Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2125803

Summary: SELinux is preventing /usr/bin/gpg from write access on the file trustdb.gpg + pubring.kbx
Product: Red Hat Enterprise Linux 9
Reporter: Marc <marc>
Component: insights-client
Assignee: Nobody <nobody>
Status: CLOSED DUPLICATE
QA Contact: Nobody <nobody>
Severity: medium
Priority: unspecified
Version: 9.0
CC: cmarinea, fjansen, gchamoul, stomsa
Target Milestone: rc
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Last Closed: 2022-09-12 13:05:27 UTC
Type: Bug

Description Marc 2022-09-10 15:30:19 UTC
###############################################################################
Description of Problem:
###############################################################################

SELinux is preventing /usr/bin/gpg from write access on the file trustdb.gpg. For complete SELinux messages run: sealert -l f4d7ff01-5c64-4118-ba21-943ae0bd0a84

SELinux is preventing /usr/bin/gpg from write access on the file pubring.kbx. For complete SELinux messages run: sealert -l f4d7ff01-5c64-4118-ba21-943ae0bd0a84

###############################################################################

# sealert -l f4d7ff01-5c64-4118-ba21-943ae0bd0a84
SELinux is preventing /usr/bin/gpg from write access on the file trustdb.gpg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpg should be allowed write access on the trustdb.gpg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp


Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                trustdb.gpg [ file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          WRK1
Source RPM Packages           gnupg2-2.3.3-1.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     WRK1
Platform                      Linux WRK1 5.14.0-70.22.1.el9_0.x86_64 #1 SMP
                              PREEMPT Tue Aug 2 10:02:12 EDT 2022 x86_64 x86_64
Alert Count                   155
First Seen                    2022-09-04 11:27:00 EDT
Last Seen                     2022-09-10 07:54:51 EDT
Local ID                      f4d7ff01-5c64-4118-ba21-943ae0bd0a84

Raw Audit Messages
type=AVC msg=audit(1662810891.445:1082): avc:  denied  { write } for  pid=53453 comm="gpg" name="trustdb.gpg" dev="dm-0" ino=134429487 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1662810891.445:1082): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56237d719340 a2=2 a3=0 items=0 ppid=52619 pid=53453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:insights_client_t:s0 key=(null)

Hash: gpg,insights_client_t,admin_home_t,file,write


###############################################################################
Version-Release number of selected component (if applicable):
###############################################################################

# insights-client --version
Client: 3.1.7
Core: 3.0.292-1


###############################################################################
Steps to Reproduce:
###############################################################################

1. Install RHEL9
2. Register Insights Client to the Red Hat Insights Service
3. Reboot + Login
4. Unregister Insights Client from the Red Hat Insights Service
5. Reboot + Login
6. Suspend PC
7. Wakeup PC


###############################################################################
Actual results:
###############################################################################

SELinux policy prevents Insights Client access to trustdb.gpg + pubring.kbx


###############################################################################
Expected results:
###############################################################################

SELinux policy does not report a conflict with Insights Client


###############################################################################
Additional Information:
###############################################################################

NOTE:
This error seems to happen regardless of status.

# insights-client --status
System is NOT registered locally via .registered file.
Insights API says this machine is NOT registered.

# insights-client --test-connection
Running Connection Tests...
=== Begin Upload URL Connection Test ===
Testing: https://cert-api.access.redhat.com/r/insights/uploads/
POST https://cert-api.access.redhat.com/r/insights/uploads/
HTTP Status: 200 OK
HTTP Response Text: {"request_id":"b3e5ade1093f40948692b6e5baa75f78","upload":{"account_number":"xxxxxxxx","org_id":"xxxxxxxx"}}
Successfully connected to: https://cert-api.access.redhat.com/r/insights/uploads/
=== End Upload URL Connection Test: SUCCESS ===

=== Begin API URL Connection Test ===
Testing: https://cert-api.access.redhat.com/r/insights/
GET https://cert-api.access.redhat.com/r/insights/
HTTP Status: 200 OK
HTTP Response Text: lub-dub
Successfully connected to: https://cert-api.access.redhat.com/r/insights/
=== End API URL Connection Test: SUCCESS ===

Connectivity tests completed successfully
See /var/log/insights-client/insights-client.log for more details.

Comment 1 Marc 2022-09-11 13:53:50 UTC
#####################################################

Insights Client Bug - Reproduced Again Today:

#####################################################

1. Woke ThinkPad Laptop PC from Suspension
2. Login to my Admin Account
3. Dialog #1 appears "Authentication Required: Authentication is required to update information about software"
4. Dialog #2 appears "Authentication Required: Authentication is required to update metadata"
5. Entering password in Dialog #1 introduces another Dialog #1 repeatedly until Dialog #2 prompts for authentication which introduces another Dialog #2, repeatedly until both completely disappear
6. SETroubleshoot Alert List shows Source Process: gpg Attempted Access: write On this: trustdb.gpg Occurred: 184 Last seen: 2022-09-11 06:45:49
7. SETroubleshoot Alert List shows Source Process: python3.9 Attempted Access: create On this: .unregistered Occurred: 13 Last seen: 2022-09-11 06:45:55

NOTE: the SE python3.9 alert has been observed alongside the original bug but not associated with this bug report until today due to the sealert message as follows:

"SELinux is preventing /usr/bin/python3.9 from create access on the file .unregistered."

#####################################################

# sealert -l a0551964-7aef-4c5b-b16e-4d749bf306cf
SELinux is preventing /usr/bin/python3.9 from create access on the file .unregistered.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed create access on the .unregistered file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython
# semodule -X 300 -i my-platformpython.pp


Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                system_u:object_r:insights_client_etc_t:s0
Target Objects                .unregistered [ file ]
Source                        platform-python
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          WRK1
Source RPM Packages           python3-3.9.10-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     WRK1
Platform                      Linux WRK1 5.14.0-70.22.1.el9_0.x86_64 #1 SMP
                              PREEMPT Tue Aug 2 10:02:12 EDT 2022 x86_64 x86_64
Alert Count                   13
First Seen                    2022-09-06 10:22:11 EDT
Last Seen                     2022-09-11 06:45:55 EDT
Local ID                      a0551964-7aef-4c5b-b16e-4d749bf306cf

Raw Audit Messages
type=AVC msg=audit(1662893155.495:292): avc:  denied  { create } for  pid=6983 comm="platform-python" name=".unregistered" scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1662893155.495:292): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7fdd327bb280 a2=80241 a3=1b6 items=0 ppid=6500 pid=6983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=platform-python exe=/usr/bin/python3.9 subj=system_u:system_r:insights_client_t:s0 key=(null)

Hash: platform-python,insights_client_t,insights_client_etc_t,file,create

Comment 2 Marc 2022-09-11 14:05:32 UTC
PLEASE NOTE:

No other SE Alerts are occurring on my registered workstation, and...

All of the SE Alerts documented so far in this bug report share the same Source Context:

system_u:system_r:insights_client_t:s0


#####################################################

ALSO NOTE:

# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

System Purpose Status: Matched


# subscription-manager list
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux for x86_64
Product ID:     479
Version:        9.0
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         08/17/2022
Ends:           08/16/2023
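The two raw AVC records quoted in the description and in Comment 1 can be triaged mechanically. The script below is an added example, not part of the bug report or of insights-client: it parses the `type=AVC` lines, rebuilds the same `comm,source_type,target_type,tclass,perm` key that sealert prints as "Hash:", and groups denials by source domain, which makes the observation in Comment 2 (every alert comes from `insights_client_t`) checkable over a whole audit log. Both sample lines are copied from this page; nothing else is assumed.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug report (copied from the sealert output).
AVC_LINES = [
    'type=AVC msg=audit(1662810891.445:1082): avc:  denied  { write } for  pid=53453 comm="gpg" '
    'name="trustdb.gpg" dev="dm-0" ino=134429487 scontext=system_u:system_r:insights_client_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1662893155.495:292): avc:  denied  { create } for  pid=6983 comm="platform-python" '
    'name=".unregistered" scontext=system_u:system_r:insights_client_t:s0 '
    'tcontext=system_u:object_r:insights_client_etc_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { perm [perm...] } for  key=value ..." ; the key=value tail is parsed separately.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()  # a denial may list several permissions
    return fields


def context_type(ctx):
    """Extract the type from an SELinux context user:role:type:level."""
    return ctx.split(':')[2]


def sealert_hash(avc):
    """Rebuild the 'Hash:' key sealert prints: comm,source_type,target_type,tclass,perms."""
    return ','.join([avc['comm'], context_type(avc['scontext']),
                     context_type(avc['tcontext']), avc['tclass'], ' '.join(avc['perms'])])


def group_by_source_type(lines):
    """Map each source domain to the distinct denial keys seen for it (enforced denials only)."""
    groups = defaultdict(list)
    for line in lines:
        avc = parse_avc(line)
        # permissive=0 means the access was actually blocked, not merely logged
        if avc and avc['result'] == 'denied' and avc.get('permissive') == '0':
            key = sealert_hash(avc)
            if key not in groups[context_type(avc['scontext'])]:
                groups[context_type(avc['scontext'])].append(key)
    return dict(groups)
```

Feeding `ausearch -m AVC --raw` output through `group_by_source_type` shows at a glance whether denials cluster on one domain (here `insights_client_t`), which is what points at the policy module for that domain rather than at gpg or python.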

Comment 3 Gaël Chamoulaud 2022-09-12 13:05:27 UTC
Hi Marc, 

Thanks for reporting this issue which is already tracked by https://bugzilla.redhat.com/show_bug.cgi?id=2106147.
A fix for that will be shipped as soon as possible via the selinux-policy rpm.

Sorry for the inconvenience.

Gaël

*** This bug has been marked as a duplicate of bug 2106147 ***