Bug 2193346
| Summary: | hostnamectl and timedatectl are timing out when running through cluster_t context | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Welterlen Benoit <bwelterl> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.9 | CC: | lvrabec, mmalik, vmojzis |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 2196524 (view as bug list) | Environment: | |
| Last Closed: | 2023-05-10 09:25:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2196524 | | |
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. RHEL 7.9 was the last scheduled minor release. During the Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase

This BZ is being closed WONTFIX. Please re-open this request if it is critical for the customer and provide a thorough business justification.

As a workaround, the following local policy module can be used:

~~~
# cat local_cluster_dbus.cil
(allow cluster_t systemd_hostnamed_t (dbus (send_msg)))
(allow systemd_hostnamed_t cluster_t (dbus (send_msg)))
(allow cluster_t systemd_timedated_t (dbus (send_msg)))
(allow systemd_timedated_t cluster_t (dbus (send_msg)))
# semodule -i local_cluster_dbus.cil
~~~

Also note that a fix with similar content will be applied to RHEL 8 and RHEL 9.
Description of problem:

Customer is facing some AVCs when he runs hostnamectl and timedatectl from a process created through pacemaker, thus with an inherited cluster_t context:

~~~
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.189 spid=18983 tpid=18982 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.191 spid=19456 tpid=19454 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
~~~

Version-Release number of selected component (if applicable):
RHEL 7 selinux-policy-targeted-3.13.1-268.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. run hostnamectl or timedatectl in cluster_t context

Actual results:
the dbus message is sent but the answer is blocked

Expected results:
dbus message received and no timeout

Additional info:
Similar issues seen for other calling apps and contexts, but same purpose:
https://bugzilla.redhat.com/show_bug.cgi?id=2154245
https://bugzilla.redhat.com/show_bug.cgi?id=1667016
https://bugzilla.redhat.com/show_bug.cgi?id=1656814

Current workaround from this KCS: https://access.redhat.com/solutions/3814531

Created the SELinux custom module as shown below.

1) Installed the selinux-policy-devel package on our build server.

2) Wrote the custom module in the name of onlineaudit.te.
~~~
# cd /usr/share/selinux/devel/
# cat onlineaudit.te
module onlineaudit 1.0;

require {
    attribute domain;
    class dbus send_msg;
    type cluster_t;   # This selinux type we picked from the audit log error.
}

# Allow all domains to send back dbus response
allow domain cluster_t : dbus send_msg;
~~~

3) Compiled the custom module using the below command.

~~~
# make onlineaudit.pp
~~~

4) Finally transferred the onlineaudit.pp module file to the target OCC server and loaded the custom module into the policy using the below command.

~~~
# semodule -i onlineaudit.pp
~~~

5) Verified whether the custom module is loaded into the policy. Post that, the script works fine through java.

~~~
# semanage module -l | grep onlineaudit
onlineaudit    400    pp
~~~
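The following is an added example, not code from the bug report, the KCS article or selinux-policy. It shows a small POSIX shell helper that turns USER_AVC `dbus send_msg` denials such as the two in the description into a pairwise CIL module of the same shape as the maintainer's `local_cluster_dbus.cil` (one rule per direction for each source/target type pair), instead of the broad `allow domain cluster_t : dbus send_msg;` rule in the `.te` module above, which lets every domain on the system send D-Bus messages to cluster_t. The function names, the output file name and the embedded sample lines (condensed copies of the AVCs above plus one constructed non-dbus denial to show filtering) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): derive a
# pairwise CIL module from USER_AVC dbus send_msg denials. Function names and
# the sample input below are this example's own assumptions.

# Constructed sample input: the two denials from the report, condensed to the
# fields the parser needs, plus one unrelated file denial that must be ignored.
sample_avcs() {
  cat <<'EOF'
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.189 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon'
type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.191 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon'
type=AVC msg=audit(04/26/23 08:27:30.000:2170) : avc: denied { read } for pid=1 comm="x" scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Read audit lines on stdin and print one CIL allow rule per direction for
# every dbus send_msg denial, de-duplicated. Only the type (third field of a
# context) is used, so MLS ranges such as s0-s0:c0.c1023 do not matter. Both
# directions are emitted, as in the maintainer's module, because a D-Bus
# method call and its method_return are separate send_msg checks.
avc_dbus_to_cil() {
  awk '
    index($0, "avc: denied { send_msg }") && index($0, "tclass=dbus") {
      src = ""; tgt = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); src = a[3] }
        if (index($i, "tcontext=") == 1) { split(substr($i, 10), b, ":"); tgt = b[3] }
      }
      if (src != "" && tgt != "") {
        print "(allow " src " " tgt " (dbus (send_msg)))"
        print "(allow " tgt " " src " (dbus (send_msg)))"
      }
    }' | LC_ALL=C sort -u
}

# Write the rules from stdin to the CIL file given as $1. Fails (non-zero)
# when nothing matched, so an empty module is never handed to semodule.
# Loading and checking are left to the operator since they need root and
# change the running policy:
#   ausearch -m USER_AVC -ts recent | write_cil_module local_cluster_dbus.cil
#   semodule -i local_cluster_dbus.cil
#   sesearch -A -s cluster_t -t systemd_hostnamed_t -c dbus -p send_msg
write_cil_module() {
  avc_dbus_to_cil > "$1"
  [ -s "$1" ]
}

# Demo on the constructed sample: prints four rules covering both daemons.
sample_avcs | avc_dbus_to_cil
```

Run against real data with `ausearch -m USER_AVC -ts recent | write_cil_module local_cluster_dbus.cil`; review the output before `semodule -i`, because any dbus send_msg denial in the window, not only the cluster_t ones, becomes a rule.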