2196524 – hostnamectl and timedatectl are timeouting when running through cluster_t context

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2196524 - hostnamectl and timedatectl are timeouting when running through cluster_t context

Summary: hostnamectl and timedatectl are timeouting when running through cluster_t con...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:	Jan Fiala
URL:
Whiteboard:
Depends On:	2193346
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-09 12:01 UTC by Welterlen Benoit
Modified:	2023-11-14 17:59 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.14.3-120.el8
Doc Type:	Bug Fix
Doc Text:	.SELinux policy now allows bidirectional communication on D-Bus Previously, the SELinux policy contained rules to allow only one-way communication between two domains on the D-Bus message bus system. However, such communication must be allowed in both directions. This occurred also when the Pacemaker high-availability cluster resource manager executed the `hostnamectl` or `timedatectl` commands. As a consequence, these commands executed by Pacemaker timed out without receiving a response on D-Bus because SELinux blocked it. This update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands that require bidirectional communication on D-Bus executed by Pacemaker finish successfully.
Clone Of:	2193346
Environment:
Last Closed:	2023-11-14 15:47:46 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1680	None	Merged	Allow cluster_t dbus chat with various services	2023-05-10 09:26:51 UTC
Red Hat Issue Tracker	RHELPLAN-156737	None	None	None	2023-05-09 12:03:02 UTC
Red Hat Product Errata	RHBA-2023:7091	None	None	None	2023-11-14 15:48:23 UTC

Comment 2 Milos Malik 2023-05-10 07:31:25 UTC

A simulation of the issue on RHEL-8.9 produced the following SELinux denials in enforcing mode:
----
type=USER_AVC msg=audit(05/10/2023 03:18:18.458:324) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.40 spid=5845 tpid=5844 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/10/2023 03:18:43.436:327) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.42 spid=5848 tpid=5847 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

After removal of the timedatex package and unmasking the systemd-timedated service, the following SELinux denials appeared:
----
type=USER_AVC msg=audit(05/10/2023 03:22:53.131:344) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.51 spid=6116 tpid=6115 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/10/2023 03:23:18.141:348) : pid=573 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.53 spid=6122 tpid=6121 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.3-119.el8.noarch
selinux-policy-targeted-3.14.3-119.el8.noarch
systemd-239-75.el8.x86_64
systemd-libs-239-75.el8.x86_64
systemd-pam-239-75.el8.x86_64
systemd-udev-239-75.el8.x86_64
# ls -lZ /usr/bin/test.sh 
-rwxr-xr-x. 1 root root unconfined_u:object_r:cluster_exec_t:s0 52 May 10 03:15 /usr/bin/test.sh
# cat /usr/bin/test.sh 
#!/bin/bash

hostnamectl status
timedatectl status

# runcon system_u:system_r:initrc_t:s0 bash -c /usr/bin/test.sh
Failed to query system properties: Connection timed out
Failed to query server: Connection timed out
# sesearch -s initrc_t -t cluster_exec_t -T
type_transition initrc_t cluster_exec_t:process cluster_t;
#

Comment 3 Zdenek Pytela 2023-05-10 09:26:51 UTC

Commit to backport:
ef0d2d76e (HEAD -> rawhide, upstream/rawhide) Allow cluster_t dbus chat with various services

Comment 17 errata-xmlrpc 2023-11-14 15:47:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091

Note You need to log in before you can comment on or make changes to this bug.