Bug 1399250 - Puppet cannot run timedatectl after upgrade to RHEL 7.3
Summary: Puppet cannot run timedatectl after upgrade to RHEL 7.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1400505
Reported: 2016-11-28 16:15 UTC by Zdenek Pytela
Modified: 2020-03-11 15:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In Red Hat Enterprise Linux 7.3, SELinux denied communication between the Puppet configuration tool and the D-Bus interface when using the timedatectl command. The selinux-policy packages have been updated, and Puppet can now run timedatectl.
Clone Of:
: 1400505
Environment:
Last Closed: 2017-08-01 15:17:42 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2861261 | 0 | None | None | None | 2017-01-16 14:13:21 UTC
Red Hat Product Errata | RHBA-2017:1861 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2017-08-01 17:50:24 UTC

Description Zdenek Pytela 2016-11-28 16:15:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.4.noarch
puppet-3.8.3-1.el7.noarch
ruby-2.0.0.598-25.el7_1.x86_64

How reproducible:
always on customer's site

Steps to Reproduce:
1. Upgrade to RHEL 7.3
2. Run the following puppet snippet:
exec { "timedatectl set-timezone 'Europe/Zurich'": }

Actual results:
type=USER_AVC 
  msg=audit(11/21/2016 15:04:49.306:59375) : 
  pid=741 
  uid=dbus auid=unset ses=unset 
  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
  msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 spid=31613 tpid=31615 
  scontext=system_u:system_r:systemd_timedated_t:s0 
  tcontext=system_u:system_r:puppetagent_t:s0 
  tclass=dbus  
  exe=/usr/bin/dbus-daemon sauid=dbus 
  hostname=? addr=? terminal=?'

Expected results:
<no user avc>

Additional info:
The puppet agent process runs as puppetagent_t in RHEL 7.3:
system_u:system_r:puppetagent_t:s0 root  21280     1  0 10:18 ?        00:00:03 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

whereas in RHEL 7.2 it was running as unconfined_service_t:
system_u:system_r:unconfined_service_t:s0 root 1068 1  0 Oct28 ?       00:02:22 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
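
Added example (not part of the original report, and not Red Hat's fix): a small parser for the USER_AVC record quoted under "Actual results". It separates the enforcing object manager (dbus-daemon, outer subj=) from the two ends of the denied message and prints an audit2allow-style candidate rule for review. The names parse_user_avc and candidate_rule are hypothetical, and the printed rule is not claimed to be what the erratum shipped.

```python
import re

# Constructed sample: the USER_AVC record from this report joined onto one
# line (ausearch -i style timestamp kept exactly as reported).
SAMPLE = (
    "type=USER_AVC msg=audit(11/21/2016 15:04:49.306:59375) : pid=741 uid=dbus "
    "auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 "
    "spid=31613 tpid=31615 scontext=system_u:system_r:systemd_timedated_t:s0 "
    "tcontext=system_u:system_r:puppetagent_t:s0 tclass=dbus  "
    "exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_user_avc(record):
    """Parse a single-line USER_AVC denial; return None for anything else."""
    if not record.startswith("type=USER_AVC"):
        return None
    avc = AVC_RE.search(record)
    if avc is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", avc.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # The outer subj= is the userspace object manager that made the decision
    # (dbus-daemon here), not either end of the denied message.
    enforcer = re.search(r"\bsubj=(\S+)", record)
    return {
        "perms": avc.group("perms").split(),
        "source_type": setype(fields["scontext"]),
        "target_type": setype(fields["tcontext"]),
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),
        "enforcer_type": setype(enforcer.group(1)) if enforcer else None,
    }

def candidate_rule(denial):
    """Format the denial as an audit2allow-style rule for review."""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {source_type} {target_type}:{tclass} {0};".format(perm_text, **denial)

if __name__ == "__main__":
    print(candidate_rule(parse_user_avc(SAMPLE)))
```

The msgtype=method_return field shows that the denied message is the reply from systemd_timedated_t back to puppetagent_t, so the source type in the record is the service, not Puppet.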

Comment 5 Thomas Mueller 2016-11-30 11:34:17 UTC
See our PR on GitHub: https://github.com/fedora-selinux/selinux-policy/pull/172

Comment 12 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

