Bug 1766148

Summary: Confined users get the timezone
Product: [Fedora] Fedora
Component: selinux-policy
Version: 30
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Lukas Vrabec <lvrabec>
Assignee: Nikola Knazekova <nknazeko>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Fixed In Version: selinux-policy-3.14.3-53.fc30
Last Closed: 2019-12-11 01:32:16 UTC
Type: Bug
Bug Blocks: 1767779

Description Lukas Vrabec 2019-10-28 12:41:56 UTC
Description of problem:
Confined users (in my case staff_u) cannot get the timezone on the system using the command "timedatectl".

Version-Release number of selected component (if applicable):
$ rpm -q selinux-policy
selinux-policy-3.14.3-51.fc30.noarch


How reproducible:
Always


Steps to Reproduce:
1.
$ id -Z 
staff_u:staff_r:staff_t:s0:c0.c1023

2.
$ timedatectl


Actual results:

$ timedatectl
Failed to query server: Access denied

Expected results:

$ timedatectl 
               Local time: Mon 2019-10-28 13:36:25 CET
           Universal time: Mon 2019-10-28 12:36:25 UTC
                 RTC time: Mon 2019-10-28 12:36:26
                Time zone: Europe/Prague (CET, +0100)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no



Additional info:

time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.536:2283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.538:2284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.538:2285): pid=1219 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.541:2287): pid=1219 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
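
The denials above, reduced to the distinct access vectors they represent. This is an added example, not part of the original report or the selinux-policy project: the parser, its function names and the shortened sample records are assumptions made for illustration, and the `allow` lines it prints are candidates for policy review in the style of audit2allow, not the fix that was merged.

```python
import re
from collections import defaultdict

# Sample input: the four USER_AVC records from the report, shortened to the
# fields this parser reads (constructed for the example, not a full audit log).
SAMPLE = """\
type=USER_AVC msg=audit(1572266279.536:2283): pid=1 uid=0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0'
type=USER_AVC msg=audit(1572266279.538:2284): pid=1 uid=0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0'
type=USER_AVC msg=audit(1572266279.538:2285): pid=1219 uid=81 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81'
type=USER_AVC msg=audit(1572266279.541:2287): pid=1219 uid=81 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r'tclass=(?P<tclass>\S+).*?exe="(?P<manager>[^"]+)"'
)

def context_type(context):
    """Return the type field of user:role:type:level (the level may hold ':')."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield one dict per denial; lines that are not AVC denials are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"perms": m["perms"].split(), "source": context_type(m["scontext"]),
                   "target": context_type(m["tcontext"]), "tclass": m["tclass"],
                   "manager": m["manager"]}

def summarize(text):
    """Map each distinct allow rule to (hit count, userspace managers that denied it)."""
    hits, managers = defaultdict(int), defaultdict(set)
    for d in parse_denials(text):
        target = "self" if d["source"] == d["target"] else d["target"]
        perms = " ".join(d["perms"])
        if len(d["perms"]) > 1:
            perms = "{ " + perms + " }"
        rule = f"allow {d['source']} {target}:{d['tclass']} {perms};"
        hits[rule] += 1
        managers[rule].add(d["manager"])
    return {rule: (hits[rule], sorted(managers[rule])) for rule in hits}

if __name__ == "__main__":
    for rule, (count, who) in summarize(SAMPLE).items():
        print(f"{count}x {rule}  # enforced by {', '.join(who)}")
```

The summary separates the staff_t to timedatex_t `send_msg` denial, enforced by dbus-broker and the subject of the dbus_chat change in Comment 1, from the two `status` denials that systemd raised against timedatex_t itself.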

Comment 1 Nikola Knazekova 2019-11-01 17:23:02 UTC
PR for Fedora:
Added macro for timedatex to chat over dbus
https://github.com/fedora-selinux/selinux-policy-contrib/pull/160

Allow x_userdomain to dbus_chat with timedatex
https://github.com/fedora-selinux/selinux-policy/pull/291

Update timedatex SELinux policy to synchronize time with GNOME
https://github.com/fedora-selinux/selinux-policy-contrib/pull/138

Comment 2 Lukas Vrabec 2019-11-04 14:51:28 UTC
PRs merged.

commit 02d05118d9915dc9b3f7564b9de92de72f44a9d3 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Nov 1 17:07:29 2019 +0100

    Added macro for timedatex to chat over dbus.
    
    Send and receive messages from timedatex over dbus.
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1766148

commit 56ac3f0ca28d656d7fc1e22f4f71782de978a75d (HEAD -> rawhide, origin/rawhide)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Nov 1 17:03:01 2019 +0100

    Allow x_userdomain to dbus_chat with timedatex.
    
    Allow users in x_userdomain to send and receive messages from timedatex over dbus.
    
    Attribute x_userdomain: staff_t, sysadm_t, user_t

Comment 3 Fedora Update System 2019-12-04 07:50:36 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 4 Fedora Update System 2019-12-05 02:00:57 UTC
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 5 Fedora Update System 2019-12-06 19:20:53 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 6 Fedora Update System 2019-12-07 02:18:00 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 7 Fedora Update System 2019-12-11 01:32:16 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.