RHEL-145268

AVC for "allow insights_core_t admin_home_t:dir create;" when collecting spec ansible_telemetry


    • Bug
    • Resolution: Unresolved
    • rhel-9.8.z
    • rhel-9.8
    • insights-core
    • insights-adv-framework

      What were you trying to do that didn't work?

      When collecting spec "ansible_telemetry" by insights-core rpm, an AVC shows up.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      [root@koza-3 ~]# rpm -qa | egrep "insights|selinux-p|ansible"
      selinux-policy-38.1.72-1.el9.noarch
      selinux-policy-targeted-38.1.72-1.el9.noarch
      insights-client-3.9.3-1.el9.noarch
      ansible-core-2.14.18-2.el9.x86_64
      insights-core-3.7.1.2-99.1.20260129074404636018.pr4684.4.ge332982ef.el9.noarch
      insights-core-selinux-3.7.2.1-41.dev.2.el9.noarch

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Install ansible-core
      2. Create a test playbook:

      cat > /tmp/test.yml << 'EOF'
      - name: Test playbook
        hosts: localhost
        connection: local
        tasks:
          - ansible.builtin.ping:
      EOF

      3. Run "ansible-playbook /tmp/test.yml"
      4. Empty the lastupload file by running `echo "" > /etc/insights-client/.lastupload`
      5. Trigger data collection:

      [root@kvm-08-guest38 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
      <no matches>
      [root@kvm-08-guest38 ~]# date +'%Y-%m-%d %H:%M' --date='3 minutes'
      2026-01-30 01:44
      [root@kvm-08-guest38 ~]#  vi /usr/lib/systemd/system/insights-client.timer
      [root@kvm-08-guest38 ~]# systemctl daemon-reload
      [root@kvm-08-guest38 ~]# systemctl restart insights-client.timer
      [root@kvm-08-guest38 ~]# sleep 3m

      6. Check AVC

      [root@kvm-08-guest38 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
      ----
      type=PROCTITLE msg=audit(01/30/2026 01:45:17.229:227) : proctitle=python3 /usr/share/ansible/telemetry/telemetry.py 
      type=PATH msg=audit(01/30/2026 01:45:17.229:227) : item=1 name=/root/.ansible/tmp/ansible-local-997364he_t5m nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(01/30/2026 01:45:17.229:227) : item=0 name=/root/.ansible/tmp/ inode=101256459 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(01/30/2026 01:45:17.229:227) : cwd=/ 
      type=SYSCALL msg=audit(01/30/2026 01:45:17.229:227) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7ff94a8a76b0 a1=0700 a2=0x0 a3=0x7ff94c111cb8 items=2 ppid=9972 pid=9973 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3 exe=/usr/bin/python3.12 subj=system_u:system_r:insights_core_t:s0 key=(null) 
      type=AVC msg=audit(01/30/2026 01:45:17.229:227) : avc:  denied  { create } for  pid=9973 comm=python3 name=ansible-local-997364he_t5m scontext=system_u:system_r:insights_core_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0

      Expected results

      Actual results

              rhn-support-xialiu Xiangce Liu
              qianzhan@redhat.com Qianqian Zhang
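
Added example (not part of the original report and not insights-core code): a small triage script that groups `ausearch -i` records by event serial and, for each AVC denial, reports the failing syscall, the executable, the path being created and the candidate allow rule for policy review, in the same form as the issue title. The names `triage`, `fields` and `SAMPLE` are hypothetical, and the sample input is the event from this report trimmed to the fields the script reads.

```python
import re
from collections import defaultdict

# Constructed sample: the audit event from the report, trimmed to the fields used below.
SAMPLE = """\
type=PATH msg=audit(01/30/2026 01:45:17.229:227) : item=1 name=/root/.ansible/tmp/ansible-local-997364he_t5m nametype=CREATE
type=PATH msg=audit(01/30/2026 01:45:17.229:227) : item=0 name=/root/.ansible/tmp/ obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=SYSCALL msg=audit(01/30/2026 01:45:17.229:227) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) comm=python3 exe=/usr/bin/python3.12 subj=system_u:system_r:insights_core_t:s0
type=AVC msg=audit(01/30/2026 01:45:17.229:227) : avc:  denied  { create } for  pid=9973 comm=python3 name=ansible-local-997364he_t5m scontext=system_u:system_r:insights_core_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\) : (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def fields(body):
    """Return the key=value pairs of a record body (values are cut at the first space)."""
    return dict(re.findall(r"(\w+)=(\S+)", body))

def triage(text):
    """Group records by event serial and return one summary dict per AVC denial."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
    out = []
    for serial, records in events.items():
        sc = next((fields(b) for t, b in records if t == "SYSCALL"), {})
        created = [fields(b).get("name") for t, b in records
                   if t == "PATH" and "nametype=CREATE" in b]
        for t, b in records:
            m = AVC.search(b) if t == "AVC" else None
            if not m:
                continue
            perms, scon, tcon, tclass = m.groups()
            stype, ttype = scon.split(":")[2], tcon.split(":")[2]  # user:role:type:level
            perms = perms.split()
            perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append({"serial": serial, "syscall": sc.get("syscall"), "exe": sc.get("exe"),
                        "path": created[0] if created else None,
                        "rule": f"allow {stype} {ttype}:{tclass} {perm_s};"})
    return out

if __name__ == "__main__":
    for denial in triage(SAMPLE):
        print(denial)
```
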