2229559 – [RHEL8/Insights/SELinux/Bug] SELinux AVC denials for insights-client var-log-t

Bug 2229559 - [RHEL8/Insights/SELinux/Bug] SELinux AVC denials for insights-client var-log-t

Summary: [RHEL8/Insights/SELinux/Bug] SELinux AVC denials for insights-client var-log-t

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-07 02:11 UTC by Nikhil Gupta
Modified:	2023-08-16 06:34 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.14.3-126.el8
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1834	0	None	open	Insights update 2	2023-08-11 14:55:23 UTC
Red Hat Issue Tracker	RHELPLAN-164683	0	None	None	None	2023-08-07 02:13:53 UTC

Description Nikhil Gupta 2023-08-07 02:11:04 UTC

Description of problem:

I see the https://github.com/RedHatInsights/insights-core/pull/3850 that is recently added, but actually it lacks the SELinux policy to allow it.

+ sudo ausearch -i -m avc,user_avc -ts today
~~~
node=abc-host type=PROCTITLE msg=audit(08/03/2023 13:52:01.275:156177) : proctitle=/usr/libexec/platform-python /usr/lib/python3.6/site-packages/insights_client/run.py --retry 3
node=abc-host type=PATH msg=audit(08/03/2023 13:52:01.275:156177) : item=1 name=/var/log/log_lock.pid inode=2241455 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=abc-host type=PATH msg=audit(08/03/2023 13:52:01.275:156177) : item=0 name=/var/log/ inode=2097865 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=abc-host type=CWD msg=audit(08/03/2023 13:52:01.275:156177) : cwd=/
node=abc-host type=SYSCALL msg=audit(08/03/2023 13:52:01.275:156177) : arch=x86_64 syscall=openat success=yes exit=12 a0=AT_FDCWD a1=0x7f21c7781be8 a2=O_RDWR|O_CREAT|O_CLOEXEC a3=0x1a4 items=2 ppid=2966557 pid=2966623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
node=abc-host type=AVC msg=audit(08/03/2023 13:52:01.275:156177) : avc:  denied  { write } for  pid=2966623 comm=platform-python path=/var/log/log_lock.pid dev="dm-0" ino=2241455 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
node=abc-host type=AVC msg=audit(08/03/2023 13:52:01.275:156177) : avc:  denied  { create } for  pid=2966623 comm=platform-python name=log_lock.pid scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
node=abc-host type=PROCTITLE msg=audit(08/03/2023 13:52:01.275:156178) : proctitle=/usr/libexec/platform-python /usr/lib/python3.6/site-packages/insights_client/run.py --retry 3
node=abc-host type=PATH msg=audit(08/03/2023 13:52:01.275:156178) : item=0 name=/var/log/dnf.log inode=2242945 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=abc-host type=CWD msg=audit(08/03/2023 13:52:01.275:156178) : cwd=/
node=abc-host type=SYSCALL msg=audit(08/03/2023 13:52:01.275:156178) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f21c7781be8 a1=0600 a2=0x0 a3=0x2 items=1 ppid=2966557 pid=2966623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
node=abc-host type=AVC msg=audit(08/03/2023 13:52:01.275:156178) : avc:  denied  { setattr } for  pid=2966623 comm=platform-python name=dnf.log dev="dm-0" ino=2242945 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
node=abc-host type=PROCTITLE msg=audit(08/03/2023 13:52:01.275:156179) : proctitle=/usr/libexec/platform-python /usr/lib/python3.6/site-packages/insights_client/run.py --retry 3
node=abc-host type=PATH msg=audit(08/03/2023 13:52:01.275:156179) : item=1 name=/var/log/log_lock.pid inode=2241455 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=abc-host type=PATH msg=audit(08/03/2023 13:52:01.275:156179) : item=0 name=/var/log/ inode=2097865 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=abc-host type=CWD msg=audit(08/03/2023 13:52:01.275:156179) : cwd=/
node=abc-host type=SYSCALL msg=audit(08/03/2023 13:52:01.275:156179) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f21c7781be8 a1=0x0 a2=0x0 a3=0x1 items=2 ppid=2966557 pid=2966623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=platform-python exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:insights_client_t:s0 key=(null)
node=abc-host type=AVC msg=audit(08/03/2023 13:52:01.275:156179) : avc:  denied  { unlink } for  pid=2966623 comm=platform-python name=log_lock.pid dev="dm-0" ino=2241455 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
...
+ sudo audit2allow -a
#============= insights_client_t ==============
allow insights_client_t var_log_t:file { create setattr unlink write };
~~~


Version-Release number of selected component (if applicable):
RHEL 8.8
selinux-policy-devel-3.14.3-124.el8.noarch
selinux-policy-3.14.3-124.el8.noarch
selinux-policy-targeted-3.14.3-124.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Register RHEL 8.8 host with Insights
2. Install latest(pre-released) selinux-policy packages
3. Restart `insights-client` service

Actual results:
SELinux AVC denials for insights-client var-log-t 

Expected results:
Insights upload should complete without any AVC triggered.

Comment 1 Zdenek Pytela 2023-08-11 16:24:58 UTC

Commit to backport:
97f7155ab Allow insights-client create all rpm logs with a correct label
8f443b560 Allow insights-client manage generic logs

Note You need to log in before you can comment on or make changes to this bug.