Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-108824

rhc-worker-playbook writes to /root/.ansible

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • No
    • Moderate
    • subs-client-tools
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      rhc-worker-playbook creates and writes to /root/.ansible. In my opinion it has the following issues:

      • /root has root:root:0550 permissions, so it is not expected to write to it
      • system service should not write to user data space
      • selinux-policy would be unnecesarily complex
      type=PROCTITLE msg=audit(08/12/2025 04:32:11.697:932) : proctitle=/usr/bin/python3 -m ansible_runner start --ident c42e3ae7-0b58-459e-b9b4-8e39ab62c0be --playbook /var/lib/rhc-worker-playbook/c4 
type=AVC msg=audit(08/12/2025 04:32:11.697:932) : avc:  denied  { dac_override } for  pid=41910 comm=ansible-playboo capability=dac_override  scontext=system_u:system_r:rhc_worker_t:s0 tcontext=system_u:system_r:rhc_worker_t:s0 tclass=capability permissive=1 
type=AVC msg=audit(08/12/2025 04:32:11.697:932) : avc:  denied  { write } for  pid=41910 comm=ansible-playboo name=root dev="dm-0" ino=100663430 scontext=system_u:system_r:rhc_worker_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(08/12/2025 04:32:11.697:932) : avc:  denied  { add_name } for  pid=41910 comm=ansible-playboo name=.ansible scontext=system_u:system_r:rhc_worker_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(08/12/2025 04:32:11.697:932) : avc:  denied  { create } for  pid=41910 comm=ansible-playboo name=.ansible scontext=system_u:system_r:rhc_worker_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=SYSCALL msg=audit(08/12/2025 04:32:11.697:932) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7f2f831d49e0 a1=0777 a2=0x0 a3=0x7f2f84a33ff0 items=2 ppid=41909 pid=41910 auid=unset uid=root gid=yggdrasil-worker euid=root suid=root fsuid=root egid=yggdrasil-worker sgid=yggdrasil-worker fsgid=yggdrasil-worker tty=pts2 ses=unset comm=ansible-playboo exe=/usr/bin/python3.12 subj=system_u:system_r:rhc_worker_t:s0 key=(null) 
type=CWD msg=audit(08/12/2025 04:32:11.697:932) : cwd=/var/lib/rhc-worker-playbook/runs 
type=PATH msg=audit(08/12/2025 04:32:11.697:932) : item=0 name=(null) inode=100663430 dev=fd:00 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/12/2025 04:32:11.697:932) : item=1 name=(null) inode=101424265 dev=fd:00 mode=dir,777 ouid=root ogid=yggdrasil-worker rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0

        1. rhcworker20250811-2.tgz
          16 kB
        2. audit_log_PR75.txt
          194 kB

              rh-ee-jlocash Joshua Locash
              rhn-support-zpytela Zdenek Pytela
              Jason Jerome
              CSI Client Tools Bugs Bot CSI Client Tools Bugs Bot
              Archana Pandey Archana Pandey
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: