Description (Welterlen Benoit, 2023-05-05 10:58:09 UTC)
Description of problem:
Customer is facing some AVCs when he runs hostnamectl and timedatectl from a process created through pacemaker, and thus with an inherited cluster_t context:
~~~
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.189 spid=18983 tpid=18982 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.191 spid=19456 tpid=19454 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
~~~
Version-Release number of selected component (if applicable):
RHEL 7
selinux-policy-targeted-3.13.1-268.el7.noarch
How reproducible:
Always
Steps to Reproduce:
1. run a hostnamectl or timedatectl in cluster_t context
Actual results:
the dbus message is sent but the answer is blocked
Expected results:
dbus message received and no timeout
Additional info:
Similar issues seen for other calling apps and contexts, but with the same purpose:
https://bugzilla.redhat.com/show_bug.cgi?id=2154245
https://bugzilla.redhat.com/show_bug.cgi?id=1667016
https://bugzilla.redhat.com/show_bug.cgi?id=1656814
Current workaround from this KCS: https://access.redhat.com/solutions/3814531
Created the SELinux custom module as shown below.
1) Installed the selinux-policy-devel package on our build server.
2) Wrote the custom module under the name onlineaudit.te.
~~~
# cd /usr/share/selinux/devel/
# cat onlineaudit.te
module onlineaudit 1.0;

require {
    attribute domain;
    class dbus send_msg;
    type cluster_t;   # we picked this SELinux type from the audit log error
}

# Allow all domains to send back a dbus response
allow domain cluster_t : dbus send_msg;
~~~
3) Compiled the custom module using the command below.
~~~
# make onlineaudit.pp
~~~
4) Finally transferred the onlineaudit.pp module file to the target OCC server and loaded the custom module into the policy using the command below.
~~~
# semodule -i onlineaudit.pp
~~~
5) Verified whether the custom module is loaded into the policy. After that, the script works fine through Java.
~~~
# semanage module -l | grep onlineaudit
onlineaudit 400 pp
~~~
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. RHEL 7.9 was the last scheduled minor release.
During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase
This BZ is being closed WONTFIX. Please re-open this request if it is critical for the customer and provide a thorough business justification.
As a workaround, the following local policy module can be used:
~~~
# cat local_cluster_dbus.cil
(allow cluster_t systemd_hostnamed_t (dbus (send_msg)))
(allow systemd_hostnamed_t cluster_t (dbus (send_msg)))
(allow cluster_t systemd_timedated_t (dbus (send_msg)))
(allow systemd_timedated_t cluster_t (dbus (send_msg)))
# semodule -i local_cluster_dbus.cil
~~~
Also note that a fix with similar content will be applied to RHEL 8 and RHEL 9.
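As an added example (not part of the bug report, the KCS article or Red Hat's comment), the following Python script turns USER_AVC dbus denials such as the two quoted above into the narrowly scoped CIL rules Red Hat gives as the workaround, instead of the `domain`-wide rule in the KCS module. The sample log is constructed from the two audit records in the bug plus one made-up non-dbus denial that the filter must skip.

```python
import re

# Constructed sample log: the two USER_AVC records quoted in the bug, plus one
# made-up file denial (not from the bug) that is not a dbus denial and must be ignored.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(04/26/23 08:27:01.918:2156) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.189 spid=18983 tpid=18982 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/26/23 08:27:26.940:2167) : pid=993 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.191 spid=19456 tpid=19454 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=AVC msg=audit(1682490000.000:2200): avc:  denied  { read } for  pid=1 comm="example" scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Matches the permission set and the three context fields of an AVC or USER_AVC record.
AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def dbus_denials(audit_text):
    """Yield (source_type, target_type, permission) for every dbus-class denial."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "dbus":
            continue  # not an AVC, or a denial on another object class
        for perm in m.group("perms").split():
            yield selinux_type(m.group("scon")), selinux_type(m.group("tcon")), perm


def cil_rules(audit_text):
    """Build the minimal CIL allow rules for the observed dbus denials.

    Each denied direction gets a rule, and so does the reverse direction, because a
    D-Bus method call needs send_msg from caller to service for the request and from
    service to caller for the reply.  Only the types seen in the log are named, so
    the result is far narrower than `allow domain cluster_t : dbus send_msg;`.
    """
    rules = set()
    for src, tgt, perm in dbus_denials(audit_text):
        rules.add(f"(allow {src} {tgt} (dbus ({perm})))")
        rules.add(f"(allow {tgt} {src} (dbus ({perm})))")
    return sorted(rules)


if __name__ == "__main__":
    # Output is ready to save as a .cil file and load with `semodule -i`.
    print("\n".join(cil_rules(SAMPLE_AUDIT)))
```

Feed it real `ausearch -m USER_AVC,AVC` output instead of the sample to get rules limited to the domains that were actually denied.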