Bug 811268

Summary: System Clock SELinux Problem
Product: [Fedora] Fedora
Reporter: Onuralp SEZER <thunderbirdtr>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-02-14 02:01:58 UTC
Type: Bug

Description Onuralp SEZER 2012-04-10 15:08:59 UTC
Description of problem:

SELinux problem on "Network Time" in "Date and Time Setting"


Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-80.fc16.noarch
setroubleshoot-3.1.3-1.fc16.x86_64

How reproducible:


Steps to Reproduce:

(In Gnome Desktop)

1. Click Time
2. Select "Date And Time Setting"
3. Unlock and type the "Root" password
4. Turn on the Network Time
5. The SELinux warning pops up

I get the same error from KDE Desktop too.
  
Actual results:
If I try to set Network Time or turn it off, I get this SELinux message

Expected results:
I can change the time or set network time and nothing comes up from SELinux

Additional info:


SELinux is preventing /sbin/chkconfig from getattr access on the file /bin/systemd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chkconfig should be allowed getattr access on the systemd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chkconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /bin/systemd [ file ]
Source                        chkconfig
Source Path                   /sbin/chkconfig
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           chkconfig-1.3.59-1.fc16.x86_64
Target RPM Packages           systemd-37-17.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.1-3.fc16.x86_64 #1
                              SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 10 Apr 2012 02:28:47 PM EEST
Last Seen                     Tue 10 Apr 2012 02:28:47 PM EEST
Local ID                      f430d36c-2d43-422b-b4bb-6d43f2d76863

Raw Audit Messages
type=AVC msg=audit(1334057327.582:80): avc:  denied  { getattr } for  pid=2698 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES a0=2153410 a1=7fff322d9780 a2=7fff322d9780 a3=1000 items=0 ppid=2681 pid=2698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: chkconfig,gnomeclock_t,init_exec_t,file,getattr

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;

Comment 1 Daniel Walsh 2012-04-10 18:55:04 UTC
Can you execute

# semanage permissive -a gnomeclock_t

And then try this again.

# ausearch -m avc -ts recent

Attach the output.

Comment 2 Onuralp SEZER 2012-04-10 19:05:01 UTC
I did: # semanage permissive -a gnomeclock_t, and

the "ausearch -m avc -ts recent" result:

----
time->Tue Apr 10 22:01:45 2012
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0 a0=84d410 a1=7fffe3f28570 a2=7fffe3f28570 a3=1000 items=0 ppid=9313 pid=9315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chkconfig" exe="/sbin/chkconfig" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334084505.078:130): avc:  denied  { getattr } for  pid=9315 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
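
Added example (not part of the bug report or of any Fedora tool): the two sets of audit records posted above differ in one field that matters. This Python code pairs each AVC record with its SYSCALL record by audit event ID, rebuilds the rule audit2allow printed, and reports whether the denial was enforced or only logged, as it is once gnomeclock_t is a permissive domain. The function names are illustrative, and it assumes one AVC record per event, as in the records here.

```python
import re
from collections import defaultdict

# Records from the description and comment 2 of this bug; SYSCALL lines trimmed after exit=.
SAMPLE = """
type=AVC msg=audit(1334057327.582:80): avc:  denied  { getattr } for  pid=2698 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES
----
time->Tue Apr 10 22:01:45 2012
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0
type=AVC msg=audit(1334084505.078:130): avc:  denied  { getattr } for  pid=9315 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def analyse(log_text):
    """Group records by audit event ID and summarise each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            rec_type, event_id, body = match.groups()
            events[event_id][rec_type] = body  # assumes one record of each type per event
    results = []
    for event_id, records in events.items():
        perms_match = PERMS_RE.search(records.get("AVC", ""))
        if not perms_match:
            continue
        perms = perms_match.group(1).split()
        avc = dict(FIELD_RE.findall(records["AVC"]))
        syscall = dict(FIELD_RE.findall(records.get("SYSCALL", "")))
        # A "denied" AVC whose syscall still succeeded was logged but not enforced.
        outcome = {"no": "enforced", "yes": "logged only"}.get(syscall.get("success"), "unknown")
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rule = "allow %s %s:%s %s;" % (selinux_type(avc["scontext"]),
                                       selinux_type(avc["tcontext"]), avc["tclass"], perm_text)
        results.append((event_id, rule, outcome))
    return results


if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(*row, sep="  |  ")
```

The AVC records on this page carry no field of their own that marks the domain as permissive, so the paired SYSCALL result is what separates the two events.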

Comment 3 Daniel Walsh 2012-04-10 20:06:51 UTC
Was network time turned on?  Can you turn it off using the chkconfig and service commands and then turn it on using gnomeclock?

Comment 4 Daniel Walsh 2012-04-10 20:09:45 UTC
We have this dontaudited in F17.

Comment 5 Onuralp SEZER 2012-04-10 20:24:57 UTC
How can I turn it off via chkconfig and service? And yes, if I turn it on, SELinux gives me a warning. Also, I have another PC with KDE Desktop installed, and it gives the same SELinux problem if I try to just change the "clock", not network time. Anyway, how can I turn off network time via chkconfig or service?

Comment 6 Daniel Walsh 2012-04-10 20:28:49 UTC
I think it is 

# chkconfig ntp off

Comment 7 Onuralp SEZER 2012-04-10 20:38:11 UTC
NTP, yes, I remember the service name now. But the problem is that the default F16 GnomeClock is not using "ntp" or "ntpq". I searched on Google to try all the alternatives, but if I give this command:

root@localhost onuralp# chkconfig ntp off
error reading information on service ntp: No such file or directory

Also, I tried "ntpq" but I get the same result.

I checked this link:

http://fedoraproject.org/wiki/Administration_Guide_Draft/NTP

Comment 9 Onuralp SEZER 2012-04-10 20:43:09 UTC
Network Time Protocol is explained here. But we have one problem: the default F16 Live didn't have this command ("ntpdate"); I just tried this.

http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/sect-Configuring_the_Date_and_Time-Command_Line_Configuration-Network_Time_Protocol.html

Comment 10 Miroslav Grepl 2012-06-22 14:30:26 UTC
Is this still an issue?

Comment 11 Fedora End Of Life 2013-02-14 02:02:02 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.