Vadym,
A while back while writing policy for an app that forks, I got silent denials that were not logged in the audit.log, so I could not tell what
On Mon, Nov 24, 2014 at 10:45 PM, Vadym Chepkov <vchepkov@xxxxxxxxx> wrote:
I don't have access to RHEL7 case. Should I open a new case? It is possibly related, but I can even get the current status and as I said, no avc denials.
Thanks,
Vadym
On Nov 24, 2014 2:37 AM, "Milos Malik" <mmalik@xxxxxxxxxx> wrote:
Hi Vadym,
here are 2 bugs which describe similar symptoms:
* https://bugzilla.redhat.com/show_bug.cgi?id=1014315 (Fedora)
* https://bugzilla.redhat.com/show_bug.cgi?id=1132411 (RHEL-7)
Milos Malik
----- Original Message -----
> Hi,
>
> I stumbled on a case in RHEL7, where selinux blocks calls to systemd.
> I know it's SELinux, because everything works properly after setenforce 0
>
> I added a simple manifest rule to puppet:
>
> exec { 'update TZ':
>   command => "/bin/timedatectl set-timezone ${timezone}",
>   unless  => "/bin/timedatectl status | /bin/grep -q ${timezone}",
> }
>
> What's interesting, even after I ran
>
> semodule --disable_dontaudit --build
>
> I don't see any denials.
>
> But then I created a simple cron job:
>
> # cat /etc/cron.d/debug
>
> * * * * * root /bin/timedatectl status &> /tmp/timedatectl.status
>
> # cat /tmp/timedatectl.status
>
> Failed to issue method call: Did not receive a reply. Possible causes
> include: the remote application did not send a reply, the message bus
> security policy blocked the reply, the reply timeout expired, or the
> network connection was broken.
>
> So it's not only puppet related.
>
> Is this intended behavior? Some boolean I have to change?
>
>
> Thanks,
>
> Vadym
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux