Allow puppetagent_t to access timedated dbus #172

Merged
merged 1 commit into from
Nov 30, 2016

@vinzent vinzent commented Nov 22, 2016

Running a puppet exec resource with timedatectl as
command, auditd logs this error:

type=USER_AVC
  msg=audit(11/21/2016 15:04:49.306:59375) :
  pid=741
  uid=dbus auid=unset ses=unset
  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
  msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 spid=31613 tpid=31615
  scontext=system_u:system_r:systemd_timedated_t:s0
  tcontext=system_u:system_r:puppetagent_t:s0
  tclass=dbus
  exe=/usr/bin/dbus-daemon sauid=dbus
  hostname=? addr=? terminal=?'

Use the systemd_dbus_chat_timedated interface to allow
puppetagent_t the access.
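
The denial in the description above, reduced to the raw type-enforcement rule it corresponds to. This is an added example, not part of the pull request or the policy; the function names are made up here, and the sample record is the log above joined onto one line. The source type is systemd_timedated_t because the denied message is the method_return going back to the agent.

```python
import re

# The USER_AVC record from the report, joined onto one line (constructed sample).
SAMPLE = (
    "type=USER_AVC msg=audit(11/21/2016 15:04:49.306:59375) : pid=741 "
    "uid=dbus auid=unset ses=unset "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1421 "
    "spid=31613 tpid=31615 scontext=system_u:system_r:systemd_timedated_t:s0 "
    "tcontext=system_u:system_r:puppetagent_t:s0 tclass=dbus "
    "exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|msgtype)=(\S+)")


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def parse_denial(record):
    """Return perms, source/target types and class; None if not a denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(record))
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError("denial lacks fields: %s" % ", ".join(sorted(missing)))
    return {
        "perms": m.group(1).split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),
    }


def allow_rule(d):
    """Render the raw allow rule this denial corresponds to."""
    perms = d["perms"]
    perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perm)
```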

vinzent commented Nov 22, 2016

fixes a problem detected on RHEL 7.3 upgrade - see also RH support case 01744141

@@ -350,6 +350,7 @@ optional_policy(`
')

optional_policy(`
systemd_dbus_chat_timedated(puppetagent_t)
systemd_dbus_chat_timedated(puppetmaster_t)
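
Review bot: the systemd_dbus_chat_timedated(puppetagent_t) call in this optional_policy block has no comment saying why the agent domain needs to talk to timedated. A one-line comment noting that exec resources run timedatectl in puppetagent_t would record the reason next to the rule. The neighbouring systemd_dbus_chat_timedated(puppetmaster_t) line has the same gap, and if no caller in puppetmaster_t can be identified it is a candidate for removal in a follow-up, so that D-Bus access to timedated stays limited to the domains that use it.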

Access for puppetmaster_t was already set, but I don't know what business puppetmaster_t has with timedated. Maybe it slipped in erroneously?

@wrabcak wrabcak merged commit 6313e20 into fedora-selinux:rawhide-contrib Nov 30, 2016