmware-toolbox- name=vsock dev="devtmpfs" ino=24369 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(09/01/2022 15:25:39.059:126292) : proctitle=/usr/bin/vmware-toolbox-cmd stat raw text session
type=SYSCALL msg=audit(09/01/2022 15:25:39.059:126292) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x4 a1=0x7b9 a2=0x7ffe08e5bfac a3=0x0 items=0 ppid=2705058 pid=2705059 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vmware-toolbox- exe=/usr/bin/vmware-toolbox-cmd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/01/2022 15:25:39.059:126292) : avc:  denied  { ioctl } for  pid=2705059 comm=vmware-toolbox- path=/dev/vsock dev="devtmpfs" ino=24369 ioctlcmd=0x7b9 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(09/01/2022 15:25:39.059:126293) : proctitle=/usr/bin/vmware-toolbox-cmd stat raw text session
type=SOCKADDR msg=audit(09/01/2022 15:25:39.059:126293) : saddr={ saddr_fam=vsock (unsupported) }
type=SYSCALL msg=audit(09/01/2022 15:25:39.059:126293) : arch=x86_64 syscall=bind success=no exit=EADDRINUSE(Address already in use) a0=0x3 a1=0x7ffe08e5bfb0 a2=0x10 a3=0x0 items=0 ppid=2705058 pid=2705059 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vmware-toolbox- exe=/usr/bin/vmware-toolbox-cmd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/01/2022 15:25:39.059:126293) : avc:  denied  { bind } for  pid=2705059 comm=vmware-toolbox- scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=vsock_socket permissive=1
----
type=PROCTITLE msg=audit(09/01/2022 15:25:39.059:126294) : proctitle=/usr/bin/vmware-toolbox-cmd stat raw text session
type=SOCKADDR msg=audit(09/01/2022 15:25:39.059:126294) : saddr={ saddr_fam=vsock (unsupported) }
type=SYSCALL msg=audit(09/01/2022 15:25:39.059:126294) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffe08e5c040 a2=0x10 a3=0x0 items=0 ppid=2705058 pid=2705059 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vmware-toolbox- exe=/usr/bin/vmware-toolbox-cmd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/01/2022 15:25:39.059:126294) : avc:  denied  { connect } for  pid=2705059 comm=vmware-toolbox- scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=vsock_socket permissive=1
~~~

Comment 27 Zdenek Pytela 2022-09-01 20:20:05 UTC
Peter,

I believe I've managed to understand all problems reported by you and have fixes for that, with some exceptions:

It appears the order of actions plays a role and there is some randomness or unpredictability which is a bit tricky to simulate, so possibly on some systems the fixes will still not be sufficient. As an example, I was unable to reproduce creating /var/tmp/insights-client with an incorrect label from a cronjob.

Additionally, this one did not appear in any further scenarios:
allow insights_client_t system_cronjob_lock_t:file write;

Also note it is not a good idea to remove packaged files:
> rm -f /var/lib/insights

For a kind of "reset", I'd rather use
rm -rf /var/lib/insights/* /var/tmp/insights-client

Thank you again for your cooperation. I will keep you informed in this bz as well as in bz#2119351 and bz#2119507.

Comment 28 Peter Vreman 2022-09-02 06:53:56 UTC
Sorry, I see now my typo in the reproducer. I actually did only a 'rm -rf /var/tmp/insights-client', where the temp directory corresponded to the 'tmp_t' part.

If a dedicated temporary directory like '/var/tmp/insights-client' is really needed with a certain permission, an alternative might be to use a directory in /var/cache instead, e.g. /var/cache/insights-client, which can also be packaged with the correct permissions.

Comment 33 Peter Vreman 2022-09-06 07:05:32 UTC
On servers running httpd a few more rules are needed. The impact is heavy: on my simple httpd, an insights-client run triggered 900 avc reports.

~~~
allow insights_client_t httpd_modules_t:file map;
allow insights_client_t httpd_t:fifo_file getattr;
allow insights_client_t httpd_t:sem unix_read;
~~~

~~~
----
type=PROCTITLE msg=audit(09/06/2022 06:54:26.899:668969) : proctitle=/usr/sbin/httpd -M
type=MMAP msg=audit(09/06/2022 06:54:26.899:668969) : fd=5 flags=MAP_PRIVATE|MAP_DENYWRITE
type=SYSCALL msg=audit(09/06/2022 06:54:26.899:668969) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x202078 a2=PROT_READ|PROT_EXEC a3=MAP_PRIVATE|MAP_DENYWRITE items=0 ppid=3889427 pid=3889428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:54:26.899:668969) : avc:  denied  { map } for  pid=3889428 comm=httpd path=/usr/lib64/httpd/modules/mod_access_compat.so dev="dm-0" ino=46201731 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 06:54:27.143:668970) : proctitle=/usr/sbin/httpd -V
type=MMAP msg=audit(09/06/2022 06:54:27.143:668970) : fd=5 flags=MAP_PRIVATE|MAP_DENYWRITE
type=SYSCALL msg=audit(09/06/2022 06:54:27.143:668970) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x202078 a2=PROT_READ|PROT_EXEC a3=MAP_PRIVATE|MAP_DENYWRITE items=0 ppid=3889436 pid=3889437 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:54:27.143:668970) : avc:  denied  { map } for  pid=3889437 comm=httpd path=/usr/lib64/httpd/modules/mod_access_compat.so dev="dm-0" ino=46201731 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 06:55:13.456:668992) : proctitle=lsof -p 3555440
type=PATH msg=audit(09/06/2022 06:55:13.456:668992) : item=0 name=/proc/3555440/fd/19 inode=18925352 dev=00:0d mode=fifo,600 ouid=apache ogid=apache rdev=00:00 obj=system_u:system_r:httpd_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 06:55:13.456:668992) : cwd=/
type=SYSCALL msg=audit(09/06/2022 06:55:13.456:668992) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffe4bbc5d30 a1=0x7ffe4bbc6d40 a2=0x7ffe4bbc6d40 a3=0x7f258a172840 items=1 ppid=3891364 pid=3891366 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:55:13.456:668992) : avc:  denied  { getattr } for  pid=3891366 comm=lsof path=pipe:[18925352] dev="pipefs" ino=18925352 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 06:55:59.253:668993) : proctitle=/usr/bin/ipcs -s -i 4
type=IPC msg=audit(09/06/2022 06:55:59.253:668993) : ouid=apache ogid=apache mode=000,600 obj=system_u:system_r:httpd_t:s0
type=SYSCALL msg=audit(09/06/2022 06:55:59.253:668993) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x4 a1=0x0 a2=0xc a3=0x0 items=0 ppid=3892949 pid=3892953 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:55:59.253:668993) : avc:  denied  { unix_read } for  pid=3892953 comm=ipcs key=0  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
~~~

Comment 34 Peter Vreman 2022-09-06 07:06:52 UTC
On an NFS server (both nfsv3 and nfsv4):

~~~
allow insights_client_t rpcd_t:fifo_file getattr;
allow insights_client_t sysctl_rpc_t:file getattr;
~~~

~~~
----
type=PROCTITLE msg=audit(09/06/2022 06:57:11.191:140830) : proctitle=/usr/bin/lsof
type=PATH msg=audit(09/06/2022 06:57:11.191:140830) : item=0 name=/proc/1007/fd/5 inode=25749 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:rpcd_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 06:57:11.191:140830) : cwd=/
type=SYSCALL msg=audit(09/06/2022 06:57:11.191:140830) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55c9ad47e450 a1=0x7ffc91a2e180 a2=0x7ffc91a2e180 a3=0x0 items=1 ppid=3909560 pid=3909561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:57:11.191:140830) : avc:  denied  { getattr } for  pid=3909561 comm=lsof path=pipe:[25749] dev="pipefs" ino=25749 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=fifo_file permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 06:57:11.312:140833) : proctitle=/usr/bin/lsof
type=PATH msg=audit(09/06/2022 06:57:11.312:140833) : item=0 name=/proc/1193/fd/4 inode=4026532533 dev=00:05 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_rpc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 06:57:11.312:140833) : cwd=/
type=SYSCALL msg=audit(09/06/2022 06:57:11.312:140833) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55c9ad4dd560 a1=0x7ffc91a2e180 a2=0x7ffc91a2e180 a3=0x0 items=1 ppid=3909560 pid=3909561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 06:57:11.312:140833) : avc:  denied  { getattr } for  pid=3909561 comm=lsof path=/proc/1175/net/rpc/nfsd.export/channel dev="proc" ino=4026532533 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0
~~~

Comment 35 Peter Vreman 2022-09-06 12:35:05 UTC
On a server with a legacy init.d service file that insights calls 'status' on:

~~~
allow insights_client_t initrc_exec_t:service status;
~~~


~~~
----
type=USER_AVC msg=audit(09/06/2022 07:18:35.959:14114) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=root uid=root gid=root path=/etc/rc.d/init.d/vxpbx_exchanged cmdline="" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service permissive=1  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
~~~
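Comments 5, 19, 26, 33, 34 and 35 all follow the same pattern: `ausearch -i` output is reduced to `allow` rules, usually via audit2allow, and the rules are then proposed for the policy. What a reviewer of such a list wants is the evidence behind each rule (which process triggered it, whether it was actually blocked with `permissive=0` or only logged with `permissive=1`) and a flag on rules that should not be waved through. The following is an added example written for this thread; it is not audit2allow, not part of selinux-policy and not code from anyone in this bug. It parses interpreted AVC and USER_AVC records, collapses them into audit2allow-style rules (a target equal to the source becomes `self`, as in Peter's `vsock_socket` rule), and attaches review hints; the hint list is this example's own assumed checklist, and the sample records are constructed from the denials quoted in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in `ausearch -i` (interpreted) form, mirroring the denials
# quoted in comments 5, 26, 33 and 35 of this bug. The first record (a
# setenforce notice, no "denied") shows that non-denial USER_AVC lines are skipped.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(09/01/2022 15:24:28.789:126258) : pid=988 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  { rename } for  pid=2765 comm=rhc-worker-play name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/24/2022 15:57:09.452:107) : avc:  denied  { remove_name } for  pid=2765 comm=rhc-worker-play name=__init__.cpython-39.pyc.140565727401136 dev="dm-0" ino=34037140 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(09/01/2022 15:25:39.059:126290) : avc:  denied  { create } for  pid=2705059 comm=vmware-toolbox- scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(09/01/2022 15:25:39.059:126291) : avc:  denied  { open } for  pid=2705059 comm=vmware-toolbox- path=/dev/vsock dev="devtmpfs" ino=24369 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(09/01/2022 15:25:39.059:126291) : avc:  denied  { read } for  pid=2705059 comm=vmware-toolbox- name=vsock dev="devtmpfs" ino=24369 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(09/06/2022 06:54:26.899:668969) : avc:  denied  { map } for  pid=3889428 comm=httpd path=/usr/lib64/httpd/modules/mod_access_compat.so dev="dm-0" ino=46201731 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(09/06/2022 07:18:35.959:14114) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=root uid=root gid=root path=/etc/rc.d/init.d/vxpbx_exchanged cmdline="" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service permissive=1  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

# Works for both AVC records and the msg='avc: ...' payload of USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"\s+permissive=(?P<permissive>[01])")
COMM_RE = re.compile(r"\bcomm=(\S+)")


@dataclass(frozen=True)
class Denial:
    stype: str      # source (process) type
    ttype: str      # target type
    tclass: str     # object class
    perms: tuple    # permissions denied in this record
    enforced: bool  # True for permissive=0: the access was really blocked
    comm: str       # process name, "?" when the record carries none (USER_AVC)


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_denials(text):
    """Extract every AVC / USER_AVC denial from interpreted ausearch output."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial, e.g. a setenforce notice
        c = COMM_RE.search(line)
        denials.append(Denial(
            stype=_type_of(m["scon"]), ttype=_type_of(m["tcon"]), tclass=m["tclass"],
            perms=tuple(m["perms"].split()), enforced=m["permissive"] == "0",
            comm=c.group(1) if c else "?"))
    return denials


def collapse(denials):
    """Merge denials into (source, target, class) groups the way audit2allow
    does; a target type equal to the source type is written as 'self'."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "comms": set()})
    for d in denials:
        g = groups[(d.stype, "self" if d.ttype == d.stype else d.ttype, d.tclass)]
        g["perms"].update(d.perms)
        g["enforced"] = g["enforced"] or d.enforced
        g["comms"].add(d.comm)
    return groups


def render_rule(key, perms):
    stype, target, tclass = key
    ps = sorted(perms)
    body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


# Assumed reviewer checklist (this example's own, not selinux-policy's):
# rules that need a justification before they go into a local module.
REVIEW_HINTS = [
    (lambda k, p: k[1] == "security_t" and "write" in p,
     "write access to selinuxfs (security_t), the interface used to change enforcing mode and booleans"),
    (lambda k, p: k[1] == "self" and k[2] == "capability",
     "grants a Linux capability to the whole domain; confirm which call needs it"),
    (lambda k, p: k[1] == "lib_t" and p & {"write", "create", "rename", "unlink"},
     "modifies packaged files under /usr/lib; per comment 8 that is an application bug, not a policy gap"),
]


def review(text):
    """One record per candidate allow rule, with the evidence behind it."""
    groups = collapse(parse_denials(text))
    return [{
        "rule": render_rule(key, g["perms"]),
        "blocked_in_enforcing": g["enforced"],
        "comms": sorted(g["comms"]),
        "flags": [msg for test, msg in REVIEW_HINTS if test(key, g["perms"])],
    } for key, g in sorted(groups.items())]
```

`review(SAMPLE_AUDIT)` yields six rules; only the httpd `map` rule is marked as blocked in enforcing mode (the others were collected with `permissive=1`, so they are predictions rather than observed failures), the two `/dev/vsock` records fold into one `chr_file { open read }` rule, and the `rhcd_t` rename into `lib_t` is flagged rather than offered as a rule, which matches the conclusion in comment 8.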

Comment 36 Peter Vreman 2022-09-06 14:11:59 UTC
Server with a simple libvirtd kvm running:

~~~
allow insights_client_t dnsmasq_t:fifo_file getattr;
allow insights_client_t random_device_t:chr_file read;
allow insights_client_t rndc_port_t:tcp_socket name_connect;
allow insights_client_t virt_var_run_t:sock_file write;
allow insights_client_t virtd_t:unix_stream_socket connectto;
allow insights_client_t virtlogd_t:fifo_file getattr;
~~~

~~~
sudo ausearch -i -m avc,user_avc -ts today
----
type=PROCTITLE msg=audit(09/06/2022 13:11:32.001:139707) : proctitle=/usr/sbin/gluster volume info 
type=PATH msg=audit(09/06/2022 13:11:32.001:139707) : item=0 name=/dev/random inode=1031 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:11:32.001:139707) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:11:32.001:139707) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f9402420504 a1=R_OK a2=0x560b0dc8ba20 a3=0x0 items=1 ppid=155930 pid=155931 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:11:32.001:139707) : avc:  denied  { read } for  pid=155931 comm=gluster name=random dev="devtmpfs" ino=1031 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:11:37.885:139710) : proctitle=/usr/sbin/rndc status 
type=SOCKADDR msg=audit(09/06/2022 13:11:37.885:139710) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=953 } 
type=SYSCALL msg=audit(09/06/2022 13:11:37.885:139710) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0x14 a1=0x5646849198a0 a2=0x10 a3=0x7f4c4929e080 items=0 ppid=156249 pid=156250 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=isc-worker0000 exe=/usr/sbin/rndc subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:11:37.885:139710) : avc:  denied  { name_connect } for  pid=156250 comm=isc-worker0000 dest=953 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rndc_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:11:42.389:139711) : proctitle=/usr/bin/virsh --readonly list --all 
type=PATH msg=audit(09/06/2022 13:11:42.389:139711) : item=0 name=/var/run/libvirt/libvirt-sock-ro inode=20252 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:11:42.389:139711) : cwd=/ 
type=SOCKADDR msg=audit(09/06/2022 13:11:42.389:139711) : saddr={ saddr_fam=local path=/var/run/libvirt/libvirt-sock-ro } 
type=SYSCALL msg=audit(09/06/2022 13:11:42.389:139711) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7fffa7aaf430 a2=0x6e a3=0x1 items=1 ppid=156319 pid=156320 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virsh exe=/usr/bin/virsh subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:11:42.389:139711) : avc:  denied  { connectto } for  pid=156320 comm=virsh path=/run/libvirt/libvirt-sock-ro scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(09/06/2022 13:11:42.389:139711) : avc:  denied  { write } for  pid=156320 comm=virsh name=libvirt-sock-ro dev="tmpfs" ino=20252 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:12:52.197:139753) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:12:52.197:139753) : item=0 name=/proc/2527/fd/12 inode=38221 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:12:52.197:139753) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:12:52.197:139753) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffd40e5b650 a1=0x7ffd40e5c660 a2=0x7ffd40e5c660 a3=0x7f00b08e2840 items=1 ppid=157049 pid=157051 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:12:52.197:139753) : avc:  denied  { getattr } for  pid=157051 comm=lsof path=pipe:[38221] dev="pipefs" ino=38221 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:12:53.283:139754) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:12:53.283:139754) : item=0 name=/proc/1163067/fd/7 inode=7334604 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:12:53.283:139754) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:12:53.283:139754) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffd40e5b650 a1=0x7ffd40e5c660 a2=0x7ffd40e5c660 a3=0x7f00b08e2840 items=1 ppid=157049 pid=157051 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:12:53.283:139754) : avc:  denied  { getattr } for  pid=157051 comm=lsof path=pipe:[7334604] dev="pipefs" ino=7334604 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1 
~~~

Comment 37 Peter Vreman 2022-09-06 14:16:17 UTC
Red Hat IdM (FreeIPA) Server also has its own share of additional rules:

~~~
allow certmonger_t insights_client_t:dbus send_msg;
allow insights_client_t certmonger_t:dbus send_msg;
allow insights_client_t dirsrv_t:fifo_file getattr;
allow insights_client_t gssproxy_t:fifo_file getattr;
allow insights_client_t kadmind_t:fifo_file getattr;
allow insights_client_t krb5kdc_t:fifo_file getattr;
allow insights_client_t samba_var_t:sock_file { create unlink };
allow insights_client_t smbd_t:fifo_file getattr;
allow insights_client_t winbind_t:fifo_file getattr;
~~~

~~~
type=PROCTITLE msg=audit(09/06/2022 13:10:49.632:736022) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:49.632:736022) : item=0 name=/proc/1066/task/1069/fd/5 inode=25238 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:gssproxy_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:49.632:736022) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:49.632:736022) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:49.632:736022) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[25238] dev="pipefs" ino=25238 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:10:50.459:736023) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:50.459:736023) : item=0 name=/proc/4863/task/6405/fd/8 inode=42885 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:dirsrv_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:50.459:736023) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:50.459:736023) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:50.459:736023) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[42885] dev="pipefs" ino=42885 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:10:52.445:736025) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:52.445:736025) : item=0 name=/proc/6983/fd/6 inode=46168 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:krb5kdc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:52.445:736025) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:52.445:736025) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:52.445:736025) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[46168] dev="pipefs" ino=46168 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:10:52.536:736027) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:52.536:736027) : item=0 name=/proc/7044/fd/6 inode=46479 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:kadmind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:52.536:736027) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:52.536:736027) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:52.536:736027) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[46479] dev="pipefs" ino=46479 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:kadmind_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:10:52.557:736028) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:52.557:736028) : item=0 name=/proc/7663/fd/14 inode=47858 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:smbd_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:52.557:736028) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:52.557:736028) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:52.557:736028) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[47858] dev="pipefs" ino=47858 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:10:52.748:736029) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 13:10:52.748:736029) : item=0 name=/proc/7820/fd/17 inode=50223 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:winbind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:10:52.748:736029) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:10:52.748:736029) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffc338749e0 a1=0x7ffc338759f0 a2=0x7ffc338759f0 a3=0x7f1b957d2840 items=1 ppid=3946792 pid=3946794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:10:52.748:736029) : avc:  denied  { getattr } for  pid=3946794 comm=lsof path=pipe:[50223] dev="pipefs" ino=50223 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=fifo_file permissive=1 
----
type=USER_AVC msg=audit(09/06/2022 13:11:48.737:736047) : pid=999 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedorahosted.certmonger member=get_requests dest=org.fedorahosted.certmonger spid=3947999 tpid=1053 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/06/2022 13:11:48.738:736048) : pid=999 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.25989 spid=1053 tpid=3947999 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(09/06/2022 13:12:25.551:736060) : proctitle=/usr/bin/smbstatus -p 
type=PATH msg=audit(09/06/2022 13:12:25.551:736060) : item=1 name=/var/lib/samba/private/msg.sock/3948783 inode=31488005 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/06/2022 13:12:25.551:736060) : item=0 name=/var/lib/samba/private/msg.sock/ inode=31488013 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:12:25.551:736060) : cwd=/ 
type=SOCKADDR msg=audit(09/06/2022 13:12:25.551:736060) : saddr={ saddr_fam=local path=/var/lib/samba/private/msg.sock/3948783 } 
type=SYSCALL msg=audit(09/06/2022 13:12:25.551:736060) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x7ffce6c838c0 a2=0x6e a3=0x7ffce6c839a0 items=2 ppid=3948782 pid=3948783 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smbstatus exe=/usr/bin/smbstatus subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:12:25.551:736060) : avc:  denied  { create } for  pid=3948783 comm=smbstatus name=3948783 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 13:12:25.554:736061) : proctitle=/usr/bin/smbstatus -p 
type=PATH msg=audit(09/06/2022 13:12:25.554:736061) : item=1 name=/var/lib/samba/private/msg.sock/3948783 inode=31488005 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/06/2022 13:12:25.554:736061) : item=0 name=/var/lib/samba/private/msg.sock/ inode=31488013 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 13:12:25.554:736061) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 13:12:25.554:736061) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7ffce6c838d0 a1=0x3c40ef a2=0x0 a3=0x0 items=2 ppid=3948782 pid=3948783 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smbstatus exe=/usr/bin/smbstatus subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 13:12:25.554:736061) : avc:  denied  { unlink } for  pid=3948783 comm=smbstatus name=3948783 dev="dm-0" ino=31488005 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1 
~~~

Comment 38 Peter Vreman 2022-09-06 14:46:39 UTC
Server running Performance Co-Pilot with Grafana (pmproxy+redis+grafana) as documented in the standard RHEL monitoring documentation:

~~~
allow insights_client_t ephemeral_port_t:tcp_socket name_connect;
allow insights_client_t pcp_pmproxy_t:fifo_file getattr;
allow insights_client_t redis_t:fifo_file getattr;
~~~

~~~
type=PROCTITLE msg=audit(09/06/2022 14:23:24.684:784107) : proctitle=/usr/bin/curl -s http://127.0.0.1:44322/metrics --connect-timeout 5 
type=SOCKADDR msg=audit(09/06/2022 14:23:24.684:784107) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=44322 } 
type=SYSCALL msg=audit(09/06/2022 14:23:24.684:784107) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0x5 a1=0x7ffff318c6d0 a2=0x10 a3=0xd2791636 items=0 ppid=2763549 pid=2763550 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=curl exe=/usr/bin/curl subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 14:23:24.684:784107) : avc:  denied  { name_connect } for  pid=2763550 comm=curl dest=44322 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 14:24:15.721:784131) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 14:24:15.721:784131) : item=0 name=/proc/1057/task/1079/fd/3 inode=26746 dev=00:0d mode=fifo,600 ouid=redis ogid=redis rdev=00:00 obj=system_u:system_r:redis_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 14:24:15.721:784131) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 14:24:15.721:784131) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffd74d695c0 a1=0x7ffd74d6a5d0 a2=0x7ffd74d6a5d0 a3=0x7f5e5f4b4840 items=1 ppid=2764360 pid=2764362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 14:24:15.721:784131) : avc:  denied  { getattr } for  pid=2764362 comm=lsof path=pipe:[26746] dev="pipefs" ino=26746 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 14:24:18.022:784132) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 14:24:18.022:784132) : item=0 name=/proc/2763680/fd/3 inode=26746 dev=00:0d mode=fifo,600 ouid=redis ogid=redis rdev=00:00 obj=system_u:system_r:redis_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 14:24:18.022:784132) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 14:24:18.022:784132) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffd74d695c0 a1=0x7ffd74d6a5d0 a2=0x7ffd74d6a5d0 a3=0x7f5e5f4b4840 items=1 ppid=2764360 pid=2764362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 14:24:18.022:784132) : avc:  denied  { getattr } for  pid=2764362 comm=lsof path=pipe:[26746] dev="pipefs" ino=26746 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/06/2022 14:24:18.107:784134) : proctitle=/usr/bin/lsof 
type=PATH msg=audit(09/06/2022 14:24:18.107:784134) : item=0 name=/proc/2887799/task/3298813/fd/4 inode=1554664821 dev=00:0d mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:pcp_pmproxy_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 14:24:18.107:784134) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 14:24:18.107:784134) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffd74d695c0 a1=0x7ffd74d6a5d0 a2=0x7ffd74d6a5d0 a3=0x7f5e5f4b4840 items=1 ppid=2764360 pid=2764362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lsof exe=/usr/bin/lsof subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 14:24:18.107:784134) : avc:  denied  { getattr } for  pid=2764362 comm=lsof path=pipe:[1554664821] dev="pipefs" ino=1554664821 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=fifo_file permissive=1 
~~~
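The rule lists in comments 35 through 38 are what audit2allow derives from the quoted AVC records. As an added example that is not part of this bug report or of selinux-policy, the following Python does the same derivation from `ausearch -i` output and additionally records whether each denial was enforced (permissive=0) or only logged; the sample records are abridged copies of lines quoted in this bug.

```python
"""Derive audit2allow-style rules from `ausearch -i` AVC records.

Added example, not code from the bug report or from selinux-policy: it shows
how the allow rules quoted in comments 35-38 follow from the AVC lines."""
import re
from collections import defaultdict

# Fields shared by AVC and USER_AVC records as printed by `ausearch -i`.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, permissive) or None."""
    if not line.startswith(("type=AVC ", "type=USER_AVC ")):
        return None  # SYSCALL, PATH, PROCTITLE etc. carry no denial
    m = _AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; only the type matters for a rule.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    return stype, ttype, m["tclass"], frozenset(m["perms"].split()), m["permissive"] == "1"


def derive_rules(lines):
    """Map each 'allow S T:C perms;' rule to the set of permissive flags seen for it.
    Permissions for one (source, target, class) merge like audit2allow: { create unlink }."""
    perms, modes = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, p, permissive = rec
        perms[(stype, ttype, tclass)] |= p
        modes[(stype, ttype, tclass)].add(permissive)
    rules = {}
    for key in sorted(perms):
        ps = sorted(perms[key])
        text = ps[0] if len(ps) == 1 else "{ %s }" % " ".join(ps)
        rules["allow %s %s:%s %s;" % (*key, text)] = modes[key]
    return rules


def enforced_rules(rules):
    """Rules backing at least one denial that actually blocked the operation (permissive=0)."""
    return [rule for rule, modes in rules.items() if False in modes]


# Constructed sample: records abridged from the ausearch output quoted in this bug.
SAMPLE = [
    'type=AVC msg=audit(09/06/2022 13:11:32.001:139707) : avc:  denied  { read } for  pid=155931 comm=gluster name=random dev="devtmpfs" ino=1031 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1',
    "type=AVC msg=audit(09/06/2022 13:12:25.551:736060) : avc:  denied  { create } for  pid=3948783 comm=smbstatus name=3948783 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1",
    'type=AVC msg=audit(09/06/2022 13:12:25.554:736061) : avc:  denied  { unlink } for  pid=3948783 comm=smbstatus name=3948783 dev="dm-0" ino=31488005 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1',
    "type=USER_AVC msg=audit(09/06/2022 13:11:48.737:736047) : pid=999 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedorahosted.certmonger member=get_requests dest=org.fedorahosted.certmonger spid=3947999 tpid=1053 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon'",
    "type=USER_AVC msg=audit(09/06/2022 13:11:48.738:736048) : pid=999 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.25989 spid=1053 tpid=3947999 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon'",
    'type=AVC msg=audit(09/06/2022 06:57:11.312:140833) : avc:  denied  { getattr } for  pid=3909561 comm=lsof path=/proc/1175/net/rpc/nfsd.export/channel dev="proc" ino=4026532533 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for rule, modes in derive_rules(SAMPLE).items():
        print(rule, "# enforced" if False in modes else "# permissive only")
```

Feeding it the full `ausearch -i -m avc,user_avc -ts today` output reproduces the rule lists above; the enforced subset is the set of denials that broke a collector rather than merely being logged on a permissive host.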

Comment 39 Zdenek Pytela 2022-09-07 12:40:47 UTC
Peter,

Thank you for the reports. A new build which should address all problems is currently under way.

Comment 51 errata-xmlrpc 2022-11-15 11:14:11 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283