2214572 – Insight generates AVC for command "systemctl status --all" when system has persistent journal.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2214572 - Insight generates AVC for command "systemctl status --all" when system has persistent journal.

Summary: Insight generates AVC for command "systemctl status --all" when system has pe...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-13 12:46 UTC by Ameya Patil
Modified:	2023-11-14 17:58 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.14.3-122.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2214581 (view as bug list)
Environment:
Last Closed:	2023-11-14 15:47:52 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1732	None	open	Allow insights-client map generic log files	2023-06-13 15:15:35 UTC
Red Hat Issue Tracker	RHELPLAN-159712	None	None	None	2023-06-13 13:16:33 UTC
Red Hat Product Errata	RHBA-2023:7091	None	None	None	2023-11-14 15:48:09 UTC

Description Ameya Patil 2023-06-13 12:46:38 UTC

Description of problem:

Insight generates AVC for command "systemctl status --all" when system has persistent journal.

The AVC produced show that `insights_client_t` is trying to access the context `var_log_t` when "systemctl status --all" command is run for `{ map }` access and fail.
----
type=PROCTITLE msg=audit(06/13/2023 08:21:20.521:3138) : proctitle=/bin/systemctl status --all 
type=MMAP msg=audit(06/13/2023 08:21:20.521:3138) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/13/2023 08:21:20.521:3138) : arch=x86_64 syscall=mmap success=yes exit=140486428573696 a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=97396 pid=97397 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:insights_client_t:s0 key=(null) 
type=AVC msg=audit(06/13/2023 08:21:20.521:3138) : avc:  denied  { map } for  pid=97397 comm=systemctl path=/var/log/journal/system dev="dm-0" ino=151680 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
----

As per the insights-client.log it looks like it tries to reach to the API gives a JSON response on what the command information is needed.
~~~
2023-06-13 08:22:37,680    DEBUG insights.client.collection_rules Attemping to download collection rules from https://cert-api.access.redhat.com/r/insights/v1/static/uploader.v2.json
2023-06-13 08:22:37,680  NETWORK insights.client.connection GET https://cert-api.access.redhat.com/r/insights/v1/static/uploader.v2.json
2023-06-13 08:22:37,703  NETWORK insights.client.connection HTTP Status: 200 OK

<...output skipped...>

        {
            "command": "/bin/systemctl status --all",
            "pattern": [
                "Failed: ",
                "Jobs: ",
                "State: "
            ],
            "symbolic_name": "systemctl_status_all"
        },

<...output skipped...>

~~~


This is happening because the system journal is persistent and logging to /var/log/journal/ which has the context of var_log_t.

I confirmed in the latest SELinux rules this permission is not allowed.
~~~
# sesearch -A -s insights_client_t -t var_log_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True

# sesearch -A -s insights_client_t -t var_log_t -c file 
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow insights_client_t file_type:file getattr;
allow insights_client_t non_security_file_type:file { getattr ioctl lock open read };
~~~


This does not happen for non-persistent journal. 
We see that when the destination file context is "syslogd_var_run_t" i.e. file presents in (/run/log/journal/<..something..>.journal) it does not show this error and has the `{ map }` present.
~~~
# sesearch -A -s insights_client_t -t syslogd_var_run_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow insights_client_t syslogd_var_run_t:file map;
~~~





Version-Release number of selected component (if applicable):
insights-client-3.1.7-12.el8.noarch
selinux-policy-3.14.3-117.el8.noarch
selinux-policy-targeted-3.14.3-117.el8.noarch


How reproducible:
Everytime

Steps to Reproduce:
1. Ensure that you have a persistent journal following along the Step from - https://access.redhat.com/solutions/696893

  # sed -i 's/#Storage=auto/Storage=persistent/' /etc/systemd/journald.conf
  # systemctl restart systemd-journald.service
  # journalctl --flush


2. Start insights-client service and wait for it to complete.
 
  # systemctl start  insights-client
  # systemctl status insights-client

3. Checked the audit logs to see the AVC

  # ausearch -m AVC,USER_AVC -i -ts recent


Actual results:
Insight service provide AVC when systemctl status is run

Expected results:
Insights service should complete without AVC.

Additional info:

Comment 4 Zdenek Pytela 2023-06-14 07:58:56 UTC

Commit s to backport:
9c4297009 Allow insights-client getsession process permission
abc4d5a60 Allow insights-client work with pipe and socket tmp files
959c6270c Allow insights-client map generic log files

Comment 5 Nikola Knazekova 2023-06-15 16:09:56 UTC


*** This bug has been marked as a duplicate of bug 2207819 ***

Comment 16 errata-xmlrpc 2023-11-14 15:47:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091

Note You need to log in before you can comment on or make changes to this bug.