Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2184417

Summary: Image Builder image has incorrect selinux permissions for rhc/Insights
Product: Red Hat Hybrid Cloud Console (console.redhat.com)
Component: Image Builder
Reporter: Matthew Yee <myee>
Assignee: Image Builder team <osbuilders>
QA Contact: Image Builder team <osbuilders>
CC: sraymaek
Status: CLOSED DUPLICATE
Severity: urgent
Priority: unspecified
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-04-04 15:58:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Matthew Yee 2023-04-04 15:39:54 UTC
Description of problem:
SELinux is configured incorrectly in Image Builder generated images. The misconfiguration causes remediations to fail upon execution in console dot.


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Create an image in image builder.
2. Launch in AWS.
3. Run an advisor remediation.

Actual results:

journal error:
Apr 04 15:07:04 ip-172-31-31-228.ec2.internal rhcd[19631]: [rhcd] 2023/04/04 15:07:04 /builddir/build/BUILD/rhc/yggdrasil-0.2.1/cmd/yggd/grpc.go:168: cannot send message 5fdc0da1-5195-4a60-a3da-72253374fce5: rpc error: code = Unknown desc = Exception calling application:

selinux error:
[root@ip-172-31-31-228 log]# ausearch -m AVC,USER_AVC -ts recent
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3817): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3817): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c99b0a0 a2=0 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3817): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.336:3818): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.336:3818): arch=c000003e syscall=21 success=no exit=-13 a0=55a20c99b0a0 a1=4 a2=1 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.336:3818): avc:  denied  { read } for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.345:3819): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.345:3819): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c9c39e0 a2=2 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.345:3819): avc:  denied  { read write } for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda4" ino=1325584 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Tue Apr  4 15:07:04 2023
type=PROCTITLE msg=audit(1680620824.345:3820): proctitle=2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067002F7661722F6C69622F696E7369676874732F6C6173745F737461626C652E6567672E617363002F7661722F6C69622F696E736967687473
type=SYSCALL msg=audit(1680620824.345:3820): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a20c9c39e0 a2=0 a3=0 items=0 ppid=24724 pid=24725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0 key=(null)
type=AVC msg=audit(1680620824.345:3820): avc:  denied  { read } for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda


Expected results:
The playbook should execute without errors.

Additional info:

I performed the following steps to find this problem:
1) Launched remediation playbook test-006.
2) Checked journalctl with journalctl -fu rhcd.service.
3) Found the error Apr 04 15:07:04 ip-172-31-31-228.ec2.internal rhcd[19631]: [rhcd] 2023/04/04 15:07:04 /builddir/build/BUILD/rhc/yggdrasil-0.2.1/cmd/yggd/grpc.go:168: cannot send message 5fdc0da1-5195-4a60-a3da-72253374fce5: rpc error: code = Unknown desc = Exception calling application:
4) Checked SELinux with the ausearch command above.
5) Set SELinux to disabled, rebooted.
6) Submitted test-0007 remediation.
7) Job runs and completes successfully.
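
An added example, not part of the original report or of any Red Hat tooling: a Python parser that decodes the hex-encoded PROCTITLE field and summarizes the AVC denials in ausearch output like the one above. The sample input is constructed from two of the report's events (SYSCALL records omitted, proctitle cut after the fourth argument), and the function names are illustrative.

```python
import re

# Constructed sample: two events taken from the ausearch output in the report,
# with the proctitle hex cut after the fourth argument and SYSCALL records omitted.
PT = ("2F7573722F62696E2F677067002D2D766572696679002D2D6B657972696E67"
      "002F6574632F696E7369676874732D636C69656E742F726564686174746F6F6C732E7075622E677067")
SAMPLE = f"""\
type=PROCTITLE msg=audit(1680620824.336:3817): proctitle={PT}
type=AVC msg=audit(1680620824.336:3817): avc:  denied  {{ read }} for  pid=24725 comm="gpg" name="pubring.kbx" dev="xvda4" ino=1324502 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1680620824.345:3819): proctitle={PT}
type=AVC msg=audit(1680620824.345:3819): avc:  denied  {{ read write }} for  pid=24725 comm="gpg" name="trustdb.gpg" dev="xvda4" ino=1325584 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)")

def decode_proctitle(value):
    """Return argv: audit hex-encodes titles containing NULs, and quotes plain ones."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def summarize(log):
    """Group records by audit event id and return one dict per AVC denial."""
    argv, denials = {}, []
    for line in log.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # skips the "----" and "time->" separator lines
        rtype, event_id, body = m.groups()
        if rtype == "PROCTITLE":
            argv[event_id] = decode_proctitle(body.split("proctitle=", 1)[1])
        elif rtype == "AVC" and (a := AVC.search(body)):
            fields = dict(kv.split("=", 1) for kv in a.group(2).split() if "=" in kv)
            denials.append({
                "event": event_id,
                "perms": a.group(1).split(),
                "name": fields["name"].strip('"'),
                "source_type": fields["scontext"].split(":")[2],
                "target_type": fields["tcontext"].split(":")[2],
                "enforced": fields.get("permissive") == "0",
            })
    for d in denials:  # record order differs between tools, so join by id afterwards
        d["argv"] = argv.get(d["event"], [])
    return denials
```

Run over the sample, each denial pairs the decoded command line (`/usr/bin/gpg --verify --keyring /etc/insights-client/redhattools.pub.gpg`) with the source domain `gpg_t` and the target label `admin_home_t` on `pubring.kbx` and `trustdb.gpg`.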

Comment 1 Sanne Raymaekers 2023-04-04 15:58:22 UTC

*** This bug has been marked as a duplicate of bug 2162663 ***