Bug 2184417 - Image Builder image has incorrect selinux permissions for rhc/Insights
Summary: Image Builder image has incorrect selinux permissions for rhc/Insights
Keywords:
Status: CLOSED DUPLICATE of bug 2162663
Alias: None
Product: Red Hat Hybrid Cloud Console (console.redhat.com)
Classification: Red Hat
Component: Image Builder
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Image Builder team
QA Contact: Image Builder team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-04 15:39 UTC by Matthew Yee
Modified: 2023-04-04 15:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-04 15:58:22 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHINENG-293 0 None None None 2023-04-04 15:58:47 UTC

Description Matthew Yee 2023-04-04 15:39:54 UTC
Description of problem:
SELinux is configured incorrectly in Image Builder-generated images. The misconfiguration causes remediations to fail upon execution in console dot.


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Create an image in image builder.
2. Launch in AWS.
3. Run an advisor remediation.

Actual results:

journal error:
Apr 04 15:07:04 ip-172-31-31-228.ec2.internal rhcd[19631]: [rhcd] 2023/04/04 15:07:04 /builddir/build/BUILD/rhc/yggdrasil-0.2.1/cmd/yggd/grpc.go:168: cannot send message 5fdc0da1-5195-4a60-a3da-72253374fce5: rpc error: code = Unknown desc = Exception calling application:

selinux error:
[root@ip-172-31-31-228 log]# ausearch -m AVC,USER_AVC -ts recent
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3817): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3817): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c99b0a0 a2=0 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3817): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3818): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3818): arch=c000003e syscall=21 success=no exit=-13 a0=55a20c99b0a0 a1=4 a2=1 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3818): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.345:3819): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.345:3819): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c9c39e0 a2=2 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.345:3819): avc:  denied  { read write } for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda4" ino=1325584 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.345:3820): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.345:3820): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c9c39e0 a2=0 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.345:3820): avc:  denied  { read } for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda


Expected results:
The playbook should execute without errors.

Additional info:

I performed the following steps to find this problem:
1) Launched remediation playbook test-006.
2) Checked journalctl with journalctl -fu rhcd.service.
3) Found the error Apr 04 15:07:04 ip-172-31-31-228.ec2.internal rhcd[19631]: [rhcd] 2023/04/04 15:07:04 /builddir/build/BUILD/rhc/yggdrasil-0.2.1/cmd/yggd/grpc.go:168: cannot send message 5fdc0da1-5195-4a60-a3da-72253374fce5: rpc error: code = Unknown desc = Exception calling application:
4) Checked selinux with ausearch command above.
5) Set selinux to disabled, rebooted.
6) Submitted test-0007 remediation.
7) Job runs and completes successfully.
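
The audit records quoted above carry everything needed to see what was refused and why, but the hex-encoded proctitle and the multi-record layout make them hard to read by eye. The following script is an added example (not part of the bug report or of Image Builder/rhc) that parses the ausearch output into one event per serial, decodes the proctitle into argv, maps the x86_64 syscall number and errno to names, and prints one summary line per denial. The sample input is copied from events 3817-3819 in this report; the syscall-name table only covers the two numbers that appear in it.

```python
import errno
import re
from collections import defaultdict

# Sample input: events 3817-3819 copied from the ausearch output quoted in
# this bug report (event 3820 is truncated on the page and left out).
SAMPLE_AUDIT = """\
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3817): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3817): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c99b0a0 a2=0 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3817): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3818): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3818): arch=c000003e syscall=21 success=no exit=-13 a0=55a20c99b0a0 a1=4 a2=1 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3818): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.345:3819): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.345:3819): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c9c39e0 a2=2 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.345:3819): avc:  denied  { read write } for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda4" ino=1325584 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

# x86_64 syscall numbers (arch=c000003e) seen in the sample; extend as needed.
SYSCALL_NAMES_X86_64 = {21: "access", 257: "openat"}

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs: quoted strings, parenthesised values like (none), or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\([^)]*\)|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def decode_proctitle(hex_string):
    """Decode the hex-encoded proctitle into argv; NUL separates arguments.
    The kernel records at most 128 bytes, so the last argument may be cut."""
    raw = bytes.fromhex(hex_string)
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def context_type(context):
    """Return the type field of an SELinux context user:role:type:level."""
    return context.split(":")[2]


def parse_audit_records(text):
    """Group PROCTITLE/SYSCALL/AVC records by audit serial into one dict each."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        match = EVENT_ID_RE.search(line)
        if not match:
            continue
        serial = int(match.group(2))
        rec_type = line.split()[0][len("type="):]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[serial]
        ev["serial"] = serial
        ev["timestamp"] = float(match.group(1))
        if rec_type == "PROCTITLE":
            ev["argv"] = decode_proctitle(fields["proctitle"])
        elif rec_type == "SYSCALL":
            number = int(fields["syscall"])
            ev["syscall"] = SYSCALL_NAMES_X86_64.get(number, str(number))
            ev["exe"] = fields["exe"]
            ev["uid"] = int(fields["uid"])
            # exit=-13 is -EACCES; map negative exits to errno names
            ev["exit_errno"] = errno.errorcode.get(-int(fields["exit"]), fields["exit"])
        elif rec_type == "AVC":
            ev["denied"] = PERMS_RE.search(line).group(1).split()
            ev["name"] = fields.get("name")
            ev["scontext"] = fields["scontext"]
            ev["tcontext"] = fields["tcontext"]
            ev["tclass"] = fields["tclass"]
            ev["enforced"] = fields["permissive"] == "0"
    return [events[s] for s in sorted(events)]


def summarize(events):
    """One line per denial: which domain was refused which access on what."""
    lines = []
    for ev in events:
        if "denied" not in ev:
            continue
        mode = "enforcing" if ev["enforced"] else "permissive"
        lines.append(
            f"{ev['serial']}: {context_type(ev['scontext'])} denied "
            f"{'/'.join(ev['denied'])} on {ev['tclass']} {ev['name']} "
            f"labelled {context_type(ev['tcontext'])} via {ev.get('syscall')} "
            f"({ev.get('exit_errno')}, {mode})"
        )
    return lines


if __name__ == "__main__":
    parsed = parse_audit_records(SAMPLE_AUDIT)
    print("command:", " ".join(parsed[0]["argv"]))
    for line in summarize(parsed):
        print(line)
```

Run against the sample, the summary shows that every denial comes from the same gpg_t process (the gpg --verify that insights-client runs on its egg signature) and that the files it cannot read are its own keyring and trust database, labelled admin_home_t, the generic type for files under /root, rather than a gpg-specific type. That points at file labels, not at SELinux as such: a dry run of restorecon -nv on the gpg home directory reports label mismatches without changing anything, and if a temporary relaxation is unavoidable, semanage permissive -a gpg_t confines the change to that one domain instead of disabling enforcement for the whole host.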

Comment 1 Sanne Raymaekers 2023-04-04 15:58:22 UTC

*** This bug has been marked as a duplicate of bug 2162663 ***