Bug 2217509

Summary: systemd-timesyncd fails to start with a SELinux denial
Product: Red Hat Enterprise Linux 9 Reporter: Timothée Ravier <travier>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.2CC: dollierp, dustymabe, dwalsh, extras-qa, jorti, lioh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2151806 Environment:
Last Closed: 2023-06-26 14:19:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2151806    
Bug Blocks:    

Description Timothée Ravier 2023-06-26 13:30:29 UTC 
+++ This bug was initially created as a clone of Bug #2151806 +++

Description of problem:
After upgrading to Fedora CoreOS 37, systemd-timesyncd fails to start with a SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-37.12-2.fc37.noarch
systemd-udev-251.7-611.fc37.aarch64
Fedora CoreOS 37.20221106.3.0

How reproducible:
Always

Steps to Reproduce:
1. systemctl start systemd-timesyncd

Actual results:

Dec 08 06:43:24 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Dec 08 06:43:24 audit[7055]: AVC avc:  denied  { watch } for  pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Dec 08 06:43:24 systemd-timesyncd[7055]: Failed to allocate manager: Permission denied
Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.

Expected results:
Service started

Additional info:

--- Additional comment from Zdenek Pytela on 2022-12-08 11:16:25 UTC ---

Juan,

I am unable to reproduce the problem. Do you know what are the triggering conditions?

$ rpm -q systemd selinux-policy
systemd-251.8-586.fc37.x86_64
selinux-policy-37.15-1.fc37.noarch

--- Additional comment from Juan Orti on 2022-12-08 14:15:11 UTC ---

Hi Zdenek,

The bug description is from a Raspberry Pi 4 running FCOS 37.20221106.3.0 in the stable stream.

I've tested it again in a x86_64 VM using the next stream and the issue is reproducible just by starting systemd-timesyncd.

Packages:
selinux-policy-37.14-1.fc37.noarch
systemd-251.8-586.fc37.x86_64

~~~
# rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: active; periodically polling for updates (last checked Thu 2022-12-08 13:59:43 UTC)
Deployments:
● fedora:fedora/x86_64/coreos/next
                  Version: 37.20221127.1.0 (2022-11-28T10:24:58Z)
               BaseCommit: e051d49946dd7685ed1fa52c924506fc997958fd002ab39f9b131d0c45b72bb0
             GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
          LayeredPackages: borgbackup borgmatic podman-compose qemu-guest-agent vim
~~~


~~~
# journalctl -b --no-hostname
Dec 08 13:57:56 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Dec 08 13:57:56 audit[830]: AVC avc:  denied  { watch } for  pid=830 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Dec 08 13:57:56 audit[830]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=7f2dfa0b83de a2=40000100 a3=7ffe22e9338c items=0 ppid=1 pid=830 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null)
Dec 08 13:57:56 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd"
Dec 08 13:57:56 systemd-timesyncd[830]: Failed to allocate manager: Permission denied
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Dec 08 13:57:56 systemd[1]: Failed to start systemd-timesyncd.service - Network Time Synchronization.
Dec 08 13:57:56 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Scheduled restart job, restart counter is at 1.
Dec 08 13:57:56 systemd[1]: Stopped systemd-timesyncd.service - Network Time Synchronization.
~~~

~~~
# ls -laZ /run/systemd
total 0
drwxr-xr-x. 24 root            root            system_u:object_r:init_var_run_t:s0                    600 Dec  8 14:07 .
drwxr-xr-x. 42 root            root            system_u:object_r:var_run_t:s0                        1140 Dec  8 14:07 ..
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_passwd_var_run_t:s0           40 Dec  8 13:57 ask-password
drwx------.  2 root            root            unconfined_u:object_r:systemd_passwd_var_run_t:s0       60 Dec  8 13:59 ask-password-block
srw-------.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 coredump
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 14:04 dynamic-uid
drwxr-xr-x.  8 root            root            system_u:object_r:systemd_unit_file_t:s0               220 Dec  8 13:57 generator
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     60 Dec  8 13:57 home
drwxr-xr-x.  3 root            root            system_u:object_r:init_var_run_t:s0                    160 Dec  8 13:57 inaccessible
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 13:57 incoming
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_inhibit_var_run_t:s0   80 Dec  8 13:57 inhibit
srw-rw-rw-.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 io.system.ManagedOOM
drwxr-xr-x.  3 root            root            system_u:object_r:syslogd_var_run_t:s0                 180 Dec  8 13:57 journal
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_machined_var_run_t:s0         40 Dec  8 13:57 machines
drwxr-xr-x.  2 root            root            system_u:object_r:net_conf_t:s0                         40 Dec  8 13:57 network
srwxrwxrwx.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 notify
srwx------.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 private
drw-------. 13 root            root            system_u:object_r:init_var_run_t:s0                    260 Dec  8 14:07 propagate
drwxr-xr-x.  3 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0        120 Dec  8 14:07 resolve
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           60 Dec  8 13:57 seats
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_sessions_t:s0          80 Dec  8 13:59 sessions
-rw-r--r--.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 show-status
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           40 Dec  8 13:57 shutdown
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0                40 Dec  8 13:57 system
-r--r--r--.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 systemd-units-load
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0               100 Dec  8 13:59 transient
drwx------.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 13:57 unit-root
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0              1320 Dec  8 14:07 units
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_userdbd_runtime_t:s0         140 Dec  8 13:57 userdb
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           80 Dec  8 13:59 users
~~~

--- Additional comment from Zdenek Pytela on 2022-12-08 19:07:57 UTC ---

Thank you, so this probably reproduces only on an ostree system.

--- Additional comment from Dusty Mabe on 2022-12-08 20:09:49 UTC ---

Opened an FCOS issue tracker issue for this too: https://github.com/coreos/fedora-coreos-tracker/issues/1359

--- Additional comment from Dusty Mabe on 2022-12-08 20:11:01 UTC ---

(In reply to Zdenek Pytela from comment #3)
> Thank you, so this probably reproduces only on an ostree system.

Hey Zdenek. This appears to be true, but do you know why it's specific to only ostree systems? I'm not sure how the PR fix here is special only for OSTree.

--- Additional comment from Zdenek Pytela on 2022-12-12 14:30:10 UTC ---

I am not aware of any manageable way of having separate policy for ostree, so this will be added to selinux-policy in the next build.

--- Additional comment from Dusty Mabe on 2022-12-12 16:51:14 UTC ---

Right. I'm just trying to understand why I can reproduce this on an OSTree system, but not on a non-OSTree system.

I'm happy with the fix, just trying to uderstand the problem space a bit better.

--- Additional comment from Denis Ollier on 2022-12-13 09:34:36 UTC ---

I'm facing the exact same issue on my Fedora 37 box (not FCOS).

--- Additional comment from Fedora Update System on 2022-12-21 10:01:31 UTC ---

FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5

--- Additional comment from Fedora Update System on 2022-12-22 01:40:57 UTC ---

FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2022-12-27 01:12:52 UTC ---

FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

--- Additional comment from Lioh Moeller on 2023-02-13 09:10:00 UTC ---

This issue is also present on EL9.
Comment 1 Timothée Ravier 2023-06-26 13:31:44 UTC 
For https://issues.redhat.com/browse/OCPBUGS-14237, we need https://github.com/fedora-selinux/selinux-policy/pull/1502 backported to RHEL 9.2. Thanks!
Comment 2 Milos Malik 2023-06-26 13:38:32 UTC 
I believe this BZ is a duplicate of BZ#2175137.
Comment 3 Timothée Ravier 2023-06-26 14:19:37 UTC 
https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/merge_requests/842 matches https://github.com/fedora-selinux/selinux-policy/pull/1502.

Closing.

*** This bug has been marked as a duplicate of bug 2175137 ***