Bug 1549580

Summary: SELinux prevents systemd-timesyncd from starting
Product: [Fedora] Fedora
Reporter: Milos Malik <mmalik>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 28
CC: dwalsh, lnykryn, lvrabec, mgrepl, mmalik, mpitt, msekleta, plautrba, pmoore, ssahani, s, systemd-maint, zbyszek
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-03-22 08:03:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Milos Malik 2018-02-27 12:58:08 UTC
Description of problem:

Version-Release number of selected component (if applicable):
kernel-4.16.0-0.rc2.git0.1.fc28.x86_64
kernel-core-4.16.0-0.rc2.git0.1.fc28.x86_64
kernel-modules-4.16.0-0.rc2.git0.1.fc28.x86_64
selinux-policy-3.14.1-8.fc28.noarch
selinux-policy-targeted-3.14.1-8.fc28.noarch
systemd-237-1.git78bd769.fc28.x86_64
systemd-libs-237-1.git78bd769.fc28.x86_64
systemd-pam-237-1.git78bd769.fc28.x86_64
systemd-udev-237-1.git78bd769.fc28.x86_64

How reproducible:
* always

Steps to Reproduce:
# service systemd-timesyncd status
Redirecting to /bin/systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled;>
   Active: inactive (dead)
     Docs: man:systemd-timesyncd.service(8)
# service systemd-timesyncd start
Redirecting to /bin/systemctl start systemd-timesyncd.service
Job for systemd-timesyncd.service failed because the control process exited with error code.
See "systemctl status systemd-timesyncd.service" and "journalctl -xe" for details.
#

Actual results (enforcing mode):
----
type=AVC msg=audit(02/27/2018 07:54:21.316:343) : avc:  denied  { create } for  pid=1628 comm=(imesyncd) name=.pwd.lock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(02/27/2018 07:54:21.316:344) : avc:  denied  { write } for  pid=1628 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2018-02-27 13:01:24 UTC
The systemd-timesyncd service does not start in permissive mode either. SELinux is not the only cause.

Comment 2 Lukas Vrabec 2018-02-27 13:14:16 UTC
Do you see more denials in permissive?

Comment 3 Milos Malik 2018-02-27 14:33:27 UTC
No. Here is the only SELinux denial that appeared in permissive mode:
----
type=AVC msg=audit(02/27/2018 07:58:33.456:367) : avc:  denied  { write } for  pid=1673 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
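
The AVC records quoted in the description and in comment 3 are all in the same `ausearch -i` format. The Python below is an added example (this editor's code, not part of the bug report, of systemd or of selinux-policy): it parses such records, groups the denials by source type, target type and object class, counts how many were actually enforced (permissive=0) versus only logged (permissive=1), and renders each group as an `allow` rule of the shape audit2allow prints, which is what a policy maintainer reads when deciding whether the access is legitimate. The three sample records are copied from this page; the function names `parse_avc`, `summarise` and `candidate_rules` are this example's own.

```python
"""Parse SELinux AVC records (ausearch -i format) and summarise the denials.

Added example, not code from the bug report or from systemd/selinux-policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the three AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(02/27/2018 07:54:21.316:343) : avc:  denied  { create } for  pid=1628 comm=(imesyncd) name=.pwd.lock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/27/2018 07:54:21.316:344) : avc:  denied  { write } for  pid=1628 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/27/2018 07:58:33.456:367) : avc:  denied  { write } for  pid=1673 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
"""

# Header of a record: timestamp, verdict and the braced permission list.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted ("vda1") or parenthesised ((imesyncd)).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


@dataclass
class Avc:
    stamp: str
    verdict: str
    perms: frozenset
    fields: dict

    def type_of(self, ctx_key):
        # A context is user:role:type:range; the third element is the type.
        return self.fields[ctx_key].split(":")[2]

    @property
    def permissive(self):
        # permissive=1 means the denial was logged but the access went through.
        return self.fields.get("permissive") == "1"


def parse_avc(line):
    """Return an Avc for one record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(m.group("stamp"), m.group("verdict"),
               frozenset(m.group("perms").split()), fields)


def summarise(text):
    """Group denials by (source type, target type, class) and merge their permissions.

    Returns {(stype, ttype, tclass): {"perms": set, "count": int, "enforced": int}}
    where `enforced` counts the records with permissive=0.
    """
    out = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.verdict != "denied":
            continue
        key = (avc.type_of("scontext"), avc.type_of("tcontext"), avc.fields["tclass"])
        entry = out[key]
        entry["perms"] |= avc.perms
        entry["count"] += 1
        if not avc.permissive:
            entry["enforced"] += 1
    return dict(out)


def candidate_rules(summary):
    """Render each group as an `allow` rule in policy syntax (the shape audit2allow prints).

    Rendering the rule is a reading aid for the maintainer; it is not a decision
    that the access should be granted.
    """
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary = summarise(SAMPLE_AVCS)
    for key, group in summary.items():
        print(key, group)
    print("\n".join(candidate_rules(summary)))
```

Run against the three records from this report, the summary collapses to a single group, init_t acting on passwd_file_t:file with the permissions create and write, two of the three records enforced; the rendered rule is `allow init_t passwd_file_t:file { create write };`.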

Comment 4 Lukas Vrabec 2018-03-10 16:35:12 UTC
Hi, 

Any idea what is happening here?

Thanks,
Lukas.

Comment 5 Martin Pitt 2018-03-22 08:03:42 UTC
I just filed basically the same bug 1559281 against selinux-policy. AFAICS systemd does not ship its own SE policy, thus marking this as duplicate.

The startup failure without SELinux is bug 1559286.

*** This bug has been marked as a duplicate of bug 1559281 ***