Bug 1734197
| Field | Value |
|---|---|
| Summary | SELinux denial "denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus" prevents timedatex.service from starting in current Rawhide |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 31 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | high |
| Type | Bug |
| Reporter | Adam Williamson <awilliam> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh, lvrabec, nknazeko, plarsen, robatino, wwaustin |
| Whiteboard | openqa |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-08-16 21:11:48 UTC |
| Bug Blocks | 1644937 |
Description
Adam Williamson
2019-07-29 23:32:07 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1734198 is the g-i-s bug, for the record.

Confirmed that setting SELinux to permissive and rebooting (which you can only do if you hack in a root password for the installed system after installing it...) results in g-i-s running OK. Full list of denials from that boot:

```
[root@localhost-live ~]# ausearch -m avc -ts recent
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:209): avc: denied { read } for pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:210): avc: denied { open } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:211): avc: denied { getattr } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:212): avc: denied { read } for pid=1321 comm="timedatex" name="rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:213): avc: denied { open } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:214): avc: denied { ioctl } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
```

---

PR merged. Should be MODIFIED since 3.14.4-27, I believe.

---

Unfortunately this still seems to be broken in current Rawhide. Will recreate manually later, but from the openQA audit.log I can see a bunch of AVCs:

```
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259535.281:182): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.329:196): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.331:197): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:201): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.348:202): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.357:203): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.593:206): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.615:208): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259567.506:210): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
```

---

Ping? This is still happening and still breaking all Workstation tests. It is kind of a big problem. Thanks.

---

```
commit c55a896148db8d2b16ef06149399a6c6b110d8b5 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 13 18:36:14 2019 +0200

    Update timedatex policy
    BZ(1734197)
    Added more allow rules for dbus communication with more services (policykit_t, init_t).
```

Creating also a new build. Sorry for the noise (again and again :) )

---

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.

---

This looks good in the recent Rawhide compose, see e.g. https://openqa.fedoraproject.org/tests/432379 - g-i-s runs. The matching f31 build is tagged stable, so even though we haven't had a Branched compose yet I think we can close this. Thanks.

---

Fedora 32 - still an issue. Perhaps caused by something else (hard to tell):

```
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.14.5-43.fc32.noarch
selinux-policy-3.14.5-43.fc32.noarch
selinux-policy-minimum-3.14.5-43.fc32.noarch
```
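The records quoted in this bug come from two different object managers: the kernel AVCs (`type=AVC`, taken with SELinux permissive, so `permissive=1` and the access was actually granted) and the userspace denials dbus-broker reports on behalf of the bus (`type=USER_AVC`, `permissive=0`, so those are the ones that really stopped timedatex from talking to systemd and polkit). The script below is an added example, not code from this bug or from the selinux-policy project. It parses both record shapes, collapses them into `allow` rules the way `audit2allow` would, and adds the D-Bus-specific check a policy author wants before trusting such a log: a D-Bus method call needs `send_msg` in both directions (request and reply), so a peer that shows up only one way usually means the log is incomplete because the request was blocked first, not that the reverse rule is unnecessary. The sample log embedded in the script is constructed from the records on this page; the function and type names are the example's own.

```python
"""Turn SELinux AVC / USER_AVC denials into candidate policy rules.

Stand-alone example written for this bug page; it is not part of the
selinux-policy project or of audit2allow. It reproduces what audit2allow does
for the records quoted in the bug and adds a D-Bus peer check.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Constructed sample records in the shape of the ones quoted in this bug:
# kernel AVCs from `ausearch -m avc` (permissive=1, captured in permissive mode)
# and USER_AVCs emitted by dbus-broker in enforcing mode (permissive=0).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1564443622.335:209): avc: denied { read } for pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.335:210): avc: denied { open } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.352:214): avc: denied { ioctl } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
"""


class Denial(NamedTuple):
    record: str           # "AVC" (kernel) or "USER_AVC" (userspace object manager, here dbus-broker)
    serial: int           # audit event serial, for cross-referencing with ausearch
    source: str           # SELinux type of the subject, e.g. timedatex_t
    target: str           # SELinux type of the object or peer, e.g. init_t
    tclass: str           # object class: dbus, file, chr_file, ...
    perms: FrozenSet[str]
    permissive: bool      # True: logged but granted; False: the access was refused


_RECORD_RE = re.compile(r"^type=(?P<record>AVC|USER_AVC)\s+msg=audit\([\d.]+:(?P<serial>\d+)\)")
# Tolerates both single and double spacing; the kernel writes "avc:  denied  {".
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type. The MLS range may itself contain ':'
    (s0-s0:c0.c1023), so index from the left instead of rsplitting."""
    return ctx.split(":")[2]


def parse_denials(text: str) -> List[Denial]:
    out: List[Denial] = []
    for line in text.splitlines():
        head = _RECORD_RE.match(line)
        body = _AVC_RE.search(line)
        if not head or not body:
            continue  # SYSCALL/CWD/PATH records, grep prefixes without a match, etc.
        out.append(Denial(
            record=head.group("record"),
            serial=int(head.group("serial")),
            source=context_type(body.group("scon")),
            target=context_type(body.group("tcon")),
            tclass=body.group("tclass"),
            perms=frozenset(body.group("perms").split()),
            permissive=body.group("permissive") == "1",
        ))
    return out


def enforced_denials(denials: List[Denial]) -> List[Denial]:
    """Only permissive=0 records actually blocked the subject; in this bug those
    are the dbus-broker USER_AVCs that kept timedatex.service from starting."""
    return [d for d in denials if not d.permissive]


def allow_rules(denials: List[Denial]) -> List[str]:
    """One `allow` per (source, target, class) with permissions merged, as audit2allow prints."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for d in denials:
        merged[(d.source, d.target, d.tclass)] |= d.perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1 else f"allow {s} {t}:{c} {{ {p} }};")
    return rules


def one_way_dbus_peers(denials: List[Denial]) -> List[Tuple[str, str]]:
    """(source, target) pairs with dbus send_msg denied in one direction only.
    The bus daemon itself (acquire_svc against system_dbusd_t) is not a peer."""
    pairs = {(d.source, d.target) for d in denials if d.tclass == "dbus" and "send_msg" in d.perms}
    return sorted((s, t) for (s, t) in pairs if (t, s) not in pairs)


def dbus_chat_rules(denials: List[Denial]) -> List[str]:
    """send_msg in both directions for every dbus peer, i.e. what a refpolicy
    `<domain>_dbus_chat()` interface expands to; de-duplicated and sorted."""
    rules = set()
    for d in denials:
        if d.tclass == "dbus" and "send_msg" in d.perms:
            rules.add(f"allow {d.source} {d.target}:dbus send_msg;")
            rules.add(f"allow {d.target} {d.source}:dbus send_msg;")
    return sorted(rules)


if __name__ == "__main__":
    ds = parse_denials(SAMPLE_AUDIT_LOG)
    print("# blocked in enforcing mode:")
    for d in enforced_denials(ds):
        print(f"#   {d.record} serial={d.serial} {d.source} -> {d.target}:{d.tclass} {sorted(d.perms)}")
    print("# audit2allow-style rules:")
    print("\n".join(allow_rules(ds)))
    print("# dbus peers seen only one way (log probably incomplete):", one_way_dbus_peers(ds))
    print("# bidirectional dbus rules:")
    print("\n".join(dbus_chat_rules(ds)))
```

On the sample, `timedatex_t <-> init_t` is seen both ways but `timedatex_t -> policykit_t` only once, which is exactly the gap the commit in this bug closes by granting the chat with `policykit_t` rather than a single direction. Before writing such rules into a local module, check whether the installed policy already carries them, for example with setools' `sesearch -A -s timedatex_t -t init_t -c dbus -p send_msg`; if it does, the denial comes from a stale or differently labelled policy rather than a missing rule, which is the situation the Fedora 32 comment above is asking about.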