
Bug 2123610

Summary: insights-client selinux denial creating .unregistered file
Product: Red Hat Enterprise Linux 8
Reporter: Iago Rubio <iago>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: medium
Version: 8.6
CC: ahitacat, cmarinea, fjansen, lvrabec, mmalik, pakotvan, stomsa, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2023-05-16 09:03:52 UTC
Type: Bug

Description Iago Rubio 2022-09-02 06:54:11 UTC
Description of problem:

SELinux is preventing /usr/libexec/platform-python3.6 from 'create' accesses on the file .unregistered.


Version-Release number of selected component (if applicable):

insights-client  3.1.7
selinux-policy   3.14.3

How reproducible:

Start insights client and wait a few seconds for a selinux denial

Steps to Reproduce:
1. Start insights client
2. Wait a little bit
3. Check denial
4. Check status of insights client

Actual results:

Insights client dies after failing to create the file /etc/insights-client/.unregistered

A SELinux denial shows that SELinux prevents the process with context insights_client_t from writing to the insights_client_etc_t context.

Expected results:

Insights client should not die and should be able to write in /etc/insights-client or set other directory in /var to store the status files .registered and .unregistered.

Additional info:

Sealert output
=================================================

SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file .unregistered.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed create access on the .unregistered file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython
# semodule -X 300 -i my-platformpython.pp

Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                system_u:object_r:insights_client_etc_t:s0
Target Objects                .unregistered [ file ]
Source                        platform-python
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          telaar.localdomain
Source RPM Packages           platform-python-3.6.8-45.el8.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     telaar.localdomain
Platform                      Linux telaar.localdomain
                              4.18.0-372.19.1.el8_6.x86_64 #1 SMP Mon Jul 18
                              11:14:02 EDT 2022 x86_64 x86_64
Alert Count                   7
First Seen                    2022-09-01 01:02:56 CEST
Last Seen                     2022-09-02 08:40:11 CEST
Local ID                      add312ee-8507-4d66-bef0-8e8e7b5426ae

Raw Audit Messages
type=AVC msg=audit(1662100811.211:288): avc:  denied  { create } for  pid=45383 comm="platform-python" name=".unregistered" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1662100811.211:288): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f4c56378710 a2=80241 a3=1b6 items=0 ppid=45308 pid=45383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)

Hash: platform-python,insights_client_t,insights_client_etc_t,file,create


=================================================

systemctl status insights-client output 

=================================================

● insights-client.service - Insights Client
   Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2022-09-02 08:40:11 CEST; 14min ago
     Docs: man:insights-client(8)
  Process: 45310 ExecStartPost=/bin/bash -c echo 1G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes (code=exited, status=0/SUCCE>
  Process: 45309 ExecStartPost=/bin/bash -c echo 2G >/dev/null 2>&1 > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes (code=exited, status=0/SUCC>
  Process: 45308 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=1/FAILURE)
 Main PID: 45308 (code=exited, status=1/FAILURE)

Sep 02 08:40:11 telaar.localdomain insights-client[45383]:     return _legacy_handle_registration(config, pconn)
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:   File "/etc/insights-client/rpm.egg/insights/client/client.py", line 170, in _legacy_handle_registration
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:     write_unregistered_file(date=check['unreg_date'])
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:   File "/etc/insights-client/rpm.egg/insights/client/utilities.py", line 99, in write_unregistered_file
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:     write_to_disk(f, content=str(date))
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:   File "/etc/insights-client/rpm.egg/insights/client/utilities.py", line 127, in write_to_disk
Sep 02 08:40:11 telaar.localdomain insights-client[45383]:     with open(filename, 'wb') as f:
Sep 02 08:40:11 telaar.localdomain insights-client[45383]: PermissionError: [Errno 13] Permission denied: '/etc/insights-client/.unregistered'
Sep 02 08:40:11 telaar.localdomain systemd[1]: insights-client.service: Main process exited, code=exited, status=1/FAILURE
Sep 02 08:40:11 telaar.localdomain systemd[1]: insights-client.service: Failed with result 'exit-code'.

Comment 1 Iago Rubio 2022-09-02 08:15:28 UTC
The selinux-policy-targeted rpm's selinux-policy-contrib-f659db9cce300873aabec1a11fcc39d69e043267/insights_client.fc file is missing a write reference to the ".unregistered" file.

============================================================================================================================
selinux-policy-contrib-f659db9cce300873aabec1a11fcc39d69e043267/insights_client.fc
============================================================================================================================

/etc/insights-client                                    -d      gen_context(system_u:object_r:insights_client_etc_t,s0)
/etc/insights-client/[^/]+                              --      gen_context(system_u:object_r:insights_client_etc_t,s0)
/etc/insights-client/\.cache\.json\.asc                 --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.cache\.json                      --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.insights-core\.etag              --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.insights-core-gpg-sig\.etag      --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.lastupload                       --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.last-upload\.results             --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/\.registered                       --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/insights-client-egg-release        --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
/etc/insights-client/machine-id                         --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)

/usr/bin/insights-client                                --      gen_context(system_u:object_r:insights_client_exec_t,s0)
/usr/bin/redhat-access-insights                         --      gen_context(system_u:object_r:insights_client_exec_t,s0)

/var/cache/insights(/.*)?                                       gen_context(system_u:object_r:insights_client_cache_t,s0)

/var/lib/insights(/.*)?                                         gen_context(system_u:object_r:insights_client_var_lib_t,s0)

/var/log/insights-client(/.*)?                                  gen_context(system_u:object_r:insights_client_var_log_t,s0)

/var/run/insights-client\.pid                           --      gen_context(system_u:object_r:insights_client_var_run_t,s0)

/var/tmp/insights-archive(/.*)?                                 gen_context(system_u:object_r:insights_client_tmp_t,s0)
/var/tmp/insights-client(/.*)?                                  gen_context(system_u:object_r:insights_client_tmp_t,s0)


==============================================================================================================================


The following should be added:

/etc/insights-client/\.unregistered                    --      gen_context(system_u:object_r:insights_client_etc_rw_t,s0)
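An added example (not code from the report or from the selinux-policy project) that parses the raw AVC record quoted in the description and evaluates the insights_client.fc entries from comment 1 to tell a mislabeled file from a missing policy entry. The AVC line and the fc subset are copied from this page; the directory prefix is assumed from the traceback, and the entry-ordering rule only approximates matchpathcon, it is not libselinux's algorithm.

```python
import re

# Constructed sample: the raw AVC record quoted in the report.
AVC_LINE = ('type=AVC msg=audit(1662100811.211:288): avc:  denied  { create } for  pid=45383 '
            'comm="platform-python" name=".unregistered" scontext=system_u:system_r:insights_client_t:s0 '
            'tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0')
# Subset of insights_client.fc from comment 1 as (regex, file type, SELinux type), then the same table
# with the entry proposed there appended.
FC_BEFORE = [
    (r"/etc/insights-client", "-d", "insights_client_etc_t"),
    (r"/etc/insights-client/[^/]+", "--", "insights_client_etc_t"),
    (r"/etc/insights-client/\.registered", "--", "insights_client_etc_rw_t"),
]
FC_AFTER = FC_BEFORE + [(r"/etc/insights-client/\.unregistered", "--", "insights_client_etc_rw_t")]

def parse_avc(line):
    """Fields of a raw AVC record; perms as a list, stype/ttype the context types,
    hash the tuple sealert prints on its 'Hash:' line."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    f["result"], f["perms"] = m.group(1), m.group(2).split()
    f["stype"] = f["scontext"].split(":")[2]  # user:role:type:level
    f["ttype"] = f["tcontext"].split(":")[2]
    f["hash"] = ",".join([f["comm"], f["stype"], f["ttype"], f["tclass"]] + f["perms"])
    return f

def expected_type(fc, path):
    """Type the fc table assigns to path: longest literal stem wins, a stem without wildcards
    beats one with, later entry wins ties (approximates matchpathcon, not libselinux itself)."""
    best = None
    for idx, (regex, _ftype, stype) in enumerate(fc):
        if re.fullmatch(regex, path):
            stem = re.match(r"(?:\\.|[^.^$*+?\[\](){}|\\])*", regex).group(0)
            key = (len(stem.replace("\\", "")), len(stem) == len(regex), idx)
            if best is None or key > best[0]:
                best = (key, stype)
    return best[1] if best else None

def triage(avc_line, fc):
    """Is a file denial a labeling problem (fix: restorecon) or a gap in the policy?"""
    f = parse_avc(avc_line)
    # AVC records carry only the basename; the directory is assumed from the traceback in the report.
    path = "/etc/insights-client/" + f["name"]
    want = expected_type(fc, path)
    if want is None:
        return "no fc entry for " + path
    if want == f["ttype"]:
        return "label matches policy: policy lacks an fc entry or allow rule for " + f["stype"]
    return "mislabeled: policy expects " + want + ", restorecon would relabel"
```

With the table as shipped, the file's actual label equals what the policy assigns, so the denial is a policy gap rather than a stray label; with the proposed entry appended, the same AVC points at a file that needs relabeling.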

Comment 2 Zdenek Pytela 2022-09-05 10:20:58 UTC
This is expected to be fixed since selinux-policy-3.14.3-107:

rhel87# matchpathcon /etc/insights-client/.unregistered
/etc/insights-client/.unregistered      system_u:object_r:insights_client_etc_rw_t:s0
rhel87# rpm -q selinux-policy
selinux-policy-3.14.3-108.el8.noarch

Comment 3 Milos Malik 2022-09-05 15:05:58 UTC
I agree with comment #2:

# rpm -qa selinux\*
selinux-policy-3.14.3-107.el8.noarch
selinux-policy-targeted-3.14.3-107.el8.noarch
# matchpathcon /etc/insights-client/.unregistered
/etc/insights-client/.unregistered	system_u:object_r:insights_client_etc_rw_t:s0
# matchpathcon /etc/insights-client/.registered
/etc/insights-client/.registered	system_u:object_r:insights_client_etc_rw_t:s0
# sesearch -c file -T | grep '\.registered'
type_transition insights_client_t insights_client_etc_t:file insights_client_etc_rw_t .registered;
type_transition sysadm_t insights_client_etc_t:file insights_client_etc_rw_t .registered;
type_transition unconfined_t insights_client_etc_t:file insights_client_etc_rw_t .registered;
# sesearch -c file -T | grep '\.unregistered'
type_transition insights_client_t insights_client_etc_t:file insights_client_etc_rw_t .unregistered;
type_transition sysadm_t insights_client_etc_t:file insights_client_etc_rw_t .unregistered;
type_transition unconfined_t insights_client_etc_t:file insights_client_etc_rw_t .unregistered;
# matchpathcon /etc/insights-client/
/etc/insights-client	system_u:object_r:insights_client_etc_t:s0
# sesearch -s insights_client_t -t insights_client_etc_rw_t -c file -p create -A
allow insights_client_t insights_client_etc_rw_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
# sesearch -s unconfined_t -t insights_client_etc_rw_t -c file -p create -A
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
# sesearch -s sysadm_t -t insights_client_etc_rw_t -c file -p create -A
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
#

Comment 13 errata-xmlrpc 2023-05-16 09:03:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965