Do you happen to know which service is being checked? It is not a part of the audit records. A list of services can be found, e.g., with
# ps -eo pid,ppid,command,context | grep unconfined_service_[t]
In the policy there is only
rhel89# sesearch -A -s insights_client_t -t unconfined_service_t -c sem
allow insights_client_t domain:sem unix_read;
Will you be able to try a local SELinux module to check if adding the permission is sufficient?
# cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (read)))
# semodule -i local_unconfinedservice_semread.cil
To remove the module afterwards:
# semodule -r local_unconfinedservice_semread
Hi,
So the module should contain
# cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (getattr read)))
# semodule -i local_unconfinedservice_semread.cil
The current version of the insights-client service should make the domain permissive, which would make it easier to gather all required permissions, but apparently that is not the case here - see permissive=0 in the output.
The ps command unfortunately did not help much as there are multiple services running in the unconfined_service_t domain.
Can you try to find out what the service is? Perhaps
# ipcs -a
or another command to check IPC resources.
Thank you for the cooperation.
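As an added example (not code from this bug thread, from insights-client or from selinux-policy): a small shell helper that turns AVC records like the ones in this report into the CIL allow rule the maintainer asks for, merging and deduplicating the permissions from several denials so that a second round of denials (here: getattr after read) produces one combined rule instead of a second module. This is the mapping that audit2allow automates, written out so the fields involved are visible. The sample records are constructed: the first two mirror the report's two `read` denials, the third is an assumed `getattr` denial of the kind implied by the second module.

```shell
#!/bin/sh
# Added example, not part of the bug report. Convert AVC denial records
# into CIL allow rules, one per (source type, target type, class), with
# the permissions of all matching records merged, deduplicated and sorted.
# Input: audit lines on stdin, raw (ausearch -m AVC) or interpreted (-i);
# both carry scontext=/tcontext=/tclass= in the same form.

avc_to_cil() {
    awk '
    # Only AVC records carry the fields we need; SYSCALL/IPC lines are skipped.
    /avc: *denied/ {
        # The permission list sits between braces: { read getattr }
        if (!match($0, /[{][^}]*[}]/)) next
        permstr = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type:level -> the type is the third component
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        np = split(permstr, p, " ")
        for (j = 1; j <= np; j++) {
            if (p[j] == "" || ((key, p[j]) in seen)) continue
            seen[key, p[j]] = 1
            perms[key] = (perms[key] == "") ? p[j] : (perms[key] " " p[j])
        }
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            key = keys[k]
            split(key, t, SUBSEP)
            # Sort the permission list so the emitted rule is canonical.
            np = split(perms[key], p, " ")
            for (i = 2; i <= np; i++) {
                v = p[i]; j = i - 1
                while (j >= 1 && p[j] > v) { p[j + 1] = p[j]; j-- }
                p[j + 1] = v
            }
            list = p[1]
            for (i = 2; i <= np; i++) list = list " " p[i]
            printf "(allow %s %s (%s (%s)))\n", t[1], t[2], t[3], list
        }
    }'
}

# Constructed sample input. Records 1 and 2 follow the two read denials in
# the report; record 3 (serial 40172, pid 206107) is an assumed getattr
# denial of the kind the maintainer's second module accounts for.
SAMPLE_AVCS='type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc: denied { read } for pid=206101 comm=ipcs ipc_key=1913520266 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc: denied { read } for pid=206104 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
type=AVC msg=audit(03/30/2023 02:03:41.733:40172) : avc: denied { getattr } for pid=206107 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0'

# Emits: (allow insights_client_t unconfined_service_t (sem (getattr read)))
printf '%s\n' "$SAMPLE_AVCS" | avc_to_cil
```

On a live system the input would come from the audit log, e.g. `ausearch -m AVC -ts recent | avc_to_cil > local_unconfinedservice_semread.cil`, followed by `semodule -i` of that file. Two caveats apply to this workflow: check with `sesearch -A -s <source> -t <target> -c <class>` that the rule is not already present before installing anything, and expect the next run of the client to surface further denials (as this thread went from read to getattr read), since the denied syscall stops at the first missing permission. Remove the local module with `semodule -r` once the fix ships in selinux-policy, otherwise it silently persists alongside the distribution policy.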
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:7091
Description of problem:
SELinux prevents the insights-client service from executing the ipcs command.

----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.721:40170) : proctitle=/usr/bin/ipcs -s -i 3
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.721:40170) : ouid=root ogid=root mode=000,666 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.721:40170) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=206100 pid=206101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc: denied { read } for pid=206101 comm=ipcs ipc_key=1913520266 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----

Version-Release number of selected component (if applicable):
4.18.0-425.13.1.el8_7.x86_64
selinux-policy-targeted-3.14.3-117.el8.noarch
selinux-policy-3.14.3-117.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a fresh VM with plain RHEL8.7 with SELinux enforced.
2. After 24 hours of life this VM produced SELinux avc: denied errors

Actual results:
AVC denials for ipcs are reported.

----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.727:40171) : proctitle=/usr/bin/ipcs -s -i 13
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.727:40171) : ouid=root ogid=root mode=000,664 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.727:40171) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0xd a1=0x0 a2=0xc a3=0x0 items=0 ppid=206103 pid=206104 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc: denied { read } for pid=206104 comm=ipcs ipc_key=17695361 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----

Expected results:
Insights-client scheduled run should run without any avc denials.

Additional info:
# sealert -l 14c6dfc5-a727-46db-971f-bd543147990f | grep -P ^Hash:
Hash: ipcs,insights_client_t,unconfined_service_t,sem,unix_read