1399250 – Puppet cannot run timedatectl after upgrade to RHEL 7.3

Bug 1399250 - Puppet cannot run timedatectl after upgrade to RHEL 7.3

Summary: Puppet cannot run timedatectl after upgrade to RHEL 7.3

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1400505
TreeView+	depends on / blocked

Reported:	2016-11-28 16:15 UTC by Zdenek Pytela
Modified:	2020-03-11 15:26 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In Red Hat Enterprise Linux 7.3, SELinux denied communication between the Puppet configuration tool and the D-Bus interface when using the timedatectl command. The selinux-policy packages have been updated, and Puppet can now run timedatectl.
Clone Of:
Clones:	1400505 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:17:42 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2861261	0	None	None	None	2017-01-16 14:13:21 UTC
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Zdenek Pytela 2016-11-28 16:15:46 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.4.noarch
puppet-3.8.3-1.el7.noarch
ruby-2.0.0.598-25.el7_1.x86_64

How reproducible:
always on customer's site

Steps to Reproduce:
1. Upgrade to RHEL 7.3
2. Run the following puppet snippet:
exec { "timedatectl set-timezone 'Europe/Zurich'": }

Actual results:
type=USER_AVC 
  msg=audit(11/21/2016 15:04:49.306:59375) : 
  pid=741 
  uid=dbus auid=unset ses=unset 
  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
  msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 spid=31613 tpid=31615 
  scontext=system_u:system_r:systemd_timedated_t:s0 
  tcontext=system_u:system_r:puppetagent_t:s0 
  tclass=dbus  
  exe=/usr/bin/dbus-daemon sauid=dbus 
  hostname=? addr=? terminal=?'

Expected results:
<no user avc>

Additional info:
The puppet agent process run as puppetagent_t in RHEL 7.3:
system_u:system_r:puppetagent_t:s0 root  21280     1  0 10:18 ?        00:00:03 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

whereas in RHEL 7.2 it was running as unconfined_service_t:
system_u:system_r:unconfined_service_t:s0 root 1068 1  0 Oct28 ?       00:02:22 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

Comment 5 Thomas Mueller 2016-11-30 11:34:17 UTC

see our PR on Github: https://github.com/fedora-selinux/selinux-policy/pull/172

Comment 12 errata-xmlrpc 2017-08-01 15:17:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.