Bug 2183351 - SELinux prevents the insights-client service from executing the ipcs command

Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-05-01
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2233929 2239086

Reported: 2023-03-30 22:35 UTC by Nikhil Gupta
Modified: 2023-11-14 17:59 UTC
CC: 5 users

Fixed In Version: selinux-policy-3.14.3-119.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2233929 2239086
Environment:
Last Closed: 2023-11-14 15:47:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: pm-rhel: mirror+

Attachments:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github fedora-selinux selinux-policy | pull 1653 | 0 | None | open | Allow insights-client get quotas of all filesystems | 2023-04-20 19:06:29 UTC
Red Hat Issue Tracker | RHELPLAN-153693 | 0 | None | None | None | 2023-03-30 22:36:47 UTC
Red Hat Issue Tracker | RHELPLAN-153694 | 0 | None | None | None | 2023-03-30 22:36:49 UTC
Red Hat Product Errata | RHBA-2023:7091 | 0 | None | None | None | 2023-11-14 15:48:23 UTC

Description Nikhil Gupta 2023-03-30 22:35:56 UTC
Description of problem:
SELinux prevents the insights-client service from executing the ipcs command.

----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.721:40170) : proctitle=/usr/bin/ipcs -s -i 3
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.721:40170) : ouid=root ogid=root mode=000,666 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.721:40170) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=206100 pid=206101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc:  denied  { read } for  pid=206101 comm=ipcs ipc_key=1913520266  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----


Version-Release number of selected component (if applicable):
4.18.0-425.13.1.el8_7.x86_64
selinux-policy-targeted-3.14.3-117.el8.noarch
selinux-policy-3.14.3-117.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a fresh VM with plain RHEL 8.7 with SELinux enforcing.
2. After 24 hours of life this VM produced SELinux avc: denied errors.

Actual results:
AVC denials for ipcs are reported.
----
node=test.example.com type=PROCTITLE msg=audit(03/30/2023 02:03:41.727:40171) : proctitle=/usr/bin/ipcs -s -i 13
node=test.example.com type=IPC msg=audit(03/30/2023 02:03:41.727:40171) : ouid=root ogid=root mode=000,664 obj=system_u:system_r:unconfined_service_t:s0
node=test.example.com type=SYSCALL msg=audit(03/30/2023 02:03:41.727:40171) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0xd a1=0x0 a2=0xc a3=0x0 items=0 ppid=206103 pid=206104 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc:  denied  { read } for  pid=206104 comm=ipcs ipc_key=17695361  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
----

Expected results:
Insights-client scheduled run should run without any avc denials.

Additional info:
#  sealert -l 14c6dfc5-a727-46db-971f-bd543147990f| grep -P ^Hash:
Hash: ipcs,insights_client_t,unconfined_service_t,sem,unix_read

Comment 2 Zdenek Pytela 2023-03-31 11:05:46 UTC
Do you happen to know which service is being checked? It is not a part of the audit records. A list of services can be found, e.g., with

# ps -eo pid,ppid,command,context | grep unconfined_service_[t]

In the policy there is only
rhel89# sesearch -A -s insights_client_t -t unconfined_service_t -c sem
allow insights_client_t domain:sem unix_read;

Will you be able to try a local SELinux module to check if adding the permission is sufficient?

  # cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (read)))
  # semodule -i local_unconfinedservice_semread.cil

To remove the module afterwards:
  # semodule -r local_unconfinedservice_semread

Comment 5 Zdenek Pytela 2023-04-06 10:53:29 UTC
Hi,

So the module should contain

  # cat local_unconfinedservice_semread.cil
(allow insights_client_t unconfined_service_t (sem (getattr read)))
  # semodule -i local_unconfinedservice_semread.cil

The current version of the insights-client service should make the domain permissive, which would make it easier to gather all required permissions, but apparently it is not the case here - see permissive=0 in the output.

The ps command unfortunately did not help much as there are multiple services running in the unconfined_service_t domain.

Can you try to find out what the service is? Perhaps

  # ipcs -a

or another command to check IPC resources.
Thank you for the cooperation.

Comment 8 Zdenek Pytela 2023-04-20 19:06:29 UTC
Thank you. You can enhance the local module with:

(allow insights_client_t filesystem_type (filesystem (quotaget)))
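
The comments above build the local module up one denial at a time: the read permission from the first AVC, then getattr, then the filesystem quotaget rule. The following is an added example, not Red Hat's code and not a replacement for audit2allow: a small Python script that turns AVC records like the ones quoted in this bug into the CIL allow statements shown in the comments. The two AVC lines are embedded as constructed sample input so it runs offline; the source_type filter and the extra parameter (used here to fold in the getattr and quotaget rules from comments 5 and 8, which do not appear in the quoted AVCs) are this example's own design, not part of any SELinux tool.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug
# (ausearch -i style output), embedded so the script runs offline.
SAMPLE_AVC = """\
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.721:40170) : avc:  denied  { read } for  pid=206101 comm=ipcs ipc_key=1913520266  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
node=test.example.com type=AVC msg=audit(03/30/2023 02:03:41.727:40171) : avc:  denied  { read } for  pid=206104 comm=ipcs ipc_key=17695361  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse denied AVC records; other audit lines (SYSCALL, IPC, ...) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def to_cil(denials, source_type=None, extra=None):
    """Collapse denials into CIL allow statements, one per (source, target, class).

    source_type restricts output to a single domain so unrelated denials in the
    same audit log are not granted by accident.  extra maps
    (source, target, class) -> permissions known from other evidence, e.g. a
    denial that only shows up after the first one has been allowed.
    """
    merged = defaultdict(set)
    for d in denials:
        if source_type and d["stype"] != source_type:
            continue
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    for key, perms in (extra or {}).items():
        merged[key] |= set(perms)
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(perms))})))"
        for (s, t, c), perms in sorted(merged.items())
    ]


def render_module(rules, enforcing_seen):
    """Return the text of a .cil file; CIL comments start with ';'."""
    header = [";; generated from AVC denials, review before semodule -i"]
    if enforcing_seen:
        header.append(";; domain was enforcing (permissive=0): expect further denials"
                      " once these permissions are granted")
    return "\n".join(header + rules) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    rules = to_cil(
        denials,
        source_type="insights_client_t",
        # Rules taken from comments 5 and 8 of this bug; not present in the AVCs above.
        extra={
            ("insights_client_t", "unconfined_service_t", "sem"): {"getattr"},
            ("insights_client_t", "filesystem_type", "filesystem"): {"quotaget"},
        },
    )
    print(render_module(rules, any(not d["permissive"] for d in denials)), end="")
```

The permissive=0 check matters for the workflow in comment 5: in an enforcing domain the first denied permission aborts the syscall, so later permissions (here getattr after read) only surface on the next run, and a module built from a single AVC batch is usually incomplete. Also note that unconfined_service_t is a broad target covering every service running unconfined, so a rule against it should be reviewed rather than installed blindly; the generated file is meant to be piped to semodule -i only after that review.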

Comment 28 errata-xmlrpc 2023-11-14 15:47:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091

