Bug 1750036
| Summary: | Problem with time syncronization | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alessio <alciregi> | ||||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 31 | CC: | alciregi, awilliam, dwalsh, gmarr, lvrabec, mgrepl, plautrba, robatino, zbyszek, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | AcceptedBlocker | ||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2019-09-28 02:19:15 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1644939 | ||||||||
| Attachments: |
|
||||||||
Hi Alessio, Could you please reproduce it and attach output of: # ausearch -m AVC, USER_AVC -ts boot Thanks, Lukas. Created attachment 1613108 [details]
ausearch
See attacched output.
Thanks.
Proposed as a Blocker for 31-final by Fedora user alciregi using the blocker tracking app because: System services All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present. so, to be clear, the timedatex service is showing as starting successfully and running, but it isn't really fully *working*? (In reply to Adam Williamson from comment #4) > so, to be clear, the timedatex service is showing as starting successfully [alessio@f31 ~]$ getenforce Enforcing [alessio@f31 ~]$ systemctl status timedatex --no-pager -l ● timedatex.service - System clock and RTC settings service Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2019-09-12 22:47:38 CEST; 22s ago Main PID: 1196 (timedatex) Tasks: 3 Memory: 1.0M CPU: 19ms CGroup: /system.slice/timedatex.service └─1196 /usr/sbin/timedatex Sep 12 22:47:38 f31 systemd[1]: Starting System clock and RTC settings service... Sep 12 22:47:38 f31 timedatex[1196]: systemd method LoadUnit failed: SELinux policy denies access. Sep 12 22:47:38 f31 systemd[1]: Started System clock and RTC settings service. Sep 12 22:47:38 f31 timedatex[1196]: systemd method LoadUnit failed: SELinux policy denies access. [alessio@f31 ~]$ systemctl status dbus-org.freedesktop.timedate1.service --no-pager -l ● timedatex.service - System clock and RTC settings service Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled) Active: inactive (dead) Sep 12 22:47:38 f31 systemd[1]: Starting System clock and RTC settings service... Sep 12 22:47:38 f31 timedatex[1196]: systemd method LoadUnit failed: SELinux policy denies access. Sep 12 22:47:38 f31 systemd[1]: Started System clock and RTC settings service. Sep 12 22:47:38 f31 timedatex[1196]: systemd method LoadUnit failed: SELinux policy denies access. Sep 12 22:48:08 f31 systemd[1]: timedatex.service: Succeeded. [alessio@f31 ~]$ systemctl status chronyd -l --no-pager ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2019-09-12 22:40:28 CEST; 8min ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 753 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Process: 770 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS) Main PID: 761 (chronyd) Tasks: 1 Memory: 1.9M CPU: 20ms CGroup: /system.slice/chronyd.service └─761 /usr/sbin/chronyd Sep 12 22:40:28 f31 systemd[1]: Starting NTP client/server... Sep 12 22:40:28 f31 chronyd[761]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG) Sep 12 22:40:28 f31 chronyd[761]: Frequency 23.492 +/- 0.664 ppm read from /var/lib/chrony/drift Sep 12 22:40:28 f31 chronyd[761]: Using right/UTC timezone to obtain leap second data Sep 12 22:40:28 f31 systemd[1]: Started NTP client/server. Sep 12 22:40:40 f31 chronyd[761]: Selected source 192.168.1.2 Sep 12 22:40:40 f31 chronyd[761]: System clock TAI offset set to 37 seconds [alessio@f31 ~]$ systemctl status systemd-timesyncd -l --no-pager ● systemd-timesyncd.service - Network Time Synchronization Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: man:systemd-timesyncd.service(8) [alessio@f31 ~]$ systemctl --failed 0 loaded units listed. [alessio@f31 ~]$ timedatectl ... System clock synchronized: yes NTP service: n/a ... Booting with enforcing=0
[alessio@f31 ~]$ getenforce
Permissive
[alessio@f31 ~]$ systemctl status timedatex --no-pager -l
● timedatex.service - System clock and RTC settings service
Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-09-12 22:54:52 CEST; 25s ago
Main PID: 1151 (timedatex)
Tasks: 3
Memory: 1.1M
CPU: 8ms
CGroup: /system.slice/timedatex.service
└─1151 /usr/sbin/timedatex
Sep 12 22:54:51 f31 systemd[1]: Starting System clock and RTC settings service...
Sep 12 22:54:52 f31 systemd[1]: Started System clock and RTC settings service.
[alessio@f31 ~]$ systemctl status dbus-org.freedesktop.timedate1.service --no-pager -l
● timedatex.service - System clock and RTC settings service
Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Sep 12 22:54:51 f31 systemd[1]: Starting System clock and RTC settings service...
Sep 12 22:54:52 f31 systemd[1]: Started System clock and RTC settings service.
Sep 12 22:55:22 f31 systemd[1]: timedatex.service: Succeeded.
[alessio@f31 ~]$ systemctl status chronyd -l --no-pager
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-09-12 22:53:15 CEST; 2min 53s ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 753 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
Process: 771 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
Main PID: 761 (chronyd)
Tasks: 1
Memory: 1.9M
CPU: 20ms
CGroup: /system.slice/chronyd.service
└─761 /usr/sbin/chronyd
Sep 12 22:53:14 f31 systemd[1]: Starting NTP client/server...
Sep 12 22:53:14 f31 chronyd[761]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Sep 12 22:53:15 f31 chronyd[761]: Frequency 23.380 +/- 0.207 ppm read from /var/lib/chrony/drift
Sep 12 22:53:15 f31 chronyd[761]: Using right/UTC timezone to obtain leap second data
Sep 12 22:53:15 f31 systemd[1]: Started NTP client/server.
Sep 12 22:53:27 f31 chronyd[761]: Selected source 192.168.1.2
Sep 12 22:53:27 f31 chronyd[761]: System clock TAI offset set to 37 seconds
[alessio@f31 ~]$ systemctl status systemd-timesyncd -l --no-pager
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:systemd-timesyncd.service(8)
[alessio@f31 ~]$ systemctl --failed
0 loaded units listed.
[alessio@f31 ~]$ timedatectl
...
System clock synchronized: yes
NTP service: active
...
And in this case Automatic Date & Time in gnome-control-center is visible.
Right, so no service shows as 'failed', but timedatex isn't really *working*. Thanks for the clarification. Discussed during the 2019-09-16 blocker review meeting: [0] The decision to classify this bug as an "AcceptedBlocker" was made as it violates the following criteria: default panel functionality (as this affects time configuration), system services (as the service does not really start 'properly'), and domain-related criteria (as lack of time synchronization will often break domain authentication) [0] https://meetbot.fedoraproject.org/fedora-blocker-review/2019-09-16/f31-blocker-review.2019-09-16-16.02.txt So... timedatex is fully obsolete in F31, see #1735584, and the same functionality is provided by systemd again. I should have added Obsoletes/Provides: timedatex in systemd, but I forgot to do that. If people think it can be done so late, I'd be happy to do the switch in the next systemd build. I think it'd be good to check that everything works as expected in GNOME if timedatex is entirely missing, first. even if systemd provides everything timedatex did, if GNOME is specifically expecting timedatex to be present we may still have problems. commit 37ef1961203fdfe99780ab25c0ca288a0d3d3a84 (HEAD -> rawhide, origin/rawhide)
Author: Patrik Koncity <koncpa>
Date: Wed Sep 18 09:44:19 2019 +0200
Add new macro systemd_timedated_status to systemd.if to get timedated service status
commit 70a866deb3f10881a6b7bc57f20344f01b78c707 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <koncpa>
Date: Tue Sep 17 10:31:47 2019 +0200
Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
Allow timedatex_t domain to get the status information from systemd
Allow timedatex_t domain to get status information from chronyd service
Allow timedatex_t domain to get status information from timedated service
Add new macro chronyd_service_status to chronyd.if to get chronyd service status
Well, systemd does now obsolete timedatex in F31, at least with this update: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3d6348341f . So we should re-check after that update goes stable and see how things are working then. So that update is stable and timedatex is dropped from comps and retired. Alessio, can you test with an install from a recent F31 compose - e.g. https://kojipkgs.fedoraproject.org/compose/branched/Fedora-31-20190926.n.0/ - and see if this is all working so far as you're concerned? The timedatex service will be gone, but the key question is whether the functional stuff in GNOME works as expected. (In reply to Adam Williamson from comment #13) > So that update is stable and timedatex is dropped from comps and retired. > Alessio, can you test with an install from a recent F31 compose - e.g. > https://kojipkgs.fedoraproject.org/compose/branched/Fedora-31-20190926.n.0/ > - and see if this is all working so far as you're concerned? The timedatex > service will be gone, but the key question is whether the functional stuff > in GNOME works as expected. Ok. I installed Fedora-31-20190926.n.0 (using live image) on my laptop just today. timedatex is not in place timedatectl status reports that: System clock synchronized: yes NTP service: active systemctl status chronyd reports that chronyd is Active: active (running) The slider allowing to enable or disable "Automatic Date & Time" in GNOME setting is in place and it works. So I think that we are fine. Thanks. OK, let's just close this then. |
Created attachment 1612692 [details] journalctl Fedora-Workstation-Live-x86_64-31-20190907.n.0.iso NTP configured during installation. Description of problem: timedatectl command reports: NTP service: n/a In GNOME settings Date & Time, there is no Automatic Date & Time spoke. journalctl reports some avc denied related to dbus-broker and timedatex service Version-Release number of selected component (if applicable): Expected results: timedatectl should report NTP service: active The spoke in GNOME settings should be there. Additional info: Setting selinux to disabled, and restarting timedatex, timedatectl reports NTP service as active, and GNOME settings works as expected.