Bug 2122958 - insights-client raises SELinux dbus issue
Summary: insights-client raises SELinux dbus issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2124327
Reported: 2022-08-31 12:42 UTC by Alba Hita
Modified: 2023-05-09 10:20 UTC

Fixed In Version: selinux-policy-34.1.43-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2124327
Environment:
Last Closed: 2023-05-09 08:16:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-132814 | 0 | None | None | None | 2022-08-31 12:48:41 UTC
Red Hat Product Errata | RHBA-2023:2483 | 0 | None | None | None | 2023-05-09 08:16:51 UTC

Description Alba Hita 2022-08-31 12:42:58 UTC
>>> Description of problem:
Insights-client is raising SELinux issues


Version-Release number of selected component (if applicable):


>>> Steps to Reproduce:
1. Install the latest selinux-policy and insights-client versions.
2. Configure SELinux with the enforcing policy.
3. Run insights-client --register.
4. Run the insights-client systemd service.


>>> Actual results:

> sudo systemctl status insights-client
○ insights-client.service - Insights Client
     Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static)
     Active: inactive (dead) since Wed 2022-08-31 11:24:05 CEST; 1s ago
TriggeredBy: ● insights-client.timer
       Docs: man:insights-client(8)
    Process: 2754 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=0/SUCCESS)
    Process: 2755 ExecStartPost=/bin/bash -c echo 2G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes (code=exited, status=1/FAILURE)
    Process: 2756 ExecStartPost=/bin/bash -c echo 1G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes (code=exited, status=1/FAILURE)
   Main PID: 2754 (code=exited, status=0/SUCCESS)
        CPU: 27.108s

Aug 31 11:22:32 localhost.localdomain systemd[1]: Started Insights Client.
Aug 31 11:22:42 localhost.localdomain insights-client[2765]: Unable to fetch egg url. Defaulting to /release
Aug 31 11:22:54 localhost.localdomain insights-client[2784]: Starting to collect Insights data for localhost.localdomain
Aug 31 11:23:32 localhost.localdomain /usr/bin/sealert[3211]: attempt to open server connection failed: Permission denied
Aug 31 11:24:04 localhost.localdomain insights-client[2784]: Uploading Insights data.
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: Successfully uploaded report from localhost.localdomain to account 5910538.
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: View details about this system on cloud.redhat.com:
Aug 31 11:24:05 localhost.localdomain insights-client[2784]: https://cloud.redhat.com/insights/inventory/95ca7bdc-85b3-4ffe-bf89-f7595b74f096
Aug 31 11:24:05 localhost.localdomain systemd[1]: insights-client.service: Deactivated successfully.
Aug 31 11:24:05 localhost.localdomain systemd[1]: insights-client.service: Consumed 27.108s CPU time.

> sudo ausearch -m avc -m user_avc -m selinux_err -i -ts boot
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:188) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:189) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:190) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:191) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.250:192) : pid=690 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(08/31/2022 11:23:32.864:218) : proctitle=/usr/bin/python3 -Es /usr/bin/sealert -l * 
type=SYSCALL msg=audit(08/31/2022 11:23:32.864:218) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7ffc96601e80 a2=0x2f a3=0x7f09834b49b9 items=0 ppid=3210 pid=3211 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sealert exe=/usr/bin/python3.9 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(08/31/2022 11:23:32.864:218) : avc:  denied  { write } for  pid=3211 comm=sealert name=setroubleshoot_server dev="tmpfs" ino=1174 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=0 


Additional info:
> rpm -qa selinux\* insights\* | sort
insights-client-3.1.7-6.el9_0.noarch
selinux-policy-34.1.42-1.el9.noarch
selinux-policy-targeted-34.1.42-1.el9.noarch
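
Added example (not part of the original report and not Red Hat tooling): a short Python triage script that collapses `ausearch -i` output like the above into unique denials, handling both kernel `AVC` records and the `USER_AVC` records emitted by dbus-broker. The sample records are abridged from the report and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: records abridged from the ausearch output in the report.
SAMPLE = """\
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:188) : pid=690 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus'
----
type=USER_AVC msg=audit(08/31/2022 11:23:09.249:189) : pid=690 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus'
----
type=SYSCALL msg=audit(08/31/2022 11:23:32.864:218) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) comm=sealert subj=system_u:system_r:insights_client_t:s0
type=AVC msg=audit(08/31/2022 11:23:32.864:218) : avc:  denied  { write } for  pid=3211 comm=sealert name=setroubleshoot_server scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:setroubleshoot_var_run_t:s0 tclass=sock_file permissive=0
"""

# Matches only denial records; SYSCALL/PROCTITLE lines of the same event are ignored.
RECORD = re.compile(r"^type=(AVC|USER_AVC)\b.*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_denials(text):
    """Yield one dict per denied AVC/USER_AVC record."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        kind, perms, rest = m.groups()
        # Only look after "for": USER_AVC also carries the broker's own subj= earlier.
        fields = dict(re.findall(r"\b(scontext|tcontext|tclass|permissive)=([^\s']+)", rest))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: do not guess missing fields
        yield {
            "kind": kind,
            # A context is user:role:type:level; index 2 is the SELinux type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "perms": tuple(sorted(perms.split())),
            "enforced": fields.get("permissive") == "0",
        }

def summarize(text):
    """Count duplicates so repeated denials collapse into one entry each."""
    return Counter(
        (d["kind"], d["source"], d["target"], d["tclass"], d["perms"], d["enforced"])
        for d in parse_denials(text)
    )

if __name__ == "__main__":
    for (kind, src, tgt, cls, perms, enforced), n in summarize(SAMPLE).items():
        print(f"{n}x {kind}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} enforced={enforced}")
```
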

Comment 13 errata-xmlrpc 2023-05-09 08:16:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

