Bug 1965720
| Summary: | SELinux is preventing systemd-timesyncd from watch access on the directory /run/dbus | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 34 | CC: | berend.de.schouwer, dan, dwalsh, grepl.miroslav, jan.vesely, jappleii, lvrabec, mmalik, omosnace, redhat, vmojzis, zbyszek, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.12-1.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-30 03:15:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Same here:
$ journalctl -b -p warning
[...]
Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied
Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied
Jun 07 00:16:26 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Jun 07 00:16:26 systemd[1]: Failed to start Network Time Synchronization.
$ journalctl -b | grep denied | grep -m3 systemd-timesyn
Jun 07 00:16:26 audit[1086]: AVC avc: denied { watch } for pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied
Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied
(Note: the bootlog has many more AVC denied warnings[0], but that's material for another bug report, I guess)
=== After the system has booted, restarting systemd-timesyncd.service works just fine. Now, /run/dbus looks like this:
$ ls -ldZ /run/dbus{,/*}
drwxr-xr-x. 2 root root system_u:object_r:system_dbusd_var_run_t:s0 60 Jun 7 00:16 /run/dbus
srw-rw-rw-. 1 root root system_u:object_r:system_dbusd_var_run_t:s0 0 Jun 7 00:16 /run/dbus/system_bus_socket
[0] https://clbin.com/30ROH
*** Bug 1967971 has been marked as a duplicate of this bug. *** Please attach the full log, and also the output from 'systemctl status dbus'.
> Jun 07 00:16:26 audit[1086]: AVC avc: denied { watch } for pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Normally systemd-timesyncd (or any dbus client) would do connect() to "/run/dbus/system_bus_socket".
If it's trying to open a watch on the directory, this means that the socket was not present
and it's trying to establish a watch to monitor when the socket is opened by the dbus broker.
*** Bug 1960468 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/780 FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94 FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 1970359 has been marked as a duplicate of this bug. *** *** Bug 1970359 has been marked as a duplicate of this bug. *** |
AVC avc: denied { watch } for pid=691 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=42 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0