abrt version: 2.0.5
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.0.0-1.fc16.x86_64
reason: SELinux is preventing /bin/bash from 'getattr' accesses on the archivo /lib/systemd/system/chronyd.service.
time: Wed Aug 17 07:07:43 2011
description:
:SELinux is preventing /bin/bash from 'getattr' accesses on the archivo /lib/systemd/system/chronyd.service.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that bash should be allowed getattr access on the chronyd.service file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep service /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:systemd_unit_file_t:s0
:Target Objects                /lib/systemd/system/chronyd.service [ file ]
:Source                        service
:Source Path                   /bin/bash
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           bash-4.2.10-4.fc16
:Target RPM Packages           chrony-1.26-1.fc16
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1
:                              SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    mié 17 ago 2011 07:04:10 COT
:Last Seen                     mié 17 ago 2011 07:05:21 COT
:Local ID                      47930618-ac46-4c46-b4f7-7ee8bdbe4f38
:
:Raw Audit Messages
:type=AVC msg=audit(1313582721.26:155): avc: denied { getattr } for pid=5556 comm="service" path="/lib/systemd/system/chronyd.service" dev=dm-0 ino=26130 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1313582721.26:155): arch=x86_64 syscall=stat success=no exit=EACCES a0=cec3c0 a1=7fffe9f04300 a2=7fffe9f04300 a3=8 items=0 ppid=5543 pid=5556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=service exe=/bin/bash subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
:
:Hash: service,gnomeclock_t,systemd_unit_file_t,file,getattr
:
:audit2allow
:
:#============= gnomeclock_t ==============
:allow gnomeclock_t systemd_unit_file_t:file getattr;
:
:audit2allow -R
:
:#============= gnomeclock_t ==============
:allow gnomeclock_t systemd_unit_file_t:file getattr;
:
Does /usr/libexec/gsd-datetime-mechanism actually need to start and stop chronyd system daemon?
(In reply to comment #1)
> Does /usr/libexec/gsd-datetime-mechanism actually need to start and stop
> chronyd system daemon?

I would assume that that is how enabling/disabling 'Network time' works.
Then we need to add a label for the chronyd unit file and make a similar change to the one we have for gnomeclock and ntpd.

Iván,
could you test it in permissive mode and add all AVC msgs which you see?

# setenforce 0

re-test it.

# ausearch -m avc -ts recent
# setenforce 1
(In reply to comment #3)
> Then we need to add a label for chronyd unit file and make the similar change
> which we have for gnomeclock and ntpd.
>
> Iván,
> could you test it in permissive mode and add all AVC msgs which you see?
>
> # setenforce 0
>
> re-test it.
>
> # ausearch -m avc -ts recent
> # setenforce 1

here is the output:

----
time->Mon Aug 22 19:43:30 2011
type=SYSCALL msg=audit(1314056610.487:44): arch=c000003e syscall=16 success=no exit=-13 a0=f a1=4c05 a2=7fffd39fcd60 a3=0 items=0 ppid=1 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisks-daemon" exe="/usr/libexec/udisks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314056610.487:44): avc: denied { getattr } for pid=1488 comm="udisks-daemon" path="/osmin" dev=loop0 ino=2 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Mon Aug 22 19:43:30 2011
type=SYSCALL msg=audit(1314056610.543:45): arch=c000003e syscall=16 success=no exit=-13 a0=f a1=4c05 a2=7fffd39fcd60 a3=0 items=0 ppid=1 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisks-daemon" exe="/usr/libexec/udisks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314056610.543:45): avc: denied { getattr } for pid=1488 comm="udisks-daemon" path="/LiveOS/ext3fs.img" dev=loop2 ino=3 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Mon Aug 22 19:50:55 2011
type=SYSCALL msg=audit(1314057055.549:56): arch=c000003e syscall=59 success=yes exit=0 a0=10e41e0 a1=10e5b10 a2=10e64e0 a3=7fff706e64e0 items=0 ppid=1820 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/bin/systemctl" subj=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314057055.549:56): avc: denied { use } for pid=1822 comm="systemctl" path="/dev/null" dev=devtmpfs ino=5060 scontext=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=fd
----
time->Mon Aug 22 19:50:55 2011
type=SYSCALL msg=audit(1314057055.542:55): arch=c000003e syscall=4 success=yes exit=0 a0=10e63c0 a1=7fff706e6900 a2=7fff706e6900 a3=8 items=0 ppid=1820 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314057055.542:55): avc: denied { getattr } for pid=1822 comm="service" path="/lib/systemd/system/chronyd.service" dev=dm-0 ino=26130 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file

Note: network time is off by default.
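As an added illustration (not code from this bug report, nor from setroubleshoot or audit2allow), the Python below parses AVC records like the ones above, rebuilds the comma-separated key that setroubleshoot prints on its "Hash:" line, and merges the denials into audit2allow-style allow rules, while setting aside denials whose target is unlabeled_t (such as /osmin), since those indicate a missing file context or a mount that needs the context option rather than a missing rule. The sample records are copied from this report; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records quoted in this bug plus one SYSCALL record
SAMPLE_AUDIT = """\
type=AVC msg=audit(1313582721.26:155): avc: denied { getattr } for pid=5556 comm="service" path="/lib/systemd/system/chronyd.service" dev=dm-0 ino=26130 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
type=AVC msg=audit(1314056610.487:44): avc: denied { getattr } for pid=1488 comm="udisks-daemon" path="/osmin" dev=loop0 ino=2 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1314057055.549:56): avc: denied { use } for pid=1822 comm="systemctl" path="/dev/null" dev=devtmpfs ino=5060 scontext=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=fd
type=SYSCALL msg=audit(1314057055.549:56): arch=c000003e syscall=59 success=yes exit=0 comm="systemctl" exe="/bin/systemctl"
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}")  # the denied permission set
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                        # key=value or key="value"

def parse_avcs(text):
    """One dict per AVC denial (all key=value fields plus perms/stype/ttype); other records skipped."""
    out = []
    for line in text.splitlines():
        m = PERMS_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        d = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        d["perms"] = m.group("perms").split()
        d["stype"] = d["scontext"].split(":")[2]  # user:role:type[:range] -> type
        d["ttype"] = d["tcontext"].split(":")[2]
        out.append(d)
    return out

def setroubleshoot_hash(avc):
    """The comma-separated key setroubleshoot prints as 'Hash:' (comm,stype,ttype,tclass,perms)."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"]] + avc["perms"])

def relabel_candidates(avcs):
    """Targets labeled unlabeled_t need a file context or a context= mount option, not an allow rule."""
    return [a.get("path", "?") for a in avcs if a["ttype"] == "unlabeled_t"]

def allow_rules(avcs):
    """Merge the remaining denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for a in avcs:
        if a["ttype"] == "unlabeled_t":
            continue  # handled by relabel_candidates()
        perms[(a["stype"], a["ttype"], a["tclass"])].update(a["perms"])
    rules = []
    for (s, t, c) in sorted(perms):
        p = sorted(perms[(s, t, c)])
        pset = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {pset};")
    return rules
```

For the chronyd record this yields exactly the "Hash:" line and the allow rule shown in the abrt report; the /osmin denial lands in the relabel list instead of a rule.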
Were you trying to enable/disable 'Network time'?

Also, what is /osmin? You need to add a label for it or mount it with the context option.
(In reply to comment #5)
> Were you trying to enabling/disabling 'Network time'?

Yes, I enabled it by clicking on the network time switch of Date and Time Settings.

> Also what is /osmin?

I guess it's the file LiveOS/osmin.img on the live usb. These messages are from a F16 Alpha-RC5 live usb.

> You need to add label for it or mount it with the context option.
Those are dontaudits in -20. I just added support for gnomeclock using the chronyd unit file to policy. Should be in -21.
*** Bug 732840 has been marked as a duplicate of this bug. ***
Proposing as a blocker for Fedora 16 final as it violates the following release criterion [1]:

In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login

[1] http://fedoraproject.org/wiki/Fedora_16_Final_Release_Criteria
Discussed at 2011-09-30. Rejected as a blocker as it doesn't actually meet the criteria - the criterion cited in comment #9 is meant to apply strictly only until you've booted the system and logged in; any AVCs that are caused by actual use of the desktop fall outside the criteria. Accepted as NTH as it's visible on the live image and hence cannot be entirely fixed with an update.
Per comment #7, I think this was fixed months ago, right? Can we close it, Dan?
Yes