Description of problem:
Something newly introduced by SCAP CIS policy and/or the selinux-policy released this week together triggers this AVC for insights compliance on the CIS policy:

~~~
$ rpm -q selinux-policy scap-security-guide
selinux-policy-3.14.3-95.el8_6.6.noarch
scap-security-guide-0.1.66-1.el8_6.noarch
~~~

~~~
sudo audit2allow -t insights_client_t -a
----
node=host.example.com type=PROCTITLE msg=audit(03/10/2023 06:24:21.245:32929) : proctitle=oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --lts /var/tmp/insights-client/insights-archiv
node=host.example.com type=PATH msg=audit(03/10/2023 06:24:21.245:32929) : item=0 name=/proc/irq inode=4026531861 dev=00:05 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_irq_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=host.example.com type=CWD msg=audit(03/10/2023 06:24:21.245:32929) : cwd=/root
node=host.example.com type=SYSCALL msg=audit(03/10/2023 06:24:21.245:32929) : arch=x86_64 syscall=openat success=yes exit=27 a0=AT_FDCWD a1=0x5601f768ca10 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=494573 pid=498401 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=probe_worker exe=/usr/bin/oscap subj=system_u:system_r:insights_client_t:s0-s0:c0.c1023 key=(null)
node=host.example.com type=AVC msg=audit(03/10/2023 06:24:21.245:32929) : avc: denied { read } for pid=498401 comm=probe_worker name=irq dev="proc" ino=4026531861 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
----
node=host.example.com type=PROCTITLE msg=audit(03/10/2023 06:24:21.245:32930) : proctitle=oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --lts /var/tmp/insights-client/insights-archiv
node=host.example.com type=PATH msg=audit(03/10/2023 06:24:21.245:32930) : item=0 name=/proc/irq/default_smp_affinity inode=4026531862 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_irq_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=host.example.com type=CWD msg=audit(03/10/2023 06:24:21.245:32930) : cwd=/root
node=host.example.com type=SYSCALL msg=audit(03/10/2023 06:24:21.245:32930) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x5601f768ca10 a1=0x5601f7692de0 a2=0x5601f7e0 a3=0x0 items=1 ppid=494573 pid=498401 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=probe_worker exe=/usr/bin/oscap subj=system_u:system_r:insights_client_t:s0-s0:c0.c1023 key=(null)
node=host.example.com type=AVC msg=audit(03/10/2023 06:24:21.245:32930) : avc: denied { getattr } for pid=498401 comm=probe_worker path=/proc/irq/default_smp_affinity dev="proc" ino=4026531862 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file permissive=1

$ sudo audit2allow -t insights_client_t -a

#============= insights_client_t ==============
allow insights_client_t sysctl_irq_t:dir read;
allow insights_client_t sysctl_irq_t:file getattr;
~~~

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-95.el8_6.6

How reproducible:
Always

Steps to Reproduce:
1. Register RHEL 8.6 host, having selinux-policy-3.14.3-95.el8_6.6, with Insights
2. Register it to the cis_server_l1 compliance policy.
3. Run `insights-client --compliance` command

Actual results:
Triggers this AVC for insights compliance on the CIS policy.

Expected results:
The compliance command should finish successfully without any AVC triggered.
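How the two allow rules at the end of the report follow from the AVC records, as an added Python example (not code from the report, from audit2allow or from selinux-policy): it parses AVC lines, groups the denied permissions by source type, target type and object class the way `audit2allow -t insights_client_t` does, and separately reports which source domains logged `permissive=1`, meaning the access was recorded but still granted, which is why the SYSCALL records above show `success=yes` even though an AVC was raised. The sample records are a constructed copy of the two AVC lines from the report plus one unrelated SYSCALL line to show that non-AVC records are ignored; the regex, function names and grouping behaviour are this example's own assumptions, not a description of audit2allow internals.

```python
"""Reduce SELinux AVC records to audit2allow-style allow rules.

Added illustration for this bug report. Not part of the report, audit2allow
or selinux-policy; all names below are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the report, plus one SYSCALL
# record that the parser must skip.
SAMPLE_AVCS = """\
type=AVC msg=audit(03/10/2023 06:24:21.245:32929) : avc: denied { read } for pid=498401 comm=probe_worker name=irq dev="proc" ino=4026531861 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/10/2023 06:24:21.245:32930) : avc: denied { getattr } for pid=498401 comm=probe_worker path=/proc/irq/default_smp_affinity dev="proc" ino=4026531862 scontext=system_u:system_r:insights_client_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(03/10/2023 06:24:21.245:32929) : arch=x86_64 syscall=openat success=yes exit=27
"""

# Assumed record shape: "avc: denied { perm ... } ... scontext=S tcontext=T
# tclass=C [permissive=0|1]".  Only these fields are needed for a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def domain_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, permissive) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, CWD, PROCTITLE records carry no denial
        yield (
            domain_type(m["scon"]),
            domain_type(m["tcon"]),
            m["tclass"],
            frozenset(m["perms"].split()),
            m["permissive"] == "1",
        )


def allow_rules(text, source_type=None):
    """Collapse denials into 'allow S T:class perms;' lines, one per
    (source, target, class) triple, optionally restricted to one source type
    like audit2allow -t."""
    grouped = defaultdict(set)
    for s, t, cls, perms, _ in parse_avcs(text):
        if source_type and s != source_type:
            continue
        grouped[(s, t, cls)] |= perms
    rules = []
    for (s, t, cls), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {s} {t}:{cls} {perm_str};")
    return rules


def permissive_domains(text):
    """Source types whose denials were logged with permissive=1: the kernel
    recorded the AVC but let the syscall proceed, so the caller never saw an
    EACCES and the bug only shows up in the audit log."""
    return sorted({s for s, _, _, _, perm in parse_avcs(text) if perm})


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS, "insights_client_t"):
        print(rule)
    print("permissive domains:", permissive_domains(SAMPLE_AVCS))
```

Run against the sample this prints exactly the two rules audit2allow produced in the report. The `permissive=1` flag is the caveat worth checking before packaging such rules into a local module: the denial did not break the compliance scan, so the only cost of waiting for the fixed selinux-policy is audit noise, and a hand-built local module built from permissive-domain denials tends to accumulate broader access than the maintainers' eventual fix grants.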
insights-client hasn't been allowed this permission in the latest selinux-policy package version
Commit to backport: 174e5da36 (HEAD -> rawhide, upstream/rawhide) Allow insights-client read all sysctls