Bug 2175137

Summary: SELinux prevents the systemd-timesyncd process from watching the /run/systemd/ directory
Product: Red Hat Enterprise Linux 9
Reporter: firemdkfighter
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: VERIFIED
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: CentOS Stream
CC: bstinson, dpulkowski, jwboyer, k0ste, lvrabec, mmalik, nknazeko, travier, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-38.1.12-1.el9
Doc Type: No Doc Update
Type: Bug
Clones: 2232637
Bug Blocks: 2232637

Description firemdkfighter 2023-03-03 10:24:31 UTC
systemd-timesyncd fails to start on boot after a fresh install of CentOS 9-Stream
systemd[1]: Starting systemd-timesyncd.service...
systemd-timesyncd[1138]: Failed to connect to bus: Permission denied
systemd-timesyncd[1138]: Could not connect to bus: Permission denied
systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-timesyncd.service.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd[1]: systemd-timesyncd.service: Scheduled restart job, restart counter is at 5.
systemd[1]: Stopped systemd-timesyncd.service.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: systemd-timesyncd.service: Start request repeated too quickly.
systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-timesyncd.service.

Please backport fix from https://bugzilla.redhat.com/show_bug.cgi?id=1949315

Comment 1 Milos Malik 2023-03-03 10:50:35 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/03/2023 05:48:53.794:365) : proctitle=/usr/lib/systemd/systemd-timesyncd 
type=PATH msg=audit(03/03/2023 05:48:53.794:365) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/03/2023 05:48:53.794:365) : cwd=/ 
type=SYSCALL msg=audit(03/03/2023 05:48:53.794:365) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xa a1=0x562e0f710062 a2=0x40000100 a3=0x7ffcc0736d5c items=1 ppid=1 pid=4563 auid=unset uid=systemd-timesync gid=systemd-timesync euid=systemd-timesync suid=systemd-timesync fsuid=systemd-timesync egid=systemd-timesync sgid=systemd-timesync fsgid=systemd-timesync tty=(none) ses=unset comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null) 
type=AVC msg=audit(03/03/2023 05:48:53.794:365) : avc:  denied  { watch } for  pid=4563 comm=systemd-timesyn path=/run/systemd dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----

# rpm -qa systemd\* selinux\* | sort
selinux-policy-38.1.8-1.el9.noarch
selinux-policy-targeted-38.1.8-1.el9.noarch
systemd-252-8.el9.x86_64
systemd-libs-252-8.el9.x86_64
systemd-pam-252-8.el9.x86_64
systemd-rpm-macros-252-8.el9.noarch
systemd-timesyncd-250.3-1.el9.x86_64
systemd-udev-252-8.el9.x86_64
#

Comment 2 Milos Malik 2023-03-03 10:52:25 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/03/2023 05:50:49.621:374) : proctitle=/usr/lib/systemd/systemd-timesyncd 
type=PATH msg=audit(03/03/2023 05:50:49.621:374) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/03/2023 05:50:49.621:374) : cwd=/ 
type=SYSCALL msg=audit(03/03/2023 05:50:49.621:374) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0xa a1=0x560c1d99d062 a2=0x40000100 a3=0x7ffe2e0ee3bc items=1 ppid=1 pid=4596 auid=unset uid=systemd-timesync gid=systemd-timesync euid=systemd-timesync suid=systemd-timesync fsuid=systemd-timesync egid=systemd-timesync sgid=systemd-timesync fsgid=systemd-timesync tty=(none) ses=unset comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null) 
type=AVC msg=audit(03/03/2023 05:50:49.621:374) : avc:  denied  { watch } for  pid=4596 comm=systemd-timesyn path=/run/systemd dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 
----

# matchpathcon /run/systemd/
/run/systemd	system_u:object_r:init_var_run_t:s0
#

The systemd-timesyncd package comes from EPEL.
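The AVC records from comments 1 and 2, run through a small triage parser; this is an added example, not code from the bug report or from the selinux-policy project. It pulls the source and target types, object class and permission out of each `avc: denied` record, notes whether the access was actually blocked (permissive=0) or only logged (permissive=1, the case in comment 2 where the inotify_add_watch syscall still succeeded), and merges the records into the audit2allow-style rule a local stopgap module would carry.

```python
import re

# Constructed sample input: the audit records quoted in comments 1 and 2 of this bug.
# First AVC was caught in enforcing mode (permissive=0), second in permissive mode
# (permissive=1); the CWD record is there to show non-AVC lines being skipped.
SAMPLE_AUDIT = """\
type=CWD msg=audit(03/03/2023 05:48:53.794:365) : cwd=/
type=AVC msg=audit(03/03/2023 05:48:53.794:365) : avc:  denied  { watch } for  pid=4563 comm=systemd-timesyn path=/run/systemd dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(03/03/2023 05:50:49.621:374) : avc:  denied  { watch } for  pid=4596 comm=systemd-timesyn path=/run/systemd dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type of a user:role:type[:range] SELinux security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        # permissive=0: the access was really blocked; permissive=1: logged, then allowed
        "enforced": fields.get("permissive") == "0",
    }

def parse_audit(text):
    """Collect every AVC denial from a block of audit output."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]

def te_rules(records):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = {}
    for rec in records:
        bucket = merged.setdefault((rec["source_type"], rec["target_type"], rec["tclass"]), [])
        for perm in rec["perms"]:
            if perm not in bucket:
                bucket.append(perm)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

For this bug the merged rule is `allow systemd_timedated_t init_var_run_t:dir watch;`; a local module carrying it is only a stopgap and becomes redundant once the build named in Fixed In Version is installed.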

Comment 3 Zdenek Pytela 2023-03-03 11:16:40 UTC
The reported problem has been resolved with the policy rebase, i.e. using selinux-policy-38.1.1-1 or newer.

This problem:
type=AVC msg=audit(03/03/2023 05:50:49.621:374) : avc:  denied  { watch } for  pid=4596 comm=systemd-timesyn path=/run/systemd dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 

is a different one, resolved only in Fedora.

Comment 5 firemdkfighter 2023-03-06 03:01:42 UTC
Installed Packages
selinux-policy.noarch 38.1.8-1.el9 @anaconda
Available Packages
selinux-policy.noarch 38.1.3-1.el9 baseos   
selinux-policy.noarch 38.1.4-1.el9 baseos   
selinux-policy.noarch 38.1.5-1.el9 baseos   
selinux-policy.noarch 38.1.6-1.el9 baseos   
selinux-policy.noarch 38.1.8-1.el9 baseos

Comment 19 Timothée Ravier 2023-06-26 14:19:37 UTC
*** Bug 2217509 has been marked as a duplicate of this bug. ***

Comment 20 Timothée Ravier 2023-06-26 14:21:10 UTC
For https://issues.redhat.com/browse/OCPBUGS-14237, we need this fix backported to RHEL 9.2. Thanks!