Bug 1734197
| Summary: | SELinux denial "denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus" prevents timedatex.service from starting in current Rawhide | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | ||
| Version: | 31 | CC: | dwalsh, lvrabec, nknazeko, plarsen, robatino, wwaustin |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | openqa | ||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-16 21:11:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1644937 | ||
https://bugzilla.redhat.com/show_bug.cgi?id=1734198 is the g-i-s bug, for the record. Confirmed that setting SELinux to permissive and rebooting (which you can only do if you hack in a root password for the installed system after installing it...) results in g-i-s running OK. Full list of denials from that boot:
[root@localhost-live ~]# ausearch -m avc -ts recent
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:209): avc: denied { read } for pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:210): avc: denied { open } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:211): avc: denied { getattr } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:212): avc: denied { read } for pid=1321 comm="timedatex" name="rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:213): avc: denied { open } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:214): avc: denied { ioctl } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
PR merged.

Should be MODIFIED since 3.14.4-27 I believe.

Unfortunately this still seems to be broken in current Rawhide. Will recreate manually later, but from openQA audit.log I can see a bunch of AVCs:
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259535.281:182): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.329:196): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.331:197): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:201): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.348:202): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.357:203): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.593:206): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.615:208): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259567.506:210): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
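The two listings above show the two kinds of record this bug produces: kernel AVC records (file and chr_file classes, from the permissive boot) and USER_AVC records that dbus-broker writes when it enforces the `dbus` class itself (send_msg, acquire_svc). A practitioner triaging this should know that `ausearch -m avc` returns only the kernel kind; the dbus denials that actually stop timedatex need `ausearch -m avc,user_avc`. As an added example, not part of this bug, of Fedora's selinux-policy, or of audit2allow, the parser below handles both record kinds, separates what was merely logged (permissive=1) from what was refused (permissive=0), and derives the allow rules a local module would need. The sample lines are constructed from the records quoted on this page; the rules it prints are what audit2allow would derive from those records, not the rules in the upstream fix.

```python
"""Summarise SELinux denials from audit records and derive the allow rules a
local policy module would need.

Added example for this bug report; it is neither Fedora selinux-policy code
nor audit2allow. It handles the two record kinds quoted in this bug:

  * type=AVC       kernel decisions (file, chr_file, ... classes)
  * type=USER_AVC  decisions by a userspace object manager; here dbus-broker
                   enforcing the `dbus` class (send_msg, acquire_svc)

`ausearch -m avc` returns only the first kind; dbus denials are USER_AVC
records, so search with `ausearch -m avc,user_avc` or feed the whole
audit.log to this parser.
"""
import re
from collections import defaultdict

# One regex serves both record kinds: the kernel writes the "avc: denied"
# fragment directly, dbus-broker wraps the same fragment in msg='...'.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample built from the records quoted on this page (real records
# have two spaces after "avc:" and "denied"; both spellings parse).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1564443622.335:209): avc:  denied  { read } for  pid=1321 '
    'comm="timedatex" name="adjtime" dev="dm-0" ino=786923 '
    'scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1564443622.335:210): avc:  denied  { open } for  pid=1321 '
    'comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 '
    'scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 '
    'tclass=file permissive=1',
    # Unrelated record on the same event: must be ignored.
    'type=SYSCALL msg=audit(1564443622.335:210): arch=c000003e syscall=257 success=yes '
    'exit=3 comm="timedatex" subj=system_u:system_r:timedatex_t:s0 key=(null)',
    "type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for scontext=system_u:system_r:timedatex_t:s0 "
    "tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-broker\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { acquire_svc } for scontext=system_u:system_r:timedatex_t:s0 "
    "tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-broker\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-broker\" sauid=81 hostname=? addr=? terminal=?'",
]


def _type_of(context):
    """Type field of an SELinux context, i.e. user:role:TYPE[:range]."""
    return context.split(":")[2]


def parse_denials(lines):
    """Yield one (kind, source_type, target_type, tclass, perm, permissive)
    tuple per denied permission.

    The sender's pid is deliberately not reported: in a USER_AVC record the
    pid= field is the object manager (dbus-broker), not the denied process.
    """
    for line in lines:
        m = _AVC_RE.search(line)
        if not m:
            continue
        kind = "USER_AVC" if "type=USER_AVC" in line else "AVC"
        for perm in m.group("perms").split():
            yield (kind,
                   _type_of(m.group("scontext")),
                   _type_of(m.group("tcontext")),
                   m.group("tclass"),
                   perm,
                   m.group("permissive") == "1")


def enforcing_blocked(lines):
    """Accesses that were actually refused (permissive=0). In permissive mode
    every denial is logged but nothing fails, so only these explain a service
    exiting the way timedatex does in this bug."""
    return {(src, tgt, cls, perm)
            for _kind, src, tgt, cls, perm, permissive in parse_denials(lines)
            if not permissive}


def allow_rules(lines):
    """Collapse denials into TE allow rules, one per (source, target, class),
    in the form audit2allow prints."""
    perms = defaultdict(set)
    for _kind, src, tgt, cls, perm, _permissive in parse_denials(lines):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

The real-tool equivalent on an affected machine is `ausearch -m avc,user_avc -ts boot | audit2allow -M timedatex_local` followed by `semodule -i timedatex_local.pp` (the module name is illustrative). That is a stopgap that allows exactly the denied operations (here `send_msg` from timedatex_t to init_t, policykit_t and the bus itself) until the selinux-policy update carries the fix; before adding such a module, check whether the loaded policy already grants the access with `sesearch --allow -s timedatex_t -t init_t -c dbus -p send_msg`, since the denials may come from a stale policy on the image rather than a missing rule.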
Ping? This is still happening and still breaking all Workstation tests. It is kind of a big problem. Thanks.

commit c55a896148db8d2b16ef06149399a6c6b110d8b5 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date: Tue Aug 13 18:36:14 2019 +0200
Update timedatex policy BZ(1734197)
Added more allow rules for dbus communication with more services
(policykit_t, init_t).
Creating also new build. Sorry for noise (again and again :) )
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.

This looks good in the recent Rawhide compose, see e.g. https://openqa.fedoraproject.org/tests/432379 - g-i-s runs. The matching f31 build is tagged stable, so even though we haven't had a Branched compose yet I think we can close this. Thanks.

Fedora 32 - still an issue. Perhaps caused by something else (hard to tell):
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s>
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.14.5-43.fc32.noarch
selinux-policy-3.14.5-43.fc32.noarch
selinux-policy-minimum-3.14.5-43.fc32.noarch
In current Fedora Rawhide (Fedora-Rawhide-20190729.n.0), it seems an SELinux denial prevents timedatex.service from starting on a freshly-installed Workstation system:

Jul 29 16:01:55 localhost-live audit[837]: USER_AVC pid=837 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Jul 29 16:01:55 localhost-live timedatex[1370]: Failed to create org.freedesktop.systemd1 proxy: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Failed with result 'exit-code'.

This happens to be a major issue because gnome-initial-setup then crashes because timedatex isn't running. I'm filing that as a separate bug, but will propose both as release blockers per "A system installed with a release-blocking desktop must boot to a log in screen where it is possible to log in to a working desktop using a user account created during installation or a 'first boot' utility" - these bugs mean that Workstation live installs just boot to a broken state where g-i-s has crashed and you can't interact with the system at all.