RHEL-126409

AVC denials for "fwupdmgr security --force --json"


    • insights-core-3.6.9.2-1.el10
    • Moderate
    • insights-adv-framework
    • Framework Sprint Nov10-Nov28

      What were you trying to do that didn't work?

      On a physical RHEL10.2 system, when insights-core data collection is executed by insights-client.timer, an AVC for "allow insights_core_t config_home_t:file write;" happens.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      insights-core-selinux-3.6.8.1-1.el10.noarch

      insights-core-3.6.8.1-1.el10.noarch

      insights-client-3.10.2-1.el10.noarch

      insights-client-ros-3.10.2-1.el10.noarch

      How reproducible is this bug?

      Steps to reproduce

      1. On a physical RHEL-10.2-20251103.1, register insights.

      [root@virtlab809 ~]# virt-what
      [root@virtlab809 ~]# subscription-manager register --username=redhat_insights_foundations_qe --password=xxx
      Registering to: subscription.rhsm.redhat.com:443/subscription
      The system has been registered with ID: af2f84ed-6f09-4fe8-9fe3-3649033d08e4
      The registered system name is: virtlab809.virt.eng.rdu2.dc.redhat.com

      [root@virtlab809 ~]# insights-client --register
      Successfully registered host virtlab809.virt.eng.rdu2.dc.redhat.com
      Automatic scheduling for Insights has been enabled.
      Starting to collect Insights data for virtlab809.virt.eng.rdu2.dc.redhat.com
      Writing RHSM facts to /etc/rhsm/facts/insights-client.facts ...
      Uploading Insights data.
      Successfully uploaded report from virtlab809.virt.eng.rdu2.dc.redhat.com to account 12445849.

      2. Configure insights-client.timer:

      [root@virtlab809 ~]# date +'%Y-%m-%d %H:%M' --date='3 minutes'
      2025-11-04 23:10
      [root@virtlab809 ~]# grep OnCalendar -A3 /usr/lib/systemd/system/insights-client.timer
      OnCalendar=2025-11-04 23:10
      Persistent=true
      [root@virtlab809 ~]# systemctl daemon-reload
      [root@virtlab809 ~]# systemctl restart insights-client.timer
      [root@virtlab809 ~]# sleep 3m

      [root@virtlab809 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
      type=PROCTITLE msg=audit(11/04/2025 22:12:35.804:699) : proctitle=/usr/bin/python3 /usr/bin/insights-client --check-results
      type=SYSCALL msg=audit(11/04/2025 22:12:35.804:699) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fae8b0d5430 a2=0x7ffcce360190 a3=0x0 items=0 ppid=1 pid=18303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/bin/python3.12 subj=system_u:system_r:insights_client_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 22:12:35.804:699) : avc:  denied  { getattr } for  pid=18303 comm=insights-client path=/usr/bin/rpm dev="dm-0" ino=67111303 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:00.955:768) : proctitle=/usr/bin/python3 /usr/bin/insights-client
      type=SYSCALL msg=audit(11/04/2025 23:10:00.955:768) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fc3654cd760 a2=0x7ffe10f5a0f0 a3=0x0 items=0 ppid=1 pid=21159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/bin/python3.12 subj=system_u:system_r:insights_client_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:00.955:768) : avc:  denied  { getattr } for  pid=21159 comm=insights-client path=/usr/bin/rpm dev="dm-0" ino=67111303 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:15.659:769) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.659:769) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55b231cf6940 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fwupdmgr exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.659:769) : avc:  denied  { write } for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:15.659:770) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.659:770) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55b231cf64a0 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fwupdmgr exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.659:770) : avc:  denied  { write } for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:15.659:771) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.659:771) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55b231cf64a0 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fwupdmgr exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.659:771) : avc:  denied  { write } for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:15.659:772) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.659:772) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55b231cf64a0 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fwupdmgr exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.659:772) : avc:  denied  { write } for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:15.659:773) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.659:773) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55b231d1c650 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fwupdmgr exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.659:773) : avc:  denied  { write } for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:15.661:774) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.661:774) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5418010860 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dconf worker exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.661:774) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:15.661:775) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.661:775) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5418010860 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dconf worker exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.661:775) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:15.661:776) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.661:776) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5418010860 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dconf worker exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.661:776) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:15.661:777) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.661:777) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5418010860 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dconf worker exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.661:777) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
      ----
      type=PROCTITLE msg=audit(11/04/2025 23:10:15.661:778) : proctitle=/usr/bin/fwupdmgr security --force --json
      type=SYSCALL msg=audit(11/04/2025 23:10:15.661:778) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5418010860 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=21446 pid=21447 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dconf worker exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_core_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:15.661:778) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0

      type=PROCTITLE msg=audit(11/04/2025 23:10:41.453:787) : proctitle=/usr/bin/python3 /usr/bin/insights-client --check-results
      type=SYSCALL msg=audit(11/04/2025 23:10:41.453:787) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fc17d3e1460 a2=0x7ffeb293ec70 a3=0x0 items=0 ppid=1 pid=22483 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=insights-client exe=/usr/bin/python3.12 subj=system_u:system_r:insights_client_t:s0 key=(null)
      type=AVC msg=audit(11/04/2025 23:10:41.453:787) : avc:  denied  { getattr } for  pid=22483 comm=insights-client path=/usr/bin/rpm dev="dm-0" ino=67111303 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0

      Expected results

      No AVC for the data collection.

      Actual results

      AVC happens.
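When triaging a log like the one in this report, what matters is the set of distinct (source domain, target type, class, permission) tuples and which processes produced them, not the repeated events. The script below is an added example written for this page; it is not part of insights-core, RHEL or the audit tooling. It parses `ausearch -i` records, re-joining records that were wrapped across lines the way the ones above are, collapses the denials into the TE rules that `audit2allow` would print, and lists the `comm` values behind each source/target pair. The sample input consists of three AVC records and one PROCTITLE record copied from the output above; the function names and the `SAMPLE_AUSEARCH_OUTPUT` constant are this example's own.

```python
import re
from collections import Counter

# Added example for this report (not insights-core, RHEL or audit code).
# Sample input: records copied from the ausearch output above, kept wrapped
# across lines exactly as the report shows them, plus one PROCTITLE record
# that the parser must skip.
SAMPLE_AUSEARCH_OUTPUT = """
type=PROCTITLE msg=audit(11/04/2025 22:12:35.804:699) : proctitle=/usr/bin/python3 /usr/bin/insights-client --check-results
type=AVC msg=audit(11/04/2025 22:12:35.804:699) : avc:  denied
{ getattr } for  pid=18303 comm=insights-client path=/usr/bin/rpm dev="dm-0" ino=67111303 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(11/04/2025 23:10:15.659:769) : avc:  denied  { write }
for  pid=21447 comm=fwupdmgr name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(11/04/2025 23:10:15.661:774) : avc:  denied  { write } for  pid=21447 comm=dconf worker name=user dev="dm-0" ino=184752523 scontext=system_u:system_r:insights_core_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the lookahead keeps unquoted values containing spaces
# (such as "comm=dconf worker" above) in one piece.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def join_continuations(text):
    """Rebuild one record per line: a line that does not start with 'type='
    continues the previous record; blank lines and '----' separators are dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "----":
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name") or fields.get("path"),
        # the third component of a context is the type, e.g. insights_core_t
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def denials(text):
    """All parsed AVC records whose decision is 'denied'."""
    parsed = (parse_avc(r) for r in join_continuations(text))
    return [d for d in parsed if d is not None and d["decision"] == "denied"]


def summarize(text):
    """Map (source_type, target_type, tclass) -> Counter of denied permissions."""
    summary = {}
    for d in denials(text):
        key = (d["source_type"], d["target_type"], d["tclass"])
        summary.setdefault(key, Counter()).update(d["perms"])
    return summary


def allow_rules(text):
    """Render each distinct denial as the TE allow rule audit2allow would print
    (braces only when more than one permission is involved)."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(text).items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def commands_for(text, source_type, target_type):
    """Which processes (comm) triggered a given source -> target denial."""
    return sorted({d["comm"] for d in denials(text)
                   if d["source_type"] == source_type and d["target_type"] == target_type})


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUSEARCH_OUTPUT):
        print(rule)
    print("triggered by:", commands_for(SAMPLE_AUSEARCH_OUTPUT, "insights_core_t", "config_home_t"))
```

On the sample this prints the rule the report names, `allow insights_core_t config_home_t:file write;`, attributed to both `fwupdmgr` and its `dconf worker` thread, alongside `allow insights_client_t rpm_exec_t:file getattr;` for the insights-client events. Whether such a write should be allowed by policy or avoided by the collector is a policy decision the script leaves to the reader; it only makes the distinct denials visible. Run it against `ausearch -i -m avc -ts boot` output on a real host by replacing the sample constant.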

              Xiangce Liu (rhn-support-xialiu)
              Qianqian Zhang (qianzhan@redhat.com)
              Votes: 0
              Watchers: 7