Azure/Guest-Configuration-Extension

SELinux is preventing "some services" from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log


This issue occurs on servers with SELinux. We get a lot of messages, and in /var/log/messages we can see the following notifications:

Mar  1 12:46:28 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/sshd from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log. For complete SELinux messages run: sealert -l 8f38df4b-f9d6-41b4-bafd-84a7f3b43ae5
Mar  1 12:46:28 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/sshd from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore sshd trying to append access the gc_agent.log file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/sbin/sshd --raw | audit2allow -D -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that sshd should be allowed append access on the gc_agent.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar  1 12:46:28 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/xtables-nft-multi from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log. For complete SELinux messages run: sealert -l 29c2967a-bc43-422c-9823-98b4a7b9ceeb
Mar  1 12:46:28 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/xtables-nft-multi from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore xtables-nft-multi trying to append access the gc_agent.log file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/sbin/xtables-nft-multi --raw | audit2allow -D -M my-iptables#012# semodule -X 300 -i my-iptables.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that xtables-nft-multi should be allowed append access on the gc_agent.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'iptables' --raw | audit2allow -M my-iptables#012# semodule -X 300 -i my-iptables.pp#012
Mar  1 12:46:23 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/ip from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log. For complete SELinux messages run: sealert -l cb345d13-a4af-4fd4-b6fd-9366f99d4fa0
Mar  1 12:46:23 ora-scm-0 setroubleshoot[607564]: SELinux is preventing /usr/sbin/ip from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore ip trying to append access the gc_agent.log file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/sbin/ip --raw | audit2allow -D -M my-ip#012# semodule -X 300 -i my-ip.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that ip should be allowed append access on the gc_agent.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ip' --raw | audit2allow -M my-ip#012# semodule -X 300 -i my-ip.pp#012

Could you tell me if this behavior is OK? How can we solve it without changing the SELinux context? Why are these services trying to get append access to gc_agent.log?

OS: Red Hat Enterprise Linux 8.6
Guest Configuration Agent for Linux version: 1.26.39
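
A triage sketch for messages like the ones above, added here as an example (it is not part of the original issue or of the Guest Configuration project): it undoes the syslog `#012` newline escaping and groups setroubleshoot denials by target file and access, so one file hit by several unrelated binaries shows up as a single finding with its plugin confidences. The sample records are constructed from the format shown in the issue, and `unescape`, `summarize` and `top_plugin` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed records in the setroubleshoot syslog format shown above (host, PID and text shortened).
SAMPLE = "\n".join([
    "Mar  1 12:46:28 host1 setroubleshoot[1001]: SELinux is preventing /usr/sbin/sshd from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log.#012#012*****  Plugin leaks (86.2 confidence) suggests   ***#012#012*****  Plugin catchall (14.7 confidence) suggests   ***#012",
    "Mar  1 12:46:28 host1 setroubleshoot[1001]: SELinux is preventing /usr/sbin/sshd from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log. For complete SELinux messages run: sealert -l <id>",
    "Mar  1 12:46:23 host1 setroubleshoot[1001]: SELinux is preventing /usr/sbin/ip from append access on the file /var/lib/GuestConfig/gc_agent_logs/gc_agent.log.#012#012*****  Plugin leaks (86.2 confidence) suggests   ***#012#012*****  Plugin catchall (14.7 confidence) suggests   ***#012",
])

DENIAL = re.compile(
    r"setroubleshoot\[\d+\]: SELinux is preventing (?P<source>\S+) from "
    r"(?P<access>.+?) access on the (?P<tclass>\w+) (?P<target>/\S+?)\.(?=\s|$)"
)
PLUGIN = re.compile(r"Plugin (\w+) \(([\d.]+) confidence\)")
ESCAPED = re.compile(r"#(0[0-3][0-7])")  # octal 000-037, i.e. control characters only


def unescape(record):
    """Turn syslog's #ooo octal escapes (e.g. #012 = newline) back into control characters."""
    return ESCAPED.sub(lambda m: chr(int(m.group(1), 8)), record)


def summarize(log_text):
    """Group denials by (target, access); collect the source binaries and plugin confidences."""
    groups = defaultdict(lambda: {"sources": set(), "plugins": {}})
    for record in log_text.splitlines():
        msg = unescape(record)
        hit = DENIAL.search(msg)
        if not hit:
            continue
        entry = groups[(hit["target"], hit["access"])]
        entry["sources"].add(hit["source"])
        for name, conf in PLUGIN.findall(msg):
            entry["plugins"][name] = max(float(conf), entry["plugins"].get(name, 0.0))
    return dict(groups)


def top_plugin(entry):
    """Name of the highest-confidence setroubleshoot plugin for a group, or None."""
    return max(entry["plugins"], key=entry["plugins"].get, default=None)


if __name__ == "__main__":
    for (target, access), entry in summarize(SAMPLE).items():
        print(f"{access} on {target}: sources={sorted(entry['sources'])} top plugin={top_plugin(entry)}")
```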