Bug 1965720
Summary: | SELinux is preventing systemd-timesyncd from watch access on the directory /run/dbus | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 34 | CC: | berend.de.schouwer, dan, dwalsh, grepl.miroslav, jan.vesely, jappleii, lvrabec, mmalik, omosnace, redhat, vmojzis, zbyszek, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-34.12-1.fc34 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-06-30 03:15:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Anthony Messina
2021-05-28 23:15:47 UTC
Same here: $ journalctl -b -p warning [...] Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied Jun 07 00:16:26 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'. Jun 07 00:16:26 systemd[1]: Failed to start Network Time Synchronization. $ journalctl -b | grep denied | grep -m3 systemd-timesyn Jun 07 00:16:26 audit[1086]: AVC avc: denied { watch } for pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0 Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied (Note: the bootlog has many more AVC denied warnings[0], but that's material for another bug report, I guess) === After the system has booted, restarting systemd-timesyncd.service works just fine. Now, /run/dbus looks like this: $ ls -ldZ /run/dbus{,/*} drwxr-xr-x. 2 root root system_u:object_r:system_dbusd_var_run_t:s0 60 Jun 7 00:16 /run/dbus srw-rw-rw-. 1 root root system_u:object_r:system_dbusd_var_run_t:s0 0 Jun 7 00:16 /run/dbus/system_bus_socket [0] https://clbin.com/30ROH *** Bug 1967971 has been marked as a duplicate of this bug. *** Please attach the full log, and also the output from 'systemctl status dbus'.
> Jun 07 00:16:26 audit[1086]: AVC avc: denied { watch } for pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Normally systemd-timesyncd (or any dbus client) would do connect() to "/run/dbus/system_bus_socket".
If it's trying to open a watch on the directory, this means that the socket was not present
and it's trying to establish a watch to monitor when the socket is opened by the dbus broker.
*** Bug 1960468 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/780 FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94 FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 1970359 has been marked as a duplicate of this bug. *** *** Bug 1970359 has been marked as a duplicate of this bug. *** |