Bug 2132230 - [RHEL8/Insights/Bug] SELinux violations insights client with Satellite 6.11
Summary: [RHEL8/Insights/Bug] SELinux violations insights client with Satellite 6.11
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-10-04
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2136762 2136764
Reported: 2022-10-05 07:27 UTC by Nikhil Gupta
Modified: 2023-09-19 04:27 UTC

Fixed In Version: selinux-policy-3.14.3-110.el8
Doc Type: Bug Fix
Doc Text:
Cause: selinux-policy does not support insights-client interacting with PostgreSQL and password checks
Consequence: Some commands may fail when started from insights
Fix: Support for services execution was added to selinux-policy
Result: Services started from insights run successfully
Clone Of:
Clones: 2136762 2136764
Environment:
Last Closed: 2023-05-16 09:04:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links:
GitHub fedora-selinux/selinux-policy pull 1433 (open): Insights rhcd fixes, last updated 2022-10-07 10:25:35 UTC
Red Hat Issue Tracker RHELPLAN-135618, last updated 2022-10-05 07:33:03 UTC
Red Hat Product Errata RHBA-2023:2965, last updated 2023-05-16 09:04:37 UTC

Description Nikhil Gupta 2022-10-05 07:27:47 UTC
Description of problem:
SELinux violations insights client with Satellite 6.11
~~~
#============= insights_client_t ==============
allow insights_client_t admin_home_t:file append;
allow insights_client_t foreman_rails_t:fifo_file getattr;
allow insights_client_t postgresql_t:fifo_file getattr;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow insights_client_t postgresql_t:unix_stream_socket connectto;
allow insights_client_t postgresql_var_run_t:sock_file write;
allow insights_client_t pulpcore_server_t:fifo_file getattr;
allow insights_client_t pulpcore_t:fifo_file getattr;
allow insights_client_t shadow_t:file { open read };
allow insights_client_t tomcat_t:fifo_file getattr;
allow insights_client_t websm_port_t:tcp_socket name_connect;
~~~


Comment 2 Zdenek Pytela 2022-10-05 08:12:27 UTC
These issues have not been addressed yet:
----
type=PROCTITLE msg=audit(1.1.1970 01:00:10.000:0)  : proctitle=/usr/bin/psql
type=AVC msg=audit(1.1.1970 01:00:10.000:0)  : avc:  denied  { write } for  pid=2090233 comm=psql name=.s.PGSQL.5432 dev="tmpfs" ino=30746 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1.1.1970 01:00:10.000:0)  : avc:  denied  { connectto } for  pid=2090233 comm=psql path=/run/postgresql/.s.PGSQL.5432 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1.1.1970 01:00:10.000:0)  : arch=unknown-elf-type(x86_64) syscall=read success=yes exit=0 a0=0x0x4 a1=0x0x5587f5469d70 a2=0x0x6e a3=0x0x0 items=1 ppid=2090224 pid=2090233 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=psql exe=/usr/bin/psql subj=system_u:system_r:insights_client_t:s0 key=(null)
type=SOCKADDR msg=audit(1.1.1970 01:00:10.000:0)  : saddr=malformed-host({) saddr_fam=local path=/var/run/postgresql/.s.PGSQL.5432
type=CWD msg=audit(1.1.1970 01:00:10.000:0)  : cwd=/var/lib/pgsql\015
type=PATH msg=audit(1.1.1970 01:00:10.000:0)  : item=0 name=/var/run/postgresql/.s.PGSQL.5432 inode=30746 dev=00:18 mode=000,000 777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:postgresql_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0

----
type=PROCTITLE msg=audit(10/04/2022 11:50:42.240:257143) : proctitle=/usr/sbin/unix_chkpwd root chkexpiry
type=PATH msg=audit(10/04/2022 11:50:42.240:257143) : item=0 name=/etc/shadow inode=4602846 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/04/2022 11:50:42.240:257143) : cwd=/
type=SYSCALL msg=audit(10/04/2022 11:50:42.240:257143) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x147810507ec6 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2090224 pid=2090225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc:  denied  { open } for  pid=2090225 comm=unix_chkpwd path=/etc/shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc:  denied  { read } for  pid=2090225 comm=unix_chkpwd name=shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
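
As an added example (not part of this bug report or of selinux-policy): a small parser that groups the interpreted AVC records quoted above into the same (source type, target type, class) keys audit2allow uses and also records which command produced each denial, so the psql socket denials can be told apart from unix_chkpwd's read of shadow_t before deciding whether a rule belongs in policy. The four sample records are copied from this bug; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -i` format: the four AVC records quoted in this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(1.1.1970 01:00:10.000:0)  : avc:  denied  { write } for  pid=2090233 comm=psql name=.s.PGSQL.5432 dev="tmpfs" ino=30746 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1.1.1970 01:00:10.000:0)  : avc:  denied  { connectto } for  pid=2090233 comm=psql path=/run/postgresql/.s.PGSQL.5432 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc:  denied  { open } for  pid=2090225 comm=unix_chkpwd path=/etc/shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/04/2022 11:50:42.240:257143) : avc:  denied  { read } for  pid=2090225 comm=unix_chkpwd name=shadow dev="dm-0" ino=4602846 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?\bcomm=(?P<comm>\S+).*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Parse one interpreted AVC record; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "comm": m["comm"],
        "stype": m["scon"].split(":")[2],  # user:role:type:level -> type
        "ttype": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",  # denial was only logged, not enforced
    }

def summarize(log_text):
    """Union denied permissions per (source, target, class) as audit2allow does."""
    rules, comms = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            rules[key] |= rec["perms"]
            comms[key].add(rec["comm"])  # which binaries triggered this denial
    return rules, comms

def allow_rules(rules):
    """Render grouped denials as allow rules, sorted so output diffs are stable."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out
```

Every record carries permissive=1, which matches the success=yes in the SYSCALL records above: the accesses were logged, not blocked, while the data was collected.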

Comment 19 errata-xmlrpc 2023-05-16 09:04:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

Comment 20 Red Hat Bugzilla 2023-09-19 04:27:47 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

