Bug 2158605 - [RHEL8.6/Insights/SELinux/Bug] SELinux AVC insights-client with selinux-policy-3.14.3-95.el8_6.5
Summary: [RHEL8.6/Insights/SELinux/Bug] SELinux AVC insights-client with selinux-polic...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-05 19:49 UTC by Rajesh Dulhani
Modified: 2023-05-16 11:03 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:04:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-144059 0 None None None 2023-01-05 20:31:40 UTC
Red Hat Product Errata RHBA-2023:2965 0 None None None 2023-05-16 09:04:57 UTC

Description Rajesh Dulhani 2023-01-05 19:49:03 UTC
Description of problem:

AVCs not caught by the latest SELinux policy in RHEL8.6.

~~~
----
type=PROCTITLE msg=audit(12/30/2022 09:59:06.257:7041) : proctitle=/usr/libexec/platform-python /usr/sbin/subscription-manager facts
type=MMAP msg=audit(12/30/2022 09:59:06.257:7041) : fd=9 flags=MAP_SHARED
type=SYSCALL msg=audit(12/30/2022 09:59:06.257:7041) : arch=x86_64 syscall=mmap success=yes exit=140682622324736 a0=0x0 a1=0x20 a2=PROT_READ a3=MAP_SHARED items=0 ppid=10959 pid=10960 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=subscription-ma exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:06.257:7041) : avc:  denied  { map } for  pid=10960 comm=subscription-ma path=/dev/mem dev="devtmpfs" ino=9361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:36.139:7052) : proctitle=python3 /usr/bin/pmrep -t 1s -T 1s network.interface.out.packets network.interface.collisions swap.pagesout mssql.memory_manager
type=PATH msg=audit(12/30/2022 09:59:36.139:7052) : item=0 name=/run/pcp/pmcd.socket inode=30825 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcp_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:36.139:7052) : cwd=/
type=SOCKADDR msg=audit(12/30/2022 09:59:36.139:7052) : saddr={ saddr_fam=local path=/run/pcp/pmcd.socket }
type=SYSCALL msg=audit(12/30/2022 09:59:36.139:7052) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe2498d840 a2=0x6e a3=0x7ffe2498d8a8 items=1 ppid=11385 pid=11386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:36.139:7052) : avc:  denied  { connectto } for  pid=11386 comm=python3 path=/run/pcp/pmcd.socket scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:37.733:7053) : proctitle=/usr/libexec/platform-python -Es /sbin/semanage login -l
type=PATH msg=audit(12/30/2022 09:59:37.733:7053) : item=0 name=/var/lib/selinux/targeted/active/modules inode=27505137 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:semanage_store_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:37.733:7053) : cwd=/
type=SYSCALL msg=audit(12/30/2022 09:59:37.733:7053) : arch=x86_64 syscall=access success=yes exit=0 a0=0x55de53ac4f30 a1=X_OK|W_OK|R_OK a2=0x0 a3=0x0 items=1 ppid=11408 pid=11409 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=semanage exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:37.733:7053) : avc:  denied  { write } for  pid=11409 comm=semanage name=modules dev="dm-0" ino=27505137 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 09:59:44.137:7097) : proctitle=/usr/sbin/gluster volume info
type=PATH msg=audit(12/30/2022 09:59:44.137:7097) : item=1 name=/var/log/glusterfs/cli.log inode=18899384 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/30/2022 09:59:44.137:7097) : item=0 name=/var/log/glusterfs/ inode=18875820 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:44.137:7097) : cwd=/
type=SYSCALL msg=audit(12/30/2022 09:59:44.137:7097) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564499c7e0a5 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x180 items=2 ppid=11679 pid=11680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gluster exe=/usr/sbin/gluster subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:44.137:7097) : avc:  denied  { create } for  pid=11680 comm=gluster name=cli.log scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:00:46.837:7117) : proctitle=/usr/bin/journalctl --no-pager --header
type=PATH msg=audit(12/30/2022 10:00:46.837:7117) : item=0 name=/proc/1/environ nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:00:46.837:7117) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:00:46.837:7117) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffdd567bde0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=12282 pid=12283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:00:46.837:7117) : avc:  denied  { search } for  pid=12283 comm=journalctl name=1 dev="proc" ino=11462 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(12/30/2022 10:00:46.837:7118) : proctitle=/usr/bin/journalctl --no-pager --header
type=PATH msg=audit(12/30/2022 10:00:46.837:7118) : item=0 name=/proc/1/sched nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:00:46.837:7118) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:00:46.837:7118) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fe2d53da2f6 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=12282 pid=12283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journalctl exe=/usr/bin/journalctl subj=system_u:system_r:journalctl_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:00:46.837:7118) : avc:  denied  { search } for  pid=12283 comm=journalctl name=1 dev="proc" ino=11462 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
type=USER_AVC msg=audit(12/30/2022 10:00:48.264:7119) : pid=943 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.timedate1 spid=12369 tpid=12370 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(12/30/2022 10:00:48.358:7122) : pid=943 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.136 spid=12370 tpid=12369 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
+ sudo audit2allow -a


#============= insights_client_t ==============
allow insights_client_t memory_device_t:chr_file map;
allow insights_client_t pcp_pmcd_t:unix_stream_socket connectto;
allow insights_client_t semanage_store_t:dir write;
allow insights_client_t timedatex_t:dbus send_msg;
allow insights_client_t var_log_t:file create;

#============= journalctl_t ==============
allow journalctl_t init_t:dir search;
~~~


One more on 'vdo status'

~~~
----
type=PROCTITLE msg=audit(01/05/2023 16:19:41.662:9609380) : proctitle=/usr/libexec/platform-python /usr/bin/vdo status
type=PATH msg=audit(01/05/2023 16:19:41.662:9609380) : item=0 name=/run/lock/vdo/_etc_vdoconf.yml.lock inode=375904 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/05/2023 16:19:41.662:9609380) : cwd=/
type=SYSCALL msg=audit(01/05/2023 16:19:41.662:9609380) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7f949e5f8a70 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=3543119 pid=3543120 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vdo exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(01/05/2023 16:19:41.662:9609380) : avc:  denied  { write } for  pid=3543120 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=375904 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

#============= insights_client_t ==============
allow insights_client_t var_lock_t:file write;
~~~


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-95.el8_6.5

Comment 1 Zdenek Pytela 2023-01-06 16:18:36 UTC
Most of the permissions are in the current policy.
What is still missing is:

type=PROCTITLE msg=audit(12/30/2022 09:59:36.139:7052) : proctitle=python3 /usr/bin/pmrep -t 1s -T 1s network.interface.out.packets network.interface.collisions swap.pagesout mssql.memory_manager
type=PATH msg=audit(12/30/2022 09:59:36.139:7052) : item=0 name=/run/pcp/pmcd.socket inode=30825 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcp_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 09:59:36.139:7052) : cwd=/
type=SOCKADDR msg=audit(12/30/2022 09:59:36.139:7052) : saddr={ saddr_fam=local path=/run/pcp/pmcd.socket }
type=SYSCALL msg=audit(12/30/2022 09:59:36.139:7052) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe2498d840 a2=0x6e a3=0x7ffe2498d8a8 items=1 ppid=11385 pid=11386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 09:59:36.139:7052) : avc:  denied  { connectto } for  pid=11386 comm=python3 path=/run/pcp/pmcd.socket scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket permissive=1

pmrep is not confined, so this requires a new pcp interface or even a more general solution.

The journalctl one is not related; it would require explicit usage of init_read_state(), a solution different to upstream policy.
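Comment 1 does by hand what a defender usually scripts: turn the raw AVC records from the description into candidate allow rules (the same shape audit2allow emits), drop the ones the installed policy already grants, and keep only what is still missing. The following is an added example and is not code from this bug report, from selinux-policy, or from audit2allow. The AVC records it parses are copied verbatim from the description above; the KNOWN_IN_POLICY set is a constructed stand-in for "rules the current policy already has" (in practice you would obtain that from sesearch on the target host), not a statement about what selinux-policy-3.14.3-95.el8_6.5 actually contains. It also separates denials by the permissive field, because in this report the insights_client_t records carry permissive=1 (the domain is permissive, so the access went ahead and was only logged) while the journalctl_t records carry permissive=0 (genuinely blocked), which is the distinction that decides whether a denial is an operational failure or only policy noise.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC and USER_AVC records copied from the bug
# report above, one record per line (PROCTITLE/SYSCALL/PATH lines omitted).
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/30/2022 09:59:06.257:7041) : avc:  denied  { map } for  pid=10960 comm=subscription-ma path=/dev/mem dev="devtmpfs" ino=9361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(12/30/2022 09:59:36.139:7052) : avc:  denied  { connectto } for  pid=11386 comm=python3 path=/run/pcp/pmcd.socket scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(12/30/2022 10:00:46.837:7117) : avc:  denied  { search } for  pid=12283 comm=journalctl name=1 dev="proc" ino=11462 scontext=system_u:system_r:journalctl_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(12/30/2022 10:00:48.264:7119) : pid=943 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.timedate1 spid=12369 tpid=12370 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=AVC msg=audit(01/05/2023 16:19:41.662:9609380) : avc:  denied  { write } for  pid=3543120 comm=vdo name=_etc_vdoconf.yml.lock dev="tmpfs" ino=375904 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
"""

# Constructed baseline: assume these rules are already granted by the
# installed policy (Comment 1 says "most of the permissions" are). On a real
# host derive this from `sesearch -A -s <domain>` instead of hard-coding it.
KNOWN_IN_POLICY = {
    "allow insights_client_t memory_device_t:chr_file map;",
    "allow insights_client_t timedatex_t:dbus send_msg;",
    "allow insights_client_t var_lock_t:file write;",
}

# Matches the avc body of both kernel AVC records and dbus USER_AVC records
# (in USER_AVC the avc text is nested inside msg='...', same field order).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avcs(text):
    """Extract (source type, target type, class, perms, enforced) per denial."""
    events = []
    for line in text.splitlines():
        if not (line.startswith("type=AVC") or line.startswith("type=USER_AVC")):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # malformed or truncated record: skip rather than guess
        events.append({
            # context is user:role:type[:range]; the type is the third field
            "source": m.group("scontext").split(":")[2],
            "target": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
            # permissive=0 means SELinux actually blocked the access;
            # permissive=1 means the domain was permissive and it was only logged
            "enforced": m.group("permissive") == "0",
        })
    return events


def allow_rules(events):
    """Collapse denials into audit2allow-style allow rules, one per triple."""
    grouped = defaultdict(set)
    for e in events:
        grouped[(e["source"], e["target"], e["tclass"])].update(e["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def missing_rules(events, known_rules):
    """Rules implied by the denials that the baseline policy does not grant."""
    known = set(known_rules)
    return [r for r in allow_rules(events) if r not in known]


def enforced_denials(events):
    """Denials that were really blocked (permissive=0), i.e. user-visible failures."""
    return [e for e in events if e["enforced"]]


if __name__ == "__main__":
    evs = parse_avcs(SAMPLE_AUDIT)
    print("# still missing from the baseline policy")
    for rule in missing_rules(evs, KNOWN_IN_POLICY):
        print(rule)
    print("# denials that were actually enforced")
    for e in enforced_denials(evs):
        print(f"{e['source']} -> {e['target']}:{e['tclass']} {sorted(e['perms'])}")
```

Run against the records from the report, the script leaves exactly the two rules Comment 1 singles out: the pcp connectto (which the maintainer says needs a proper pcp interface rather than a bare allow) and the journalctl search (which is unrelated to the insights-client domain). The enforced list contains only the journalctl_t denial, matching the permissive=0 in its record, while every insights_client_t record was permissive-only.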

Comment 13 errata-xmlrpc 2023-05-16 09:04:49 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

