RHEL-106138

AVC denial for domain transition from unconfined_service_t to insights_core_t during remediation execution on RHEL 10


      What were you trying to do that didn't work?

      When SELinux is in enforcing mode, insights fails to verify the playbook and hence is unable to run the playbook.
      yggdrasil logs:

      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com systemd[1]: Starting com.redhat.Yggdrasil1.Worker1.rhc_worker_playbook.service - rhc-worker-playbook worker service...
      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:12 connecting to system bus
      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com systemd[1]: Started com.redhat.Yggdrasil1.Worker1.rhc_worker_playbook.service - rhc-worker-playbook worker service.
      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:12 emitting event STARTED
      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:12 emitting event BEGIN
      Jul 29 00:34:12 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:12 message received: message-id=ab47b173-5b7b-4634-b3b4-1d369cc8d11b
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:15 cannot verify playbook: code=1 stdout= stderr=Traceback (most recent call last):
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:   File "/usr/bin/insights-client", line 11, in <module>
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:     _main()
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:   File "/usr/lib/python3.12/site-packages/insights_client/__init__.py", line 508, in _main
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:     run_phase(p, client, validated_eggs)
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:   File "/usr/lib/python3.12/site-packages/insights_client/__init__.py", line 334, in run_phase
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:     process = subprocess.Popen(insights_command, env=env)
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:   File "/usr/lib64/python3.12/subprocess.py", line 1026, in __init__
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:     self._execute_child(args, executable, preexec_fn, close_fds,
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:   File "/usr/lib64/python3.12/subprocess.py", line 1955, in _execute_child
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]:     raise child_exception_type(errno_num, err_msg, err_filename)
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: PermissionError: [Errno 13] Permission denied: '/usr/bin/python3'
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:15 cannot call rx: cannot verify playbook: err=cannot verify playbook: exit status 1
      Jul 29 00:34:15 kvm-08-guest29.lab.eng.rdu2.dc.redhat.com rhc-worker-playbook[242701]: 2025/07/29 00:34:15 emitting event END
      What is the impact of this issue to you?

      Remediations Blocked

      Please provide the package NVR for which the bug is seen:

      [root@kvm-08-guest29 ~]# rpm -qa | grep insi
      insights-core-selinux-3.7.0-1.el10.noarch
      insights-client-3.10.1-2.el10.noarch
      [root@kvm-08-guest29 ~]#

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. rhc connect
      2. install rhc-worker-playbook
      3. create a vulnerability: chmod 777 /etc/ssh/sshd_config
      4. insights-client
      5. run remediations from consoledot

      Expected results

      User should be able to apply remediation.

      Actual results

      Remediations never complete, playbook verification fails, and AVC denials are seen in the audit log:

      type=AVC msg=audit(1753769796.052:1985): avc:  denied  { transition } for  pid=252528 comm="insights-client" path="/usr/bin/python3.12" dev="dm-0" ino=33971730 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:insights_core_t:s0 tclass=process permissive=0
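The AVC record above can be triaged mechanically. The following Python script is an added example written for this page, not code from insights-client, rhc-worker-playbook or the reporter. It parses audit AVC lines into fields, flags denials of the process "transition" permission (the kind shown in this report, as opposed to an ordinary file-access denial), and renders the sesearch/audit2allow queries to run on the affected host to find the missing allow rule and the type_transition rule that asked for insights_core_t. The first input line is the denial copied from this report; the second (a read denial on etc_t) is constructed for contrast. The commands are rendered, not executed, and the sesearch/ausearch/audit2allow flags are the setools and audit ones as the author of this example knows them. Treat audit2allow -w output as an explanation of the denial, not as a module to load: a missing domain transition rule for a shipped policy type is fixed in the shipped policy, not with a local allow rule.

```python
"""Parse SELinux AVC denials and suggest policy queries for a refused domain
transition. Added example for this page, not code from the report or the
projects it names."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the bug report: the real denial.
REPORT_AVC = (
    'type=AVC msg=audit(1753769796.052:1985): avc:  denied  { transition } for  '
    'pid=252528 comm="insights-client" path="/usr/bin/python3.12" dev="dm-0" '
    'ino=33971730 scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:insights_core_t:s0 tclass=process permissive=0'
)

# Constructed (not from the report): a plain file-read denial, included only
# to show that the transition check tells the two apart.
CONSTRUCTED_FILE_AVC = (
    'type=AVC msg=audit(1753769796.052:1986): avc:  denied  { read } for  '
    'pid=252528 comm="insights-client" name="sshd_config" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:insights_core_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')      # timestamp:serial
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str           # "denied" or "granted"
    perms: List[str]        # permissions listed inside { ... }
    fields: Dict[str, str]  # remaining key=value pairs (scontext, tclass, path, ...)

    @staticmethod
    def _type_of(context: str) -> str:
        # user:role:type:level -> type
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None unless it is an AVC record."""
    fields = {key: (bare or quoted) for key, quoted, bare in KV_RE.findall(line)}
    if fields.get("type") != "AVC":
        return None
    msg, avc = MSG_RE.search(line), AVC_RE.search(line)
    if not msg or not avc:
        return None
    return AvcRecord(timestamp=float(msg.group(1)), serial=int(msg.group(2)),
                     decision=avc.group(1), perms=avc.group(2).split(), fields=fields)


def is_domain_transition_denial(rec: AvcRecord) -> bool:
    """True when a process was refused a change of SELinux domain on exec."""
    return (rec.decision == "denied"
            and rec.fields.get("tclass") == "process"
            and "transition" in rec.perms)


def diagnostic_commands(rec: AvcRecord) -> List[str]:
    """Commands to run on the affected host to explain a transition denial.
    Rendered only; nothing is executed here."""
    src, tgt = rec.source_type, rec.target_type
    cmds = [
        # The allow rule the denial says is missing.
        f"sesearch -A -s {src} -t {tgt} -c process -p transition",
        # The type_transition rule(s) that requested a new domain for src.
        f"sesearch -T -s {src} -c process",
    ]
    if "path" in rec.fields:
        # Label of the executable whose exec triggered the transition.
        cmds.append(f"ls -Z {rec.fields['path']}")
    # Explanation of this exact event; do not load its output as a module.
    cmds.append(f"ausearch -m AVC -a {rec.serial} | audit2allow -w")
    return cmds


def triage(lines: List[str]) -> List[str]:
    """One summary line per denied AVC, plus indented queries for transitions."""
    out: List[str] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        out.append(f"{rec.serial}: {rec.fields.get('comm', '?')} denied "
                   f"{{ {' '.join(rec.perms)} }} on {rec.fields['tclass']} "
                   f"{rec.source_type} -> {rec.target_type}")
        if is_domain_transition_denial(rec):
            out.extend("    " + c for c in diagnostic_commands(rec))
    return out


if __name__ == "__main__":
    sample = [REPORT_AVC, CONSTRUCTED_FILE_AVC,
              "type=SYSCALL msg=audit(1753769796.052:1985): arch=c000003e"]
    print("\n".join(triage(sample)))
```

Run it as-is to see the report's denial classified and the queries printed; feed it real lines with `grep AVC /var/log/audit/audit.log` piped into a small wrapper around triage() on the host where the denial occurred.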
