Bug 1399250

Summary: Puppet cannot run timedatectl after upgrade to RHEL 7.3
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: urgent
Target Milestone: rc
Keywords: Regression, ZStream
Type: Bug
Reporter: Zdenek Pytela <zpytela>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
Docs Contact: Mirek Jahoda <mjahoda>
CC: fkrska, lvrabec, mgrepl, mjahoda, mmalik, mueller, plautrba, pvrabec, ssekidde
Doc Type: Bug Fix
Doc Text:
In Red Hat Enterprise Linux 7.3, SELinux denied communication between the Puppet configuration tool and the D-Bus interface when using the timedatectl command. The selinux-policy packages have been updated, and Puppet can now run timedatectl.
Clones: 1400505
Bug Blocks: 1400505
Last Closed: 2017-08-01 15:17:42 UTC

Description Zdenek Pytela 2016-11-28 16:15:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.4.noarch
puppet-3.8.3-1.el7.noarch
ruby-2.0.0.598-25.el7_1.x86_64

How reproducible:
always on customer's site

Steps to Reproduce:
1. Upgrade to RHEL 7.3
2. Run the following puppet snippet:
exec { "timedatectl set-timezone 'Europe/Zurich'": }

Actual results:
type=USER_AVC 
  msg=audit(11/21/2016 15:04:49.306:59375) : 
  pid=741 
  uid=dbus auid=unset ses=unset 
  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
  msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 spid=31613 tpid=31615 
  scontext=system_u:system_r:systemd_timedated_t:s0 
  tcontext=system_u:system_r:puppetagent_t:s0 
  tclass=dbus  
  exe=/usr/bin/dbus-daemon sauid=dbus 
  hostname=? addr=? terminal=?'

Expected results:
<no user avc>

Additional info:
The puppet agent process runs as puppetagent_t in RHEL 7.3:
system_u:system_r:puppetagent_t:s0 root  21280     1  0 10:18 ?        00:00:03 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

whereas in RHEL 7.2 it was running as unconfined_service_t:
system_u:system_r:unconfined_service_t:s0 root 1068 1  0 Oct28 ?       00:02:22 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
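The denial above is raised by dbus-daemon (system_dbusd_t), which asks SELinux before delivering every message: timedated's method_return travels from systemd_timedated_t to the caller, and in 7.3 the caller is the newly confined puppetagent_t rather than unconfined_service_t, so the policy needs `allow systemd_timedated_t puppetagent_t:dbus send_msg;` that 7.2 never required. Until the updated selinux-policy is installed, the narrow stopgap is a local policy module carrying exactly that rule, not `setenforce 0` and not relabeling puppet back to unconfined. The script below is an added example, not part of this bug report or of selinux-policy: it parses a USER_AVC record into the module source that `audit2allow -M` would produce. The sample record is the one from this report joined onto a single line (as `ausearch -i -m USER_AVC` prints it); the module name puppet_timedated is an assumption.

```bash
#!/bin/bash
# Added example, not from the bug report or selinux-policy: build a minimal
# local policy module (checkmodule syntax, no refpolicy macros) from USER_AVC
# records. Needs only POSIX sed/cut/sort, so the parsing runs on any host.

# Constructed sample: the denial from this report on one line, the way
# `ausearch -i -m USER_AVC` prints it.
SAMPLE_AVC="type=USER_AVC msg=audit(11/21/2016 15:04:49.306:59375) : pid=741 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 spid=31613 tpid=31615 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:puppetagent_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"

# avc_field LINE KEY: value of KEY=... . The key must be preceded by whitespace,
# so asking for "scontext" never matches the tail of "tcontext".
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]']*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }", space separated.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_to_allow LINE: the single allow rule that silences this denial and nothing else.
avc_to_allow() {
  local src tgt cls perms
  src=$(ctx_type "$(avc_field "$1" scontext)")
  tgt=$(ctx_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  case $perms in
    *' '*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
    *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
  esac
}

# avc_to_te NAME LINE...: a complete module source, one allow rule per AVC
# record, with a deduplicated require block so the same types are declared once.
avc_to_te() {
  local name=$1 line
  shift
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  for line in "$@"; do
    printf '\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n' \
      "$(ctx_type "$(avc_field "$line" scontext)")" \
      "$(ctx_type "$(avc_field "$line" tcontext)")" \
      "$(avc_field "$line" tclass)" "$(avc_perms "$line")"
  done | sort -u
  printf '}\n\n'
  for line in "$@"; do
    avc_to_allow "$line"
  done
}

# Running the script prints the module source. On the affected host you would
# redirect it to puppet_timedated.te and then, as root:
#   checkmodule -M -m -o puppet_timedated.mod puppet_timedated.te
#   semodule_package -o puppet_timedated.pp -m puppet_timedated.mod
#   semodule -i puppet_timedated.pp
avc_to_te puppet_timedated "$SAMPLE_AVC"
```

The generated rule is deliberately as narrow as the denial: one source type, one target type, one class, one permission. On a live system `audit2allow -a -M puppet_timedated` produces the same module from the audit log. After the fixed selinux-policy from the errata is installed, `sesearch -A -s systemd_timedated_t -t puppetagent_t -c dbus` should show the rule in the shipped policy, at which point the local module is redundant and can be dropped with `semodule -r puppet_timedated`.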

Comment 5 Thomas Mueller 2016-11-30 11:34:17 UTC
see our PR on Github: https://github.com/fedora-selinux/selinux-policy/pull/172

Comment 12 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861