Bug 2162663 - Can't register to Insights using a cloud-init script
Summary: Can't register to Insights using a cloud-init script
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-04-18
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 9.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Petr Hybl
URL:
Whiteboard:
Duplicates: 2184417
Depends On:
Blocks: 2188391
Reported: 2023-01-20 12:36 UTC by Juan Orti
Modified: 2023-11-07 11:22 UTC
CC: 10 users

Fixed In Version: selinux-policy-38.1.12-1.el9
Doc Type: Bug Fix
Doc Text:
.Registration to Insights through `cloud-init` is no longer blocked by SELinux

Previously, the SELinux policy did not contain a rule that allows the `cloud-init` script to run the `insights-client` service. Consequently, an attempt to run the `insights-client --register` command by the `cloud-init` script failed. With this update, the missing rule has been added to the policy, and you can register to Insights through `cloud-init` with SELinux in enforcing mode.
Clone Of:
Clones: 2188391
Environment:
Last Closed: 2023-11-07 08:52:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments
local_insights.pp module from 2023.04.06 (82.39 KB, application/octet-stream) - 2023-04-06 15:15 UTC, Zdenek Pytela - no flags

Links
System                                    | ID              | Private | Priority | Status | Summary                                                      | Last Updated
Github fedora-selinux selinux-policy pull | 1610            | 0       | None     | Merged | Allow cloud-init domain transition to insights-client domain | 2023-04-13 09:52:51 UTC
Red Hat Issue Tracker                     | RHELPLAN-145895 | 0       | None     | None   |                                                              | 2023-02-08 19:22:29 UTC
Red Hat Product Errata                    | RHBA-2023:6617  | 0       | None     | None   |                                                              | 2023-11-07 08:52:36 UTC

Description Juan Orti 2023-01-20 12:36:09 UTC
Description of problem:
Running "insights-client --register" from a cloud-init script fails with several AVCs

Version-Release number of selected component (if applicable):
selinux-policy-34.1.43-1.el9.noarch
insights-client-3.1.7-8.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Provision new RHEL 9.1 VM using the standard qcow2 image and using a cloud-init data like this:

~~~
  #cloud-config
  user: cloud-user
  ssh_authorized_keys:
    - ssh-rsa XXXXXX
  rh_subscription:
    activation-key: XXXXX
    org: XXXX
    auto-attach: true
  runcmd:
    - insights-client --register
~~~

Actual results:
The VM is subscribed, but insights-client failed:

# journalctl -b --no-hostname -u insights-client-results.service
Jan 20 07:18:28 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Jan 20 07:18:29 insights-client[15387]: No GPG-verified eggs can be found
Jan 20 07:18:29 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Jan 20 07:18:29 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
Jan 20 07:18:29 systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.


These AVCs were logged:

type=AVC msg=audit(1674217088.556:144): avc:  denied  { write } for  pid=14350 comm="dmidecode" path="/var/tmp/insights-client/insights-archive-1tjdmiqg/insights-rhel9-then-prawn-20230120121807/data/insights_commands/dmidecode" dev="vda4" ino=41943191 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217088.556:144): avc:  denied  { write } for  pid=14350 comm="dmidecode" path="/var/tmp/insights-client/insights-archive-1tjdmiqg/insights-rhel9-then-prawn-20230120121807/data/insights_commands/dmidecode" dev="vda4" ino=41943191 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217089.288:146): avc:  denied  { write } for  pid=14425 comm="dmidecode" path="/var/tmp/insights-client/insights-archive-1tjdmiqg/insights-rhel9-then-prawn-20230120121807/data/insights_commands/dmidecode_-s_system-uuid" dev="vda4" ino=41943193 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217089.288:146): avc:  denied  { write } for  pid=14425 comm="dmidecode" path="/var/tmp/insights-client/insights-archive-1tjdmiqg/insights-rhel9-then-prawn-20230120121807/data/insights_commands/dmidecode_-s_system-uuid" dev="vda4" ino=41943193 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217097.495:148): avc:  denied  { sendto } for  pid=696 comm="chronyd" path="/run/chrony/chronyc.14988.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1674217098.503:149): avc:  denied  { sendto } for  pid=696 comm="chronyd" path="/run/chrony/chronyc.14988.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1674217100.506:150): avc:  denied  { sendto } for  pid=696 comm="chronyd" path="/run/chrony/chronyc.14988.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1674217109.016:155): avc:  denied  { read } for  pid=15388 comm="gpg" name="pubring.kbx" dev="vda4" ino=13287 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217109.021:156): avc:  denied  { read } for  pid=15388 comm="gpg" name="pubring.kbx" dev="vda4" ino=13287 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217109.029:157): avc:  denied  { read write } for  pid=15388 comm="gpg" name="trustdb.gpg" dev="vda4" ino=13289 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217109.030:158): avc:  denied  { read } for  pid=15388 comm="gpg" name="trustdb.gpg" dev="vda4" ino=13289 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0


Expected results:
We want to automate the insights registration at provisioning time.

Additional info:

Comment 1 Zdenek Pytela 2023-01-27 09:28:58 UTC
Juan,

Could you enable full auditing and use the latest selinux-policy build?
https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=29781


1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

As we have very little experience with cloud-init, will you also be able to describe briefly the chain of commands?

Comment 2 Juan Orti 2023-01-27 12:31:45 UTC
(In reply to Zdenek Pytela from comment #1)
> Juan,
> 
> Could you enable full auditing and use the latest selinux-policy build?
> https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=29781

It's still failing:

# journalctl -b --no-hostname -u insights-client-results.service
Jan 27 07:04:07 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Jan 27 07:04:08 insights-client[16468]: No GPG-verified eggs can be found
Jan 27 07:04:08 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Jan 27 07:04:08 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
Jan 27 07:04:08 systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.

# rpm -qa |grep selinux-policy
selinux-policy-38.1.5-1.el9.noarch
selinux-policy-targeted-38.1.5-1.el9.noarch

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(01/27/23 07:02:39.213:56) : proctitle=sss_cache -UG 
type=EXECVE msg=audit(01/27/23 07:02:39.213:56) : argc=2 a0=sss_cache a1=-UG 
type=SYSCALL msg=audit(01/27/23 07:02:39.213:56) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x560fb7a89ce4 a1=0x7fff1d7b3850 a2=0x7fff1d7b3848 a3=0x7f21ad230008 items=0 ppid=1292 pid=1310 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sss_cache exe=/usr/sbin/sss_cache subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:02:39.213:56) : avc:  denied  { write } for  pid=1310 comm=sss_cache path=pipe:[23156] dev="pipefs" ino=23156 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(01/27/23 07:02:39.213:56) : avc:  denied  { write } for  pid=1310 comm=sss_cache path=pipe:[23155] dev="pipefs" ino=23155 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(01/27/23 07:02:39.213:56) : avc:  denied  { read } for  pid=1310 comm=sss_cache path=pipe:[23154] dev="pipefs" ino=23154 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:02:39.241:58) : proctitle=sss_cache -U 
type=EXECVE msg=audit(01/27/23 07:02:39.241:58) : argc=2 a0=sss_cache a1=-U 
type=SYSCALL msg=audit(01/27/23 07:02:39.241:58) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x560fb7a89ce4 a1=0x7fff1d7b3c80 a2=0x7fff1d7b3c78 a3=0x7f21ad230008 items=0 ppid=1292 pid=1313 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sss_cache exe=/usr/sbin/sss_cache subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:02:39.241:58) : avc:  denied  { write } for  pid=1313 comm=sss_cache path=pipe:[23156] dev="pipefs" ino=23156 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(01/27/23 07:02:39.241:58) : avc:  denied  { write } for  pid=1313 comm=sss_cache path=pipe:[23155] dev="pipefs" ino=23155 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(01/27/23 07:02:39.241:58) : avc:  denied  { read } for  pid=1313 comm=sss_cache path=pipe:[23154] dev="pipefs" ino=23154 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:47.633:187) : proctitle=/usr/sbin/dmidecode -s system-uuid 
type=PATH msg=audit(01/27/23 07:03:47.633:187) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16797841 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/27/23 07:03:47.633:187) : item=0 name=/usr/sbin/dmidecode inode=8388753 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dmidecode_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:47.633:187) : cwd=/ 
type=EXECVE msg=audit(01/27/23 07:03:47.633:187) : argc=3 a0=/usr/sbin/dmidecode a1=-s a2=system-uuid 
type=SYSCALL msg=audit(01/27/23 07:03:47.633:187) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffdb02aef78 a1=0x7ffdb02acfa8 a2=0x7ffdb02acfc8 a3=0x8 items=2 ppid=15302 pid=15303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmidecode exe=/usr/sbin/dmidecode subj=system_u:system_r:dmidecode_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:47.633:187) : avc:  denied  { write } for  pid=15303 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode_-s_system-uuid dev="vda4" ino=92275230 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
type=AVC msg=audit(01/27/23 07:03:47.633:187) : avc:  denied  { write } for  pid=15303 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode_-s_system-uuid dev="vda4" ino=92275230 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:48.517:188) : proctitle=/usr/sbin/dmidecode 
type=PATH msg=audit(01/27/23 07:03:48.517:188) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16797841 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/27/23 07:03:48.517:188) : item=0 name=/usr/sbin/dmidecode inode=8388753 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dmidecode_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:48.517:188) : cwd=/ 
type=EXECVE msg=audit(01/27/23 07:03:48.517:188) : argc=1 a0=/usr/sbin/dmidecode 
type=SYSCALL msg=audit(01/27/23 07:03:48.517:188) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc7f6fbf87 a1=0x7ffc7f6fb5e8 a2=0x7ffc7f6fb5f8 a3=0x8 items=2 ppid=15383 pid=15384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmidecode exe=/usr/sbin/dmidecode subj=system_u:system_r:dmidecode_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:48.517:188) : avc:  denied  { write } for  pid=15384 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode dev="vda4" ino=92275240 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
type=AVC msg=audit(01/27/23 07:03:48.517:188) : avc:  denied  { write } for  pid=15384 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode dev="vda4" ino=92275240 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:52.707:191) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(01/27/23 07:03:52.707:191) : item=0 name=/run/chrony/chronyc.15578.sock inode=1220 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:52.707:191) : cwd=/ 
type=SOCKADDR msg=audit(01/27/23 07:03:52.707:191) : saddr={ saddr_fam=local path=/run/chrony/chronyc.15578.sock } 
type=SYSCALL msg=audit(01/27/23 07:03:52.707:191) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe3c2e3a10 a2=0x0 a3=0x7f9e5d93a3e0 items=1 ppid=1 pid=696 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:52.707:191) : avc:  denied  { sendto } for  pid=696 comm=chronyd path=/run/chrony/chronyc.15578.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:53.713:192) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(01/27/23 07:03:53.713:192) : item=0 name=/run/chrony/chronyc.15578.sock inode=1220 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:53.713:192) : cwd=/ 
type=SOCKADDR msg=audit(01/27/23 07:03:53.713:192) : saddr={ saddr_fam=local path=/run/chrony/chronyc.15578.sock } 
type=SYSCALL msg=audit(01/27/23 07:03:53.713:192) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe3c2e3a10 a2=0x0 a3=0x7f9e5d93a3e0 items=1 ppid=1 pid=696 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:53.713:192) : avc:  denied  { sendto } for  pid=696 comm=chronyd path=/run/chrony/chronyc.15578.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:55.715:193) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(01/27/23 07:03:55.715:193) : item=0 name=/run/chrony/chronyc.15578.sock inode=1220 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:55.715:193) : cwd=/ 
type=SOCKADDR msg=audit(01/27/23 07:03:55.715:193) : saddr={ saddr_fam=local path=/run/chrony/chronyc.15578.sock } 
type=SYSCALL msg=audit(01/27/23 07:03:55.715:193) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe3c2e3a10 a2=0x0 a3=0x7f9e5d93a3e0 items=1 ppid=1 pid=696 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:55.715:193) : avc:  denied  { sendto } for  pid=696 comm=chronyd path=/run/chrony/chronyc.15578.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:04:08.004:199) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(01/27/23 07:04:08.004:199) : item=0 name=/root/.gnupg/pubring.kbx inode=67109390 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:04:08.004:199) : cwd=/ 
type=SYSCALL msg=audit(01/27/23 07:04:08.004:199) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55657c18f6a0 a2=O_RDONLY a3=0x0 items=1 ppid=16468 pid=16469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:04:08.004:199) : avc:  denied  { read } for  pid=16469 comm=gpg name=pubring.kbx dev="vda4" ino=67109390 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:04:08.010:200) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(01/27/23 07:04:08.010:200) : item=0 name=/root/.gnupg/pubring.kbx inode=67109390 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:04:08.010:200) : cwd=/ 
type=SYSCALL msg=audit(01/27/23 07:04:08.010:200) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55657c18f6a0 a1=R_OK a2=0x1 a3=0x0 items=1 ppid=16468 pid=16469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:04:08.010:200) : avc:  denied  { read } for  pid=16469 comm=gpg name=pubring.kbx dev="vda4" ino=67109390 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:04:08.018:201) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(01/27/23 07:04:08.018:201) : item=0 name=/root/.gnupg/trustdb.gpg inode=67109392 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:04:08.018:201) : cwd=/ 
type=SYSCALL msg=audit(01/27/23 07:04:08.018:201) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55657c1b8ed0 a2=O_RDWR a3=0x0 items=1 ppid=16468 pid=16469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:04:08.018:201) : avc:  denied  { read write } for  pid=16469 comm=gpg name=trustdb.gpg dev="vda4" ino=67109392 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:04:08.018:202) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(01/27/23 07:04:08.018:202) : item=0 name=/root/.gnupg/trustdb.gpg inode=67109392 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:04:08.018:202) : cwd=/ 
type=SYSCALL msg=audit(01/27/23 07:04:08.018:202) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55657c1b8ed0 a2=O_RDONLY a3=0x0 items=1 ppid=16468 pid=16469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:04:08.018:202) : avc:  denied  { read } for  pid=16469 comm=gpg name=trustdb.gpg dev="vda4" ino=67109392 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
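
An added example, not code from the bug or from selinux-policy: a small Python summariser for the AVC records quoted in the description and in comment 2 (and re-collected in comment 11 after the custom module). It parses both the raw audit.log format and the `ausearch -i` interpreted format, groups denials by source type, target type, object class and permissions, and flags those whose target is a cloud_init type, so the denials that stem from insights-client having run in cloud_init_t instead of transitioning to insights_client_t stand out from unrelated ones such as gpg reading /root/.gnupg. The sample records are shortened, constructed copies of the ones quoted above.

```python
"""Summarise SELinux AVC denials from audit output.

Handles both the raw audit.log form quoted in the bug description (numeric
timestamp, double-quoted values) and the `ausearch -i` interpreted form quoted
in comment 2 (human-readable timestamp, mostly unquoted values). Non-AVC
records (SYSCALL, PATH, PROCTITLE, separators) are skipped.
"""
import re
from collections import Counter

# Constructed sample input: shortened copies of denials quoted in this bug,
# in both formats, plus a separator and a SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1674217088.556:144): avc:  denied  { write } for  pid=14350 comm="dmidecode" path="/var/tmp/insights-client/archive/data/insights_commands/dmidecode" dev="vda4" ino=41943191 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674217097.495:148): avc:  denied  { sendto } for  pid=696 comm="chronyd" path="/run/chrony/chronyc.14988.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1674217109.016:155): avc:  denied  { read } for  pid=15388 comm="gpg" name="pubring.kbx" dev="vda4" ino=13287 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
type=SYSCALL msg=audit(01/27/23 07:02:39.213:56) : arch=x86_64 syscall=execve success=yes exit=0 comm=sss_cache exe=/usr/sbin/sss_cache subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(01/27/23 07:02:39.213:56) : avc:  denied  { write } for  pid=1310 comm=sss_cache path=pipe:[23156] dev="pipefs" ino=23156 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(01/27/23 07:03:48.517:188) : avc:  denied  { write } for  pid=15384 comm=dmidecode path=/var/tmp/insights-client/archive/data/insights_commands/dmidecode dev="vda4" ino=92275240 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/27/23 07:04:08.018:201) : avc:  denied  { read write } for  pid=16469 comm=gpg name=trustdb.gpg dev="vda4" ino=67109392 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

# Everything up to "for" is the record header; the permission set sits in braces.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either double-quoted or runs to the next space.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "source": selinux_type(fields.get("scontext", "")),
        "target": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        # Files are identified by name= or path=; sockets and pipes use path=.
        "object": fields.get("path") or fields.get("name") or "",
        "enforcing": fields.get("permissive") == "0",
    }


def summarize(audit_text):
    """Count denials grouped by (source type, target type, class, perms)."""
    counts = Counter()
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            counts[(d["source"], d["target"], d["tclass"], d["perms"])] += 1
    return counts


def format_summary(counts):
    """Render the grouped counts, most frequent first, flagging targets whose
    type belongs to cloud-init: the object was created by, or the peer still
    runs as, cloud_init_t, which is what a missing domain transition looks like."""
    out = []
    for (src, tgt, cls, perms), n in counts.most_common():
        flag = "  [target is a cloud-init type]" if tgt.startswith("cloud_init") else ""
        out.append(f"{n:3d}  {src} -> {tgt}  {cls} {{ {' '.join(perms)} }}{flag}")
    return out


if __name__ == "__main__":
    print("\n".join(format_summary(summarize(SAMPLE_AUDIT))))
```

Feed it the output of `ausearch -m avc,user_avc -ts today` (raw) or of the `ausearch -i ...` command from comment 1; after installing the module from comment 7 the flagged dmidecode_t -> cloud_init_tmp_t group should disappear, while the gpg_t -> admin_home_t group is a separate issue.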

Comment 4 Zdenek Pytela 2023-02-08 19:22:06 UTC
Juan,

I still have 2 questions:
1. Directories like /var/tmp/insights-client/insights-archive-w8wczyrc/ should have the insights_client_tmp_t type, but they have cloud_init_tmp_t: were they created by cloud-init? Similarly for gpg: did it run the gpg client?
2. Chronyd wants to communicate with a client which has the cloud_init_t type: was chronyc started by cloud-init? Similarly for the sssd client.


type=PROCTITLE msg=audit(01/27/23 07:03:48.517:188) : proctitle=/usr/sbin/dmidecode 
type=PATH msg=audit(01/27/23 07:03:48.517:188) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16797841 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/27/23 07:03:48.517:188) : item=0 name=/usr/sbin/dmidecode inode=8388753 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dmidecode_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:48.517:188) : cwd=/ 
type=EXECVE msg=audit(01/27/23 07:03:48.517:188) : argc=1 a0=/usr/sbin/dmidecode 
type=SYSCALL msg=audit(01/27/23 07:03:48.517:188) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc7f6fbf87 a1=0x7ffc7f6fb5e8 a2=0x7ffc7f6fb5f8 a3=0x8 items=2 ppid=15383 pid=15384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmidecode exe=/usr/sbin/dmidecode subj=system_u:system_r:dmidecode_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:48.517:188) : avc:  denied  { write } for  pid=15384 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode dev="vda4" ino=92275240 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
type=AVC msg=audit(01/27/23 07:03:48.517:188) : avc:  denied  { write } for  pid=15384 comm=dmidecode path=/var/tmp/insights-client/insights-archive-w8wczyrc/insights-rhel9-defeated-cobra-20230127120347/data/insights_commands/dmidecode dev="vda4" ino=92275240 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/27/23 07:03:52.707:191) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(01/27/23 07:03:52.707:191) : item=0 name=/run/chrony/chronyc.15578.sock inode=1220 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/27/23 07:03:52.707:191) : cwd=/ 
type=SOCKADDR msg=audit(01/27/23 07:03:52.707:191) : saddr={ saddr_fam=local path=/run/chrony/chronyc.15578.sock } 
type=SYSCALL msg=audit(01/27/23 07:03:52.707:191) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe3c2e3a10 a2=0x0 a3=0x7f9e5d93a3e0 items=1 ppid=1 pid=696 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(01/27/23 07:03:52.707:191) : avc:  denied  { sendto } for  pid=696 comm=chronyd path=/run/chrony/chronyc.15578.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----

Comment 6 Juan Orti 2023-02-09 11:41:42 UTC
(In reply to Zdenek Pytela from comment #4)
> Juan,
> 
> I still have 2 questions:
> 1. Directories like /var/tmp/insights-client/insights-archive-w8wczyrc/
> should have the insights_client_tmp_t type, but they have cloud_init_tmp_t:
> were they created by cloud-init? Similar for gpg, did it run gpg client?


In the user data I'm providing to cloud-init there's the "runcmd" module with a list of commands that are run by cloud-init using the sh shell.

Both the /var/tmp/insights-client and gpg files are created when cloud-init runs the "insights-client --register" command.


> 2. Chronyd wants to communicate with a client which has the cloud_init_t
> type: was chronyc started by cloud-init? Similar for sssd client.

I've checked the logs and the sss AVC happened right after cloud-init changed the password of the user and restarted the sshd service.
About chrony, I see that it happened after enabling and starting insights-client.timer as part of the "insights-client --register" command.

Comment 7 Zdenek Pytela 2023-02-15 12:55:43 UTC
Juan,

Could you try the following SELinux custom module?

rhel92# dnf -y install selinux-policy-devel
rhel92# cat local_insights.te
policy_module(local_insights, 1.0)

gen_require(`
        type cloud_init_t;
')


insights_client_domtrans(cloud_init_t);

rhel92# make -f /usr/share/selinux/devel/Makefile local_insights.pp
rhel92# semodule -i local_insights.pp

reproduce and look for current denials?

rhel92# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 9 Juan Orti 2023-02-17 14:55:01 UTC
(In reply to Zdenek Pytela from comment #7)
> Juan,
> 
> Could you try the following SELinux custom module?


You mean testing with that module in addition to the packages from comment #1?

Comment 10 Zdenek Pytela 2023-02-17 17:25:53 UTC
(In reply to Juan Orti from comment #9)
> (In reply to Zdenek Pytela from comment #7)
> > Juan,
> > 
> > Could you try the following SELinux custom module?
> 
> 
> You mean testing with that module in addition to the packages from comment
> #1?

Yes, I meant to use the updated packages, which contain support for all features known until now, if this is possible.
Additionally, use the module from #c7 (or #c8) to see if the new permission set is sufficient.

Comment 11 Juan Orti 2023-02-18 09:33:07 UTC
Tested again adding the custom SELinux module. I paste the results below.

Note that for this test I had to boot 2 times, and the boot in which cloud-init runs "insights-client --register" starts at 2023-02-18 04:22:10.


# rpm -qa|grep selinux-policy
selinux-policy-38.1.5-1.el9.noarch
selinux-policy-targeted-38.1.5-1.el9.noarch
selinux-policy-devel-38.1.5-1.el9.noarch

# semodule -l |grep local_insights
local_insights

# journalctl --list-boots
 0 d7cdbed47cce4ec98ae54be323c3edbb Sat 2023-02-18 04:22:10 EST—Sat 2023-02-18 04:23:13 EST

# journalctl -b --no-hostname -u insights-client-results.service
Feb 18 04:22:57 systemd[1]: Starting Check for insights from Red Hat Cloud Services...
Feb 18 04:22:57 insights-client[2622]: No GPG-verified eggs can be found
Feb 18 04:22:57 systemd[1]: insights-client-results.service: Main process exited, code=exited, status=1/FAILURE
Feb 18 04:22:57 systemd[1]: insights-client-results.service: Failed with result 'exit-code'.
Feb 18 04:22:57 systemd[1]: Failed to start Check for insights from Red Hat Cloud Services.
 
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(02/18/23 04:13:49.664:57) : proctitle=sss_cache -UG 
type=EXECVE msg=audit(02/18/23 04:13:49.664:57) : argc=2 a0=sss_cache a1=-UG 
type=SYSCALL msg=audit(02/18/23 04:13:49.664:57) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5645be26ace4 a1=0x7fffe0c3f240 a2=0x7fffe0c3f238 a3=0x7f40d05e0008 items=0 ppid=1289 pid=1305 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sss_cache exe=/usr/sbin/sss_cache subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:13:49.664:57) : avc:  denied  { write } for  pid=1305 comm=sss_cache path=pipe:[23163] dev="pipefs" ino=23163 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(02/18/23 04:13:49.664:57) : avc:  denied  { write } for  pid=1305 comm=sss_cache path=pipe:[23162] dev="pipefs" ino=23162 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(02/18/23 04:13:49.664:57) : avc:  denied  { read } for  pid=1305 comm=sss_cache path=pipe:[23161] dev="pipefs" ino=23161 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:13:49.693:59) : proctitle=sss_cache -U 
type=EXECVE msg=audit(02/18/23 04:13:49.693:59) : argc=2 a0=sss_cache a1=-U 
type=SYSCALL msg=audit(02/18/23 04:13:49.693:59) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5645be26ace4 a1=0x7fffe0c3f670 a2=0x7fffe0c3f668 a3=0x7f40d05e0008 items=0 ppid=1289 pid=1311 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sss_cache exe=/usr/sbin/sss_cache subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:13:49.693:59) : avc:  denied  { write } for  pid=1311 comm=sss_cache path=pipe:[23163] dev="pipefs" ino=23163 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(02/18/23 04:13:49.693:59) : avc:  denied  { write } for  pid=1311 comm=sss_cache path=pipe:[23162] dev="pipefs" ino=23162 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
type=AVC msg=audit(02/18/23 04:13:49.693:59) : avc:  denied  { read } for  pid=1311 comm=sss_cache path=pipe:[23161] dev="pipefs" ino=23161 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:36.282:80) : proctitle=/usr/sbin/dmidecode 
type=PATH msg=audit(02/18/23 04:22:36.282:80) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16797841 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/18/23 04:22:36.282:80) : item=0 name=/usr/sbin/dmidecode inode=8388753 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dmidecode_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:36.282:80) : cwd=/ 
type=EXECVE msg=audit(02/18/23 04:22:36.282:80) : argc=1 a0=/usr/sbin/dmidecode 
type=SYSCALL msg=audit(02/18/23 04:22:36.282:80) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffe0ab8bf87 a1=0x7ffe0ab8a348 a2=0x7ffe0ab8a358 a3=0x8 items=2 ppid=1494 pid=1495 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmidecode exe=/usr/sbin/dmidecode subj=system_u:system_r:dmidecode_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:36.282:80) : avc:  denied  { write } for  pid=1495 comm=dmidecode path=/var/tmp/insights-client/insights-archive-ariy92mj/insights-rhel9-idr8j3x7qjmpl155-20230218092235/data/insights_commands/dmidecode dev="vda4" ino=50336263 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
type=AVC msg=audit(02/18/23 04:22:36.282:80) : avc:  denied  { write } for  pid=1495 comm=dmidecode path=/var/tmp/insights-client/insights-archive-ariy92mj/insights-rhel9-idr8j3x7qjmpl155-20230218092235/data/insights_commands/dmidecode dev="vda4" ino=50336263 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:36.325:82) : proctitle=/usr/sbin/dmidecode -s system-uuid 
type=PATH msg=audit(02/18/23 04:22:36.325:82) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16797841 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/18/23 04:22:36.325:82) : item=0 name=/usr/sbin/dmidecode inode=8388753 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dmidecode_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:36.325:82) : cwd=/ 
type=EXECVE msg=audit(02/18/23 04:22:36.325:82) : argc=3 a0=/usr/sbin/dmidecode a1=-s a2=system-uuid 
type=SYSCALL msg=audit(02/18/23 04:22:36.325:82) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffe0768bf78 a1=0x7ffe0768a928 a2=0x7ffe0768a948 a3=0x8 items=2 ppid=1503 pid=1504 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmidecode exe=/usr/sbin/dmidecode subj=system_u:system_r:dmidecode_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:36.325:82) : avc:  denied  { write } for  pid=1504 comm=dmidecode path=/var/tmp/insights-client/insights-archive-ariy92mj/insights-rhel9-idr8j3x7qjmpl155-20230218092235/data/insights_commands/dmidecode_-s_system-uuid dev="vda4" ino=50336265 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
type=AVC msg=audit(02/18/23 04:22:36.325:82) : avc:  denied  { write } for  pid=1504 comm=dmidecode path=/var/tmp/insights-client/insights-archive-ariy92mj/insights-rhel9-idr8j3x7qjmpl155-20230218092235/data/insights_commands/dmidecode_-s_system-uuid dev="vda4" ino=50336265 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:42.093:111) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(02/18/23 04:22:42.093:111) : item=0 name=/run/chrony/chronyc.2012.sock inode=1119 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:42.093:111) : cwd=/ 
type=SOCKADDR msg=audit(02/18/23 04:22:42.093:111) : saddr={ saddr_fam=local path=/run/chrony/chronyc.2012.sock } 
type=SYSCALL msg=audit(02/18/23 04:22:42.093:111) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe4504aeb0 a2=0x0 a3=0x7f26353fe3e0 items=1 ppid=1 pid=693 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:42.093:111) : avc:  denied  { sendto } for  pid=693 comm=chronyd path=/run/chrony/chronyc.2012.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:43.102:112) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(02/18/23 04:22:43.102:112) : item=0 name=/run/chrony/chronyc.2012.sock inode=1119 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:43.102:112) : cwd=/ 
type=SOCKADDR msg=audit(02/18/23 04:22:43.102:112) : saddr={ saddr_fam=local path=/run/chrony/chronyc.2012.sock } 
type=SYSCALL msg=audit(02/18/23 04:22:43.102:112) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe4504aeb0 a2=0x0 a3=0x7f26353fe3e0 items=1 ppid=1 pid=693 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:43.102:112) : avc:  denied  { sendto } for  pid=693 comm=chronyd path=/run/chrony/chronyc.2012.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:45.104:117) : proctitle=/usr/sbin/chronyd -F 2 
type=PATH msg=audit(02/18/23 04:22:45.104:117) : item=0 name=/run/chrony/chronyc.2012.sock inode=1119 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:45.104:117) : cwd=/ 
type=SOCKADDR msg=audit(02/18/23 04:22:45.104:117) : saddr={ saddr_fam=local path=/run/chrony/chronyc.2012.sock } 
type=SYSCALL msg=audit(02/18/23 04:22:45.104:117) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7ffe4504aeb0 a2=0x0 a3=0x7f26353fe3e0 items=1 ppid=1 pid=693 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:45.104:117) : avc:  denied  { sendto } for  pid=693 comm=chronyd path=/run/chrony/chronyc.2012.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:57.132:119) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(02/18/23 04:22:57.132:119) : item=0 name=/root/.gnupg/pubring.kbx inode=84207591 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:57.132:119) : cwd=/ 
type=SYSCALL msg=audit(02/18/23 04:22:57.132:119) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5642683bc6a0 a2=O_RDONLY a3=0x0 items=1 ppid=2622 pid=2623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:57.132:119) : avc:  denied  { read } for  pid=2623 comm=gpg name=pubring.kbx dev="vda4" ino=84207591 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:57.138:120) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(02/18/23 04:22:57.138:120) : item=0 name=/root/.gnupg/pubring.kbx inode=84207591 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:57.138:120) : cwd=/ 
type=SYSCALL msg=audit(02/18/23 04:22:57.138:120) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x5642683bc6a0 a1=R_OK a2=0x1 a3=0x0 items=1 ppid=2622 pid=2623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:57.138:120) : avc:  denied  { read } for  pid=2623 comm=gpg name=pubring.kbx dev="vda4" ino=84207591 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:57.147:121) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(02/18/23 04:22:57.147:121) : item=0 name=/root/.gnupg/trustdb.gpg inode=84207593 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:57.147:121) : cwd=/ 
type=SYSCALL msg=audit(02/18/23 04:22:57.147:121) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5642683e5ed0 a2=O_RDWR a3=0x0 items=1 ppid=2622 pid=2623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:57.147:121) : avc:  denied  { read write } for  pid=2623 comm=gpg name=trustdb.gpg dev="vda4" ino=84207593 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/18/23 04:22:57.153:122) : proctitle=/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg /etc/insights-client/rpm.egg.asc /etc/insights-client/r 
type=PATH msg=audit(02/18/23 04:22:57.153:122) : item=0 name=/root/.gnupg/trustdb.gpg inode=84207593 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/18/23 04:22:57.153:122) : cwd=/ 
type=SYSCALL msg=audit(02/18/23 04:22:57.153:122) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5642683e5ed0 a2=O_RDONLY a3=0x0 items=1 ppid=2622 pid=2623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) 
type=AVC msg=audit(02/18/23 04:22:57.153:122) : avc:  denied  { read } for  pid=2623 comm=gpg name=trustdb.gpg dev="vda4" ino=84207593 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0

Comment 13 Matthew Yee 2023-04-04 15:57:53 UTC
Problem exists with RHEL 9.0 and 9.1.

Comment 14 Sanne Raymaekers 2023-04-04 15:58:22 UTC
*** Bug 2184417 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2023-04-06 15:15:07 UTC
Try the following module update or use the attached compiled pp module. Please let me know which packages you use, and if possible, use the latest package version which is selinux-policy-34.1.43-1.el9_1.2 in RHEL 9.1 and selinux-policy-38.1.11-2 in RHEL 9.2.

1a.
rhel92# dnf -y install selinux-policy-devel
rhel92# cat local_insights.te
policy_module(local_insights, 1.0)

gen_require(`
        type cloud_init_t, cloud_init_tmp_t;
        type chronyd_t, dmidecode_t, sssd_t;
')

insights_client_domtrans(cloud_init_t)

allow chronyd_t cloud_init_t:unix_dgram_socket sendto;
allow dmidecode_t cloud_init_tmp_t:file write;
allow sssd_t cloud_init_t:fifo_file { read write };

1b.
Download local_insights.pp from today

2.
rhel92# make -f /usr/share/selinux/devel/Makefile local_insights.pp
rhel92# semodule -i local_insights.pp
rhel92# mv /root/.gnupg /root/.gnupg.old

3.
<reproduce>

rhel92# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
rhel92# ls -laZ /root/.gnupg


Unfortunately, I don't know if the .gnupg directory has been created before the previous test, so we need to let it create again and find out which service created it if the context is not correct.

@myee, please test with the provided SELinux local module.
In the meantime, I'll update the Fedora PR.
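
The denials pasted in comment 11 map onto the allow rules in comment 17 one (source type, target type, class) triple at a time. As an added example, not code from this bug or from selinux-policy, the Python script below does that grouping over constructed lines in the same ausearch format and renders a .te in the module's style; the home-directory heuristic it uses to hold back the gpg_t denials is an assumption of the example, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ausearch output in this bug:
# one denial per (source type, target type, class) triple seen there.
SAMPLE_AVCS = """\
type=AVC msg=audit(02/18/23 04:13:49.664:57) : avc:  denied  { write } for  pid=1305 comm=sss_cache path=pipe:[23163] dev="pipefs" ino=23163 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(02/18/23 04:13:49.664:57) : avc:  denied  { read } for  pid=1305 comm=sss_cache path=pipe:[23161] dev="pipefs" ino=23161 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(02/18/23 04:22:36.282:80) : avc:  denied  { write } for  pid=1495 comm=dmidecode path=/var/tmp/insights-client/dmidecode dev="vda4" ino=50336263 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:cloud_init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/18/23 04:22:42.093:111) : avc:  denied  { sendto } for  pid=693 comm=chronyd path=/run/chrony/chronyc.2012.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(02/18/23 04:22:57.147:121) : avc:  denied  { read write } for  pid=2623 comm=gpg name=trustdb.gpg dev="vda4" ino=84207593 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

# Pull the permission set and the bare source/target types out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Group denials as {(source_type, target_type, class): {permissions}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def suspicious(rules):
    """Heuristic (assumption, not from the bug): a denial against a home-directory
    type usually means mislabelled files (the thread moves /root/.gnupg aside and
    re-checks its context) rather than a missing rule. Returns keys to hold back."""
    return [key for key in sorted(rules) if key[1].endswith("home_t")]

def render_te(rules, name="local_insights", version="1.0"):
    """Render reviewed rules as a .te in the style of the module in this bug."""
    types = sorted({ty for s, t, _ in rules for ty in (s, t)})
    out = [f"policy_module({name}, {version})", "", "gen_require(`",
           "        type " + ", ".join(types) + ";", "')", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{cls} {p};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    held = suspicious(found)
    print(render_te({k: v for k, v in found.items() if k not in held}))
```

audit2allow -M does the same aggregation straight from ausearch output; exposing the step lets each candidate rule be reviewed before semodule -i, and interface calls such as insights_client_domtrans, which no AVC line implies, still have to be added by hand.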

Comment 18 Zdenek Pytela 2023-04-06 15:15:57 UTC
Created attachment 1956096 [details]
local_insights.pp module from 2023.04.06

Comment 38 errata-xmlrpc 2023-11-07 08:52:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
