Bug 1694272
Summary: | SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the file unix. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tim Hughes <thughes> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 29 | CC: | dwalsh, lvrabec, plautrba, thughes, zpytela |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:b0a4f7c1e48766d94ad1f9fe071e771075f37d5c325791019d7307cd088cff7a;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.14.2-60.fc29 | Doc Type: | If docs needed, set a value |
Last Closed: | 2019-06-17 23:33:13 UTC | Type: | --- |
Description
Tim Hughes
2019-03-30 00:35:16 UTC
Thank you for reporting the issue. Can you specify the reproducing steps? At which point does the AVC denial appear? Is there any other ntp daemon (ntpd, chrony) running?

Please enable full path auditing, make the domain permissive and restart the service:

    auditctl -w /etc/shadow -p w -k shadow-write
    semanage permissive -a systemd_timedated_t
    systemctl restart systemd-timesyncd

Then collect the audit logs again.

You can change the settings back:

    auditctl -W /etc/shadow -p w -k shadow-write
    semanage permissive -d systemd_timedated_t

I have enabled the full path auditing. It happens at random times.

It appears that `chrony` was running, but when I restarted systemd-timesyncd I think it stopped it.

    [root@argon ~]# ps aux |grep chrony
    chrony 1148 0.0 0.0 80612 3312 ? S May08 0:00 /usr/sbin/chronyd
    root 18324 0.0 0.0 215748 832 pts/3 S+ 10:37 0:00 grep --color=auto chron
    [root@argon ~]# systemctl restart systemd-timesyncd
    [root@argon ~]# ps aux |grep chron
    root 16920 0.0 0.0 215748 836 pts/3 S+ 10:39 0:00 grep --color=auto chron

Created a PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/264

    commit a67c849e33c8ccd31537d7b33f80d76a4945b587 (HEAD -> rawhide, origin/rawhide)
    Author: Zdenek Pytela <zpytela>
    Date: Mon May 20 15:26:45 2019 +0200

        Allow systemd-timesyncd to read network state BZ(1694272)

FEDORA-2019-04b9c67922 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922

selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922

selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
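
Added example, not part of the bug report or of the selinux-policy project: a sketch of what the "collect the audit logs again" step yields once full path auditing and permissive mode are on. It groups audit records by event ID and joins each AVC denial to the PATH record of the same event. The log lines are constructed; their contexts, PIDs and the `/proc/net/unix` path are assumptions chosen to fit the bug summary.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the bug report. The contexts,
# PIDs and the /proc/net/unix path are assumptions chosen to match the summary.
SAMPLE_LOG = '''
type=AVC msg=audit(1558341405.123:101): avc:  denied  { read } for  pid=900 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532001 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1558341999.456:207): avc:  denied  { read } for  pid=950 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532001 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1558341999.456:207): arch=c000003e syscall=257 success=yes exit=3 pid=950 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" key=(null)
type=PATH msg=audit(1558341999.456:207): item=0 name="/proc/net/unix" inode=4026532001 nametype=NORMAL
'''

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Group records by audit event ID and return one dict per AVC denial."""
    events = defaultdict(lambda: {"avc": [], "paths": [], "exe": None})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC" and PERMS_RE.search(body):
            fields["perms"] = PERMS_RE.search(body).group(1).split()
            events[event_id]["avc"].append(fields)
        elif rtype == "PATH":
            events[event_id]["paths"].append(fields.get("name", ""))
        elif rtype == "SYSCALL":
            events[event_id]["exe"] = fields.get("exe")
    denials = []
    for event_id, ev in events.items():
        for avc in ev["avc"]:
            # AVC name= is only the last path component; the PATH record of
            # the same event, when present, carries the full path.
            full = next((p for p in ev["paths"]
                         if p.rsplit("/", 1)[-1] == avc.get("name")), None)
            denials.append({
                "event": event_id, "exe": ev["exe"], "perms": avc["perms"],
                "source": avc.get("scontext"), "target": avc.get("tcontext"),
                "class": avc.get("tclass"), "full_path": full,
                "blocked": avc.get("permissive") == "0",
            })
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d)
```

The first constructed event has only the AVC record, so just the file name `unix` is known and the access was blocked; the second, logged with `permissive=1`, was allowed and resolves to a full path and executable.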