Bug 2141311 - Additional AVC denials for insights-client in RHEL 8.7
Summary: Additional AVC denials for insights-client in RHEL 8.7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-09 13:33 UTC by Sam Morris
Modified: 2023-05-17 02:34 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.14.3-114.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:04:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-138828 0 None None None 2022-11-09 13:48:23 UTC
Red Hat Product Errata RHBA-2023:2965 0 None None None 2023-05-16 09:04:37 UTC

Description Sam Morris 2022-11-09 13:33:27 UTC
Description of problem:
In RHEL 8.7 I'm seeing some AVC denials from insights-client - I guess a few more things need to be added to SELinux policy.

Version-Release number of selected component (if applicable):
insights-client-3.1.7-8.el8.noarch
selinux-policy-3.14.3-108.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Register insights-client
2. systemctl start insights-client --wait
3. Check audit logs with 'ausearch -i -m avc -ts today -se insights_client_t'

Actual results:

On one system:

----
type=PROCTITLE msg=audit(09/11/22 01:25:05.541:450514) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 01:25:05.541:450514) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x7f33f7e289f8 items=0 ppid=321787 pid=321788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:05.541:450514) : avc:  denied  { create } for  pid=321788 comm=semanage scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=netlink_audit_socket permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 01:25:05.622:450515) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 01:25:05.622:450515) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x5617a87095b0 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x0 items=0 ppid=321787 pid=321788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:05.622:450515) : avc:  denied  { write } for  pid=321788 comm=semanage name=modules dev="dm-0" ino=34847828 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 01:25:05.622:450516) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 01:25:05.622:450516) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x5617a87095b0 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x100 items=0 ppid=321787 pid=321788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:05.622:450516) : avc:  denied  { write } for  pid=321788 comm=semanage name=modules dev="dm-0" ino=34847828 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 01:25:08.140:450524) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status 
type=SYSCALL msg=audit(09/11/22 01:25:08.140:450524) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f40af78df80 a2=O_RDWR|O_CLOEXEC a3=0x0 items=0 ppid=321795 pid=321796 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:08.140:450524) : avc:  denied  { write } for  pid=321796 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=24856 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 01:25:17.534:450531) : proctitle=/usr/bin/ipcs -s -i 2 
type=SYSCALL msg=audit(09/11/22 01:25:17.534:450531) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x2 a1=0x0 a2=0xc a3=0x0 items=0 ppid=321982 pid=321983 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:17.534:450531) : avc:  denied  { unix_read } for  pid=321983 comm=ipcs key=\020q  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 01:25:17.949:450533) : proctitle=/usr/bin/ipcs -s -i 3 
type=SYSCALL msg=audit(09/11/22 01:25:17.949:450533) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=322001 pid=322002 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 01:25:17.949:450533) : avc:  denied  { unix_read } for  pid=322002 comm=ipcs key=\020q  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0 

On another system:

----
type=PROCTITLE msg=audit(09/11/22 03:53:37.271:8508) : proctitle=find /etc /opt -name *.conf 
type=SYSCALL msg=audit(09/11/22 03:53:37.271:8508) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x7 a1=0x564548486d98 a2=O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=0 ppid=663611 pid=663628 auid=unset uid=hitron-exporter gid=hitron-exporter euid=hitron-exporter suid=hitron-exporter fsuid=hitron-exporter egid=hitron-exporter sgid=hitron-exporter fsgid=hitron-exporter tty=(none) ses=unset comm=find exe=/usr/bin/find subj=system_u:system_r:container_t:s0:c478,c660 key=(null) 
type=AVC msg=audit(09/11/22 03:53:37.271:8508) : avc:  denied  { read } for  pid=663628 comm=find name=nssdb dev="dm-0" ino=33983018 scontext=system_u:system_r:container_t:s0:c478,c660 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:33.885:8535) : proctitle=/usr/bin/ipcs -s -i 3 
type=SYSCALL msg=audit(09/11/22 03:55:33.885:8535) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=665316 pid=665317 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:33.885:8535) : avc:  denied  { unix_read } for  pid=665317 comm=ipcs ipc_key=1071980  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:33.978:8536) : proctitle=/usr/bin/ipcs -s -i 2 
type=SYSCALL msg=audit(09/11/22 03:55:33.978:8536) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x2 a1=0x0 a2=0xc a3=0x0 items=0 ppid=665319 pid=665321 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:33.978:8536) : avc:  denied  { unix_read } for  pid=665321 comm=ipcs ipc_key=1071979  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:41.686:8541) : proctitle=/usr/bin/luksmeta show -d /dev/disk/by-uuid/xxxxx 
type=SYSCALL msg=audit(09/11/22 03:55:41.686:8541) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f7aa63614e7 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=665965 pid=665966 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=luksmeta exe=/usr/bin/luksmeta subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:41.686:8541) : avc:  denied  { read } for  pid=665966 comm=luksmeta name=random dev="devtmpfs" ino=34 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:41.785:8542) : proctitle=/usr/bin/luksmeta show -d /dev/disk/by-uuid/yyyyy 
type=SYSCALL msg=audit(09/11/22 03:55:41.785:8542) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f62595514e7 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=665972 pid=665973 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=luksmeta exe=/usr/bin/luksmeta subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:41.785:8542) : avc:  denied  { read } for  pid=665973 comm=luksmeta name=random dev="devtmpfs" ino=34 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:41.883:8543) : proctitle=/usr/bin/luksmeta show -d /dev/disk/by-uuid/zzzzz 
type=SYSCALL msg=audit(09/11/22 03:55:41.883:8543) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fad059c14e7 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=665980 pid=665981 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=luksmeta exe=/usr/bin/luksmeta subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:41.883:8543) : avc:  denied  { read } for  pid=665981 comm=luksmeta name=random dev="devtmpfs" ino=34 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:41.986:8544) : proctitle=/usr/bin/luksmeta show -d /dev/disk/by-uuid/aaaaa 
type=SYSCALL msg=audit(09/11/22 03:55:41.986:8544) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f93a0c114e7 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=665984 pid=665987 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=luksmeta exe=/usr/bin/luksmeta subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:41.986:8544) : avc:  denied  { read } for  pid=665987 comm=luksmeta name=random dev="devtmpfs" ino=34 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:17.065:8551) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 03:56:17.065:8551) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x7f243224f408 items=0 ppid=666374 pid=666375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:17.065:8551) : avc:  denied  { create } for  pid=666375 comm=semanage scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=netlink_audit_socket permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:17.081:8552) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 03:56:17.081:8552) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55eaf6276420 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x0 items=0 ppid=666374 pid=666375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:17.081:8552) : avc:  denied  { write } for  pid=666375 comm=semanage name=modules dev="dm-0" ino=17493966 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:17.081:8553) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 03:56:17.081:8553) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55eaf6276420 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x100 items=0 ppid=666374 pid=666375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:17.081:8553) : avc:  denied  { write } for  pid=666375 comm=semanage name=modules dev="dm-0" ino=17493966 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:21.781:8555) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status 
type=SYSCALL msg=audit(09/11/22 03:56:21.781:8555) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f15e560d3f8 a2=O_RDWR|O_CLOEXEC a3=0x0 items=0 ppid=666407 pid=666408 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:21.781:8555) : avc:  denied  { write } for  pid=666408 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=33443 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:48.201:8566) : proctitle=/usr/sbin/gluster volume info 
type=SYSCALL msg=audit(09/11/22 03:56:48.201:8566) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7feb9fc4c504 a1=R_OK a2=0x55b9e9a6ca20 a3=0x0 items=0 ppid=667221 pid=667222 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:48.201:8566) : avc:  denied  { read } for  pid=667222 comm=gluster name=random dev="devtmpfs" ino=34 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:48.257:8567) : proctitle=/usr/sbin/gluster volume info 
type=PATH msg=audit(09/11/22 03:56:48.257:8567) : item=0 name=/var/log/glusterfs/cli.log inode=1937512 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/22 03:56:48.257:8567) : cwd=/ 
type=SYSCALL msg=audit(09/11/22 03:56:48.257:8567) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x55b9e88940a5 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x180 items=1 ppid=667221 pid=667222 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:48.257:8567) : avc:  denied  { create } for  pid=667222 comm=gluster name=cli.log scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 



Expected results:
No output

Additional info:

Comment 1 Zdenek Pytela 2022-11-11 08:53:02 UTC
Some denials have already been addressed.

These will be assessed further:
 
----
type=PROCTITLE msg=audit(09/11/22 03:56:17.081:8552) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l 
type=SYSCALL msg=audit(09/11/22 03:56:17.081:8552) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55eaf6276420 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x0 items=0 ppid=666374 pid=666375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:17.081:8552) : avc:  denied  { write } for  pid=666375 comm=semanage name=modules dev="dm-0" ino=17493966 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:21.781:8555) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status 
type=SYSCALL msg=audit(09/11/22 03:56:21.781:8555) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f15e560d3f8 a2=O_RDWR|O_CLOEXEC a3=0x0 items=0 ppid=666407 pid=666408 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:21.781:8555) : avc:  denied  { write } for  pid=666408 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=33443 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:56:48.257:8567) : proctitle=/usr/sbin/gluster volume info 
type=PATH msg=audit(09/11/22 03:56:48.257:8567) : item=0 name=/var/log/glusterfs/cli.log inode=1937512 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/22 03:56:48.257:8567) : cwd=/ 
type=SYSCALL msg=audit(09/11/22 03:56:48.257:8567) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x55b9e88940a5 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x180 items=1 ppid=667221 pid=667222 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:56:48.257:8567) : avc:  denied  { create } for  pid=667222 comm=gluster name=cli.log scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----

For these, additional data are needed:
----
type=PROCTITLE msg=audit(09/11/22 03:53:37.271:8508) : proctitle=find /etc /opt -name *.conf 
type=SYSCALL msg=audit(09/11/22 03:53:37.271:8508) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x7 a1=0x564548486d98 a2=O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=0 ppid=663611 pid=663628 auid=unset uid=hitron-exporter gid=hitron-exporter euid=hitron-exporter suid=hitron-exporter fsuid=hitron-exporter egid=hitron-exporter sgid=hitron-exporter fsgid=hitron-exporter tty=(none) ses=unset comm=find exe=/usr/bin/find subj=system_u:system_r:container_t:s0:c478,c660 key=(null) 
type=AVC msg=audit(09/11/22 03:53:37.271:8508) : avc:  denied  { read } for  pid=663628 comm=find name=nssdb dev="dm-0" ino=33983018 scontext=system_u:system_r:container_t:s0:c478,c660 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/11/22 03:55:33.885:8535) : proctitle=/usr/bin/ipcs -s -i 3 
type=SYSCALL msg=audit(09/11/22 03:55:33.885:8535) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=665316 pid=665317 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(09/11/22 03:55:33.885:8535) : avc:  denied  { unix_read } for  pid=665317 comm=ipcs ipc_key=1071980  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0 
----

Comment 2 Sam Morris 2022-11-11 09:23:46 UTC
Thanks for taking a look.

> find /etc /opt -name *.conf

Actually looking at what I provided I don't see insights_client_t in the AVC information. I'm not sure how it got in there given my ausearch command. This is probably my error in copying the logs from the other system, sorry about that. Let's ignore this one unless you recognize the "find /etc /opt -name *.conf" command as being something that insights-client tries to run?

> /usr/bin/ipcs -s -i 3 

If I understand correctly insights-client is displaying information about SysV semaphore array id 3.

# ipcs -s -i 3

Semaphore Array semid=3
uid=0    gid=0   cuid=0  cgid=0
mode=0666, access_perms=0666
nsems = 2
otime = Fri Nov 11 09:16:10 2022  
ctime = Tue Nov  8 11:49:00 2022  
semnum     value      ncount     zcount     pid       
0          99         0          0          2458542   
1          1          0          0          976       

[root@xoanon raddb]# ps 2458542 976
    PID TTY      STAT   TIME COMMAND
    976 ?        S<     2:03 /usr/sbin/atopacctd
2458542 ?        S<Ls   0:11 /usr/bin/atop -w /var/log/atop/atop_20221111 600

So these are owned by atop that isn't a part of RHEL.

I guess the question is: should insights_client_t be able to poke around inside unconfined_t? If not, should there be some dontaudit rules to prevent it from cluttering up the logs?

Comment 3 Zdenek Pytela 2022-11-11 09:53:45 UTC
(In reply to Sam Morris from comment #2)
> > find /etc /opt -name *.conf
> 
> Actually looking at what I provided I don't see insights_client_t in the AVC
> information. I'm not sure how it got in there given my ausearch command.
> This is probably my error in copying the logs from the other system, sorry
> about that. Let's ignore this one unless you recognize the "find /etc /opt
> -name *.conf" command as being something that insights-client tries to run?
I really don't know, but containers are not allowed to access data outside in general. Maybe the uid=hitron-exporter entry can work as a hint.

> > /usr/bin/ipcs -s -i 3 
> 
> If I understand correctly insights-client is displaying information about
> SysV semaphore array id 3.
> 
> # ipcs -s -i 3
> 
> Semaphore Array semid=3
> uid=0    gid=0   cuid=0  cgid=0
> mode=0666, access_perms=0666
> nsems = 2
> otime = Fri Nov 11 09:16:10 2022  
> ctime = Tue Nov  8 11:49:00 2022  
> semnum     value      ncount     zcount     pid       
> 0          99         0          0          2458542   
> 1          1          0          0          976       
> 
> [root@xoanon raddb]# ps 2458542 976
>     PID TTY      STAT   TIME COMMAND
>     976 ?        S<     2:03 /usr/sbin/atopacctd
> 2458542 ?        S<Ls   0:11 /usr/bin/atop -w /var/log/atop/atop_20221111 600
> 
> So these are owned by atop that isn't a part of RHEL.
> 
> I guess the question is: should insights_client_t be able to poke around
> inside unconfined_t? If not, should there be some dontaudit rules to prevent
> it from cluttering up the logs?
Correct, and the question is also a good one; just note it is unconfined_service_t, i.e. a process/service started by systemd.

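An added triage helper for the `ausearch -i -m avc` output from the Steps to Reproduce and for the dontaudit question raised in comment 2 and acknowledged in comment 3; it is example code written for this page, not part of the report, of insights-client or of selinux-policy. It parses the interpreted records, joins each AVC to the PROCTITLE of the same event, collapses repeats into one row per (source domain, target type, class, permissions), separates denials that are not insights_client_t at all (the container_t `find`) from those against unconfined_service_t, and emits CIL dontaudit statements for the latter so a reviewer can decide on them. The bucket names and the choice to express candidates as CIL are my own, not Red Hat's triage categories.

```python
"""Triage helper for `ausearch -i -m avc` output: groups records by event serial,
lifts each AVC into a (source, target, class, perms) tuple and buckets it."""
import re
from collections import defaultdict
from dataclasses import dataclass

EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([^)]*:(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def domain_of(context):
    """Third field of a context: 'system_u:system_r:insights_client_t:s0' -> 'insights_client_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


@dataclass(frozen=True)
class Denial:
    serial: str
    command: str   # full command line from the PROCTITLE record of the same event
    comm: str
    source: str    # domain of scontext
    target: str    # type of tcontext
    tclass: str
    perms: tuple   # permissions listed inside { ... }


def parse_ausearch(text):
    """One Denial per AVC record, joined with the PROCTITLE record carrying the same serial."""
    avcs, titles = defaultdict(list), {}
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:                                   # '----' separators, blank lines
            continue
        if m["type"] == "AVC":
            avcs[m["serial"]].append(m["body"])
        elif m["type"] == "PROCTITLE":
            titles[m["serial"]] = m["body"].partition("proctitle=")[2].strip()
    out = []
    for serial, bodies in avcs.items():
        for body in bodies:
            f = {k: v.strip('"') for k, v in KV_RE.findall(body)}
            perms = PERMS_RE.search(body)
            out.append(Denial(serial, titles.get(serial, ""), f.get("comm", "?"),
                              domain_of(f["scontext"]), domain_of(f["tcontext"]), f["tclass"],
                              tuple(perms.group(1).split()) if perms else ()))
    return out


def classify(d, domain="insights_client_t"):
    """Bucket a denial the way the triage in this bug went (bucket names are my own)."""
    if d.source != domain:
        return "other-domain"          # e.g. container_t: not the domain under review at all
    if d.target == "unconfined_service_t":
        return "dontaudit-candidate"   # confined domain probing an unconfined systemd service
    return "policy-review"             # labelled object the policy has to decide on


def summarize(denials, domain="insights_client_t"):
    """Collapse repeats into one row per (source, target, class, perms) with count and commands."""
    rows = {}
    for d in denials:
        key = (d.source, d.target, d.tclass, d.perms)
        row = rows.setdefault(key, {"count": 0, "commands": set(), "bucket": classify(d, domain)})
        row["count"] += 1
        row["commands"].add(d.command or d.comm)
    return rows


def dontaudit_cil(rows):
    """CIL dontaudit statements for the candidate rows; review them before loading with semodule."""
    return [f"(dontaudit {src} {tgt} ({cls} ({' '.join(perms)})))"
            for (src, tgt, cls, perms), row in sorted(rows.items())
            if row["bucket"] == "dontaudit-candidate"]


# Records copied from the report above (SYSCALL lines left out; the parser ignores them anyway).
SAMPLE = """\
type=PROCTITLE msg=audit(09/11/22 03:53:37.271:8508) : proctitle=find /etc /opt -name *.conf
type=AVC msg=audit(09/11/22 03:53:37.271:8508) : avc:  denied  { read } for  pid=663628 comm=find name=nssdb dev="dm-0" ino=33983018 scontext=system_u:system_r:container_t:s0:c478,c660 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(09/11/22 03:55:33.885:8535) : proctitle=/usr/bin/ipcs -s -i 3
type=AVC msg=audit(09/11/22 03:55:33.885:8535) : avc:  denied  { unix_read } for  pid=665317 comm=ipcs ipc_key=1071980  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
type=PROCTITLE msg=audit(09/11/22 03:55:33.978:8536) : proctitle=/usr/bin/ipcs -s -i 2
type=AVC msg=audit(09/11/22 03:55:33.978:8536) : avc:  denied  { unix_read } for  pid=665321 comm=ipcs ipc_key=1071979  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
type=PROCTITLE msg=audit(09/11/22 03:56:21.781:8555) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status
type=AVC msg=audit(09/11/22 03:56:21.781:8555) : avc:  denied  { write } for  pid=666408 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=33443 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=0
"""
```

To use it on a live system, feed the captured output of the `ausearch` command from the Steps to Reproduce to `parse_ausearch`, then `summarize` and `dontaudit_cil`; the CIL lines are a starting point for review, not something to load unread.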
Comment 4 Sam Morris 2022-11-11 09:58:59 UTC
> find /etc /opt -name *.conf

Looks like this could have come from https://github.com/RedHatInsights/insights-core/blob/b74fbdb7da4d937ae7e51e02afae9a64de975981/insights/specs/datasources/container/nginx_conf.py#L14 - but I don't understand why the scontext is container_t if it's being run by insights-client...

Comment 5 Sam Morris 2022-11-11 10:27:56 UTC
Oh I see - it's running 'find /etc /opt -name *.conf' in all containers in order to search for containers that look like they're running nginx. On the one hand, insights-client's behaviour of executing commands inside all running containers on the system is a bit unexpected... on the other I guess I can say that it has revealed this problem to me. :)

The AVC denial is happening because I bind mount /etc/ipa into the container. My own code never touches /etc/ipa/nssdb so I never triggered this denial before. I've given this some thought and I think this is a bug in FreeIPA or the SELinux policy. I'm taking this to <>, so we can ignore this particular denial.

Comment 20 errata-xmlrpc 2023-05-16 09:04:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

