2183351 – SELinux prevents the insights-client service from executing the ipcs command

Bug 2183351 - SELinux prevents the insights-client service from executing the ipcs command

Summary: SELinux prevents the insights-client service from executing the ipcs command

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.7
Hardware:	x86_64
OS:	Linux
Priority:	urgent
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-03-30 22:35 UTC by Nikhil Gupta
Modified:	2023-08-15 07:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.3-119.el8
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1653	None	open	Allow insights-client get quotas of all filesystems	2023-04-20 19:06:29 UTC
Red Hat Issue Tracker	RHELPLAN-153693	None	None	None	2023-03-30 22:36:47 UTC
Red Hat Issue Tracker	RHELPLAN-153694	None	None	None	2023-03-30 22:36:49 UTC

Description Nikhil Gupta 2023-03-30 22:35:56 UTC

Description of problem:
SELinux prevents the insights-client service from executing the ipcs command.

----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.721:40170) : proctitle=/usr/bin/ipcs -s -i 3
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.721:40170) : ouid=root ogid=root mode=000,666 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.721:40170) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=206100 pid=206101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc:  denied  { read } for  pid=206101 comm=ipcs ipc_key=1913520266  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----


Version-Release number of selected component (if applicable):
4.18.0-425.13.1.el8_7.x86_64
selinux-policy-targeted-3.14.3-117.el8.noarch
selinux-policy-3.14.3-117.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a fresh VM with plain  RHEL8.7 with SELinux enforced.
2. After 24 hours of life this VM produced SELinux avc: denied errors

Actual results:
AVC denials for ipcs are reporting.
----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.727:40171) : proctitle=/usr/bin/ipcs -s -i 13
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.727:40171) : ouid=root ogid=root mode=000,664 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.727:40171) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0xd a1=0x0 a2=0xc a3=0x0 items=0 ppid=206103 pid=206104 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc:  denied  { read } for  pid=206104 comm=ipcs ipc_key=17695361  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----

Expected results:
Insights-client scheduled run should run without any avc denials.

Additional info:
#  sealert -l 14c6dfc5-a727-46db-971f-bd543147990f| grep -P ^Hash:
Hash: ipcs,insights_client_t,unconfined_service_t,sem,unix_read

Comment 2 Zdenek Pytela 2023-03-31 11:05:46 UTC

Do you happen to know which service is being checked? It is not a part of audit records. List of services can be found e. g. with

# ps -eo pid,ppid,command,context | grep unconfined_service_[t]

In the policy there is only
rhel89# sesearch -A -s insights_client_t -t unconfined_service_t -c sem
allow insights_client_t domain:sem unix_read;

Will you be able to try a local SELinux module to check if adding the permission is sufficient?

  # cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (read)))
  # semodule -i local_unconfinedservice_semread.cil

To remove the module afterwards:
  # semodule -r local_unconfinedservice_semread

Comment 5 Zdenek Pytela 2023-04-06 10:53:29 UTC

Hi,

So the module should contain

  # cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (getattr read)))
  # semodule -i local_unconfinedservice_semread.cil

The current version of the insights-client service should make the domain permissive which would make easier to gather all required permissions, but apparently it is not the case here - see permissive=0 in the output.

The ps command unfortunately did not help much as there are multiple services running in the unconfined_service_t domain.

Can you try to find out what is the service? Perhaps

  # ipcs -a

or another command to check IPC resources.
Thank you for the cooperation.

Comment 8 Zdenek Pytela 2023-04-20 19:06:29 UTC

Thank you. You can enhance the local module with:

(allow insights_client_t filesystem_type (filesystem (quotaget)))

Note You need to log in before you can comment on or make changes to this bug.