PowerShell 7.x Linux not honoring opt-out env variables #16112

@Zimeon-

Prerequisites

Steps to reproduce

I have a Rocky Linux 8 installation with PowerShell 7.1.4. I use PowerShell for monitoring and run pwsh to get a set of results. I've added the opt-out environment variables to systemd as follows.

systemctl edit zabbix-server

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry?view=powershell-7.1
https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry

[Service]
Environment=POWERSHELL_TELEMETRY_OPTOUT=1
Environment=DOTNET_TELEMETRY_OPTOUT=1
Environment=POWERSHELL_CLI_TELEMETRY_OPTOUT=1
Environment=DOTNET_CLI_TELEMETRY_OPTOUT=1

printenv gives me the optout parameters as expected when verifying.

printenv
LANG=en_US.UTF-8
INVOCATION_ID=69a4bad5f0c14cf4b291504873445d19
PWD=/
JOURNAL_STREAM=9:66980
CONFFILE=/etc/zabbix/zabbix_server.conf
POWERSHELL_CLI_TELEMETRY_OPTOUT=1
DOTNET_TELEMETRY_OPTOUT=1
DOTNET_CLI_TELEMETRY_OPTOUT=1
SHLVL=1
POWERSHELL_TELEMETRY_OPTOUT=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
_=/usr/bin/printenv

Related issues would be "running ps1 script create temp file in everytime" #11599 and "PowerShell ignoring telemetry opt-out options, tries to call home regularly" #10005

Expected behavior

Expecting powershell to run without telemetry, not trying to gather data that selinux denies for the user.

Actual behavior

Each run of PowerShell generates a folder in /tmp/ as follows:

04ad7c7a-7fd1-4465-9b31-38b83f70fcc1/
.cache/powershell/StartupProfileData-NonInteractive
15661dc5-9fdc-42ed-bf20-12d902193070/
30544f3e-6e5b-47d2-be8d-e2518802caa3/
.....

Each time a PowerShell script is run with the service user, SELinux gives loads of denied events like the following:
#tail -f /var/log/audit/audit.log | grep denied
.......
type=AVC msg=audit(1631798453.792:11014): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/sbin/lvm" dev="dm-0" ino=492056 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631798453.792:11016): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/rpm" dev="dm-0" ino=50624503 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631798453.792:11017): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/gpg" dev="dm-0" ino=50706017 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:gpg_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631798453.792:11018): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/dnf-3" dev="dm-0" ino=50725090 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631798453.792:11020): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/sudo" dev="dm-0" ino=50755282 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1631798453.792:11021): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/hostname" dev="dm-0" ino=50800802 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
.......

Error details

No response

Environment data

> uname -a
Linux 4.18.0-305.17.1.el8_4.x86_64 #1 SMP Wed Sep 8 16:42:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

> dnf list installed | grep powershell
powershell.x86_64                    7.1.4-1.rhel.7                            @packages-microsoft-com-prod

Visuals

No response
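Added example, not part of the original report and not PowerShell project code: a small Python triage helper for AVC denials like the ones quoted above. It decodes the hex-encoded comm field and groups the denials by source type, target type and class. The function names are illustrative; the three sample records are copied from the audit.log excerpt in the report.

```python
import re
from collections import defaultdict

# Three records copied from the audit.log excerpt in the report above.
SAMPLE = [
    'type=AVC msg=audit(1631798453.792:11014): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/sbin/lvm" dev="dm-0" ino=492056 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1631798453.792:11016): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/rpm" dev="dm-0" ino=50624503 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1631798453.792:11018): avc:  denied  { getattr } for  pid=5141 comm=506970656C696E6520457865637574 path="/usr/bin/dnf-3" dev="dm-0" ino=50725090 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_string(value):
    """auditd quotes plain strings and hex-encodes ones containing spaces
    or control characters, which is why comm looks opaque in the report."""
    if value.startswith('"'):
        return value.strip('"')
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group(2)))
    return {"perms": m.group(1).split(), "tclass": f.get("tclass", ""),
            "comm": decode_audit_string(f.get("comm", "")),
            "path": decode_audit_string(f.get("path", "")),
            "source": selinux_type(f.get("scontext", "")),
            "target": selinux_type(f.get("tcontext", ""))}

def summarize(lines):
    """Group denials by (source type, target type, class) for triage."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "comms": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["paths"].add(rec["path"])
        g["comms"].add(rec["comm"])
    return dict(groups)
```

On the sample records, `summarize(SAMPLE)` yields two groups, both with source type `zabbix_t` and permission `getattr`, and the comm value decodes to `Pipeline Execut` (the kernel caps comm at 15 characters).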

Labels: Issue-Bug (Issue has been identified as a bug in the product); Resolution-Duplicate (The issue is a duplicate.); WG-Engine (core PowerShell engine, interpreter, and runtime)