Bug 2193346 - hostnamectl and timedatectl are timing out when running through cluster_t context
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2196524
Reported: 2023-05-05 10:58 UTC by Welterlen Benoit
Modified: 2023-05-10 09:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2196524
Environment:
Last Closed: 2023-05-10 09:25:22 UTC
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links:
Red Hat Issue Tracker RHELPLAN-156503 (last updated 2023-05-05 10:58:50 UTC)

Description Welterlen Benoit 2023-05-05 10:58:09 UTC
Description of problem:
Customer is facing some AVCs when he runs hostnamectl and timedatectl from a process created through pacemaker, thus with an inherited cluster_t context:

~~~
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.189 spid=18983 tpid=18982 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.191 spid=19456 tpid=19454 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
~~~

Version-Release number of selected component (if applicable):
RHEL 7
selinux-policy-targeted-3.13.1-268.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. run a hostnamectl or timedatectl in cluster_t context

Actual results:
 the dbus message is sent but the answer is blocked

Expected results:
 dbus message received and no timeout

Additional info:

Similar issues seen for other calling apps and contexts, but with the same purpose: https://bugzilla.redhat.com/show_bug.cgi?id=2154245
https://bugzilla.redhat.com/show_bug.cgi?id=1667016
https://bugzilla.redhat.com/show_bug.cgi?id=1656814
Current workaround from this KCS:  https://access.redhat.com/solutions/3814531


Created the SELinux custom module as shown below. 

1) Installed the selinux-policy-devel package on our build server.

2) Wrote the custom module under the name onlineaudit.te.

# cd /usr/share/selinux/devel/

# cat onlineaudit.te

~~~
module onlineaudit 1.0;

require {
    attribute domain;
    class dbus send_msg;
    type cluster_t;    # this SELinux type we picked from the audit log error
}

# Allow all domains to send back dbus response
allow domain cluster_t : dbus send_msg;
~~~

3) Compiled the custom module using the below command.

# make onlineaudit.pp

4) Finally transferred the onlineaudit.pp module file to the target OCC server and loaded the custom module into the policy using the below command.

# semodule -i onlineaudit.pp

5) Verified whether the custom module is loaded into the policy. After that, the script works fine through Java.

# semanage module -l | grep onlineaudit
onlineaudit               400       pp

Comment 3 Zdenek Pytela 2023-05-10 09:25:22 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. RHEL 7.9 was the last scheduled minor release.
During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase

This BZ is being closed WONTFIX. Please re-open this request if it is critical for the customer and provide a thorough business justification.

As a workaround, the following local policy module can be used:

  # cat local_cluster_dbus.cil
(allow cluster_t systemd_hostnamed_t (dbus (send_msg)))
(allow systemd_hostnamed_t cluster_t (dbus (send_msg)))
(allow cluster_t systemd_timedated_t (dbus (send_msg)))
(allow systemd_timedated_t cluster_t (dbus (send_msg)))

  # semodule -i local_cluster_dbus.cil

Also note that a fix with similar content will be applied to RHEL 8 and RHEL 9.
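As an added example (not from this bug report or from Red Hat's policy), the following Python script reads USER_AVC records like the ones quoted in the description and generates the narrow per-pair CIL rules of the local_cluster_dbus.cil module above, instead of the reporter's `allow domain cluster_t : dbus send_msg` rule, which grants every domain on the system send_msg towards cluster_t. The audit excerpt is constructed from the two lines in the report plus two constructed records; the function names are the author's own.

```python
import re

# Constructed audit excerpt: the two USER_AVC records quoted in this bug, a
# constructed repeat of the timedated denial, and a constructed non-dbus (file)
# denial that the generator must ignore.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.189 spid=18983 tpid=18982 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.191 spid=19456 tpid=19454 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/26/23 08:27:27.100:2168) : pid=993 uid=dbus msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.192 spid=19470 tpid=19469 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon'
type=AVC msg=audit(04/26/23 08:28:00.000:2170) : avc:  denied  { read } for  pid=19500 comm=pacemakerd name=hostname scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Matches both the kernel AVC and the dbus-daemon USER_AVC shape: permission
# set in braces, then the scontext/tcontext/tclass key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Type field of 'user:role:type[:range]'; the MLS range may itself hold
    ':' (s0-s0:c0.c1023), so index from the front."""
    return ctx.split(":")[2]

def dbus_denials(audit_text):
    """(source_type, target_type) for every dbus send_msg denial, in order."""
    pairs = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "dbus":
            continue
        if "send_msg" not in m.group("perms").split():
            continue
        pairs.append((context_type(m.group("scon")), context_type(m.group("tcon"))))
    return pairs

def cil_rules(pairs, both_directions=True):
    """One CIL allow per denied (source, target) pair, de-duplicated and sorted.
    A D-Bus call needs send_msg in both directions (request and method_return),
    so the reverse rule is added too, the same shape as local_cluster_dbus.cil."""
    rules = set()
    for src, tgt in pairs:
        rules.add(f"(allow {src} {tgt} (dbus (send_msg)))")
        if both_directions:
            rules.add(f"(allow {tgt} {src} (dbus (send_msg)))")
    return sorted(rules)

if __name__ == "__main__":
    # Save the output as e.g. local_cluster_dbus.cil and load it with semodule -i
    print("\n".join(cil_rules(dbus_denials(SAMPLE_AUDIT))))
```

On the sample input the output is exactly the four rules of the module in comment 3; the file denial is skipped because its tclass is not dbus.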

