SELinux policy now allows bidirectional communication on D-Bus
Previously, the SELinux policy contained rules that allowed only one-way communication between two domains on the D-Bus message bus system. However, such communication must be allowed in both directions. This also occurred when the Pacemaker high-availability cluster resource manager executed the `hostnamectl` or `timedatectl` commands. As a consequence, these commands executed by Pacemaker timed out without receiving a response on D-Bus, because SELinux blocked the reply. This update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands executed by Pacemaker that require bidirectional communication on D-Bus finish successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:7091
A simulation of the issue on RHEL-8.9 produced the following SELinux denials in enforcing mode:
----
type=USER_AVC msg=audit(05/10/2023 03:18:18.458:324) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.40 spid=5845 tpid=5844 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/10/2023 03:18:43.436:327) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.42 spid=5848 tpid=5847 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
After removal of the timedatex package and unmasking the systemd-timedated service, the following SELinux denials appeared:
----
type=USER_AVC msg=audit(05/10/2023 03:22:53.131:344) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.51 spid=6116 tpid=6115 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/10/2023 03:23:18.141:348) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.53 spid=6122 tpid=6121 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.3-119.el8.noarch
selinux-policy-targeted-3.14.3-119.el8.noarch
systemd-239-75.el8.x86_64
systemd-libs-239-75.el8.x86_64
systemd-pam-239-75.el8.x86_64
systemd-udev-239-75.el8.x86_64
# ls -lZ /usr/bin/test.sh
-rwxr-xr-x. 1 root root unconfined_u:object_r:cluster_exec_t:s0 52 May 10 03:15 /usr/bin/test.sh
# cat /usr/bin/test.sh
#!/bin/bash
hostnamectl status
timedatectl status
# runcon system_u:system_r:initrc_t:s0 bash -c /usr/bin/test.sh
Failed to query system properties: Connection timed out
Failed to query server: Connection timed out
# sesearch -s initrc_t -t cluster_exec_t -T
type_transition initrc_t cluster_exec_t:process cluster_t;
#
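As an added illustration (not code from the bug report or from the selinux-policy package), the following Python parses two of the USER_AVC records quoted above and, for each denied `method_return`, derives the missing reverse-direction `dbus send_msg` rule. The set of already-allowed domain pairs is an assumption standing in for what `sesearch` would report on the affected policy.

```python
import re

# Two of the USER_AVC records quoted in this report (copied from it, not constructed).
SAMPLE_AUDIT_LINES = [
    "type=USER_AVC msg=audit(05/10/2023 03:18:18.458:324) : pid=573 uid=dbus "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.40 spid=5845 tpid=5844 "
    "scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 "
    "tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(05/10/2023 03:18:43.436:327) : pid=573 uid=dbus "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.42 spid=5848 tpid=5847 "
    "scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:cluster_t:s0 "
    "tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'",
]

# Assumption: (source, target) pairs the loaded policy already allows dbus send_msg for.
# A method_return can only be denied if the matching method_call got through, so the
# call direction (cluster_t -> service) was allowed while the reply direction was not.
KNOWN_ALLOWED = {("cluster_t", "systemd_hostnamed_t"), ("cluster_t", "timedatex_t")}

AVC_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)")
MSGTYPE_RE = re.compile(r"msgtype=(\S+)")

def domain_of(context):
    # SELinux context is user:role:type:range; the type is the domain we care about.
    return context.split(":")[2]

def parse_dbus_denials(lines):
    """Extract dbus-class denials as dicts with source/target domain, perms and msgtype."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if m is None or m.group("tclass") != "dbus":
            continue
        mt = MSGTYPE_RE.search(line)
        denials.append({"source": domain_of(m.group("sctx")),
                        "target": domain_of(m.group("tctx")),
                        "perms": m.group("perms").split(),
                        "msgtype": mt.group(1) if mt else None})
    return denials

def missing_reverse_rules(denials, allowed):
    """For each denied send_msg whose opposite direction is allowed, emit the missing rule."""
    rules = set()
    for d in denials:
        if "send_msg" not in d["perms"]:
            continue
        forward, reverse = (d["target"], d["source"]), (d["source"], d["target"])
        if forward in allowed and reverse not in allowed:
            rules.add(f"allow {d['source']} {d['target']}:dbus send_msg;")
    return sorted(rules)

if __name__ == "__main__":
    for rule in missing_reverse_rules(parse_dbus_denials(SAMPLE_AUDIT_LINES), KNOWN_ALLOWED):
        print(rule)
```

`audit2allow` would generate the same allow rules from these records; the point of the script is the directionality check, which shows that the reply path is the only missing half.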