Description of problem:
On F20 timedatectl set-ntp generates an AVC although it seems to work:

[root@localhost ~]# timedatectl | grep enabled
     NTP enabled: yes
[root@localhost ~]# timedatectl set-ntp false
Failed to issue method call: Access denied
[root@localhost ~]# timedatectl | grep enabled
     NTP enabled: no
[root@localhost ~]# timedatectl set-ntp false
[root@localhost ~]# timedatectl set-ntp true
Failed to issue method call: Access denied
[root@localhost ~]# timedatectl | grep enabled
     NTP enabled: yes
[root@localhost ~]# timedatectl set-ntp true
[root@localhost ~]# timedatectl set-ntp true
[root@localhost ~]# timedatectl set-ntp true
[root@localhost ~]# timedatectl | grep enabled
     NTP enabled: yes
[root@localhost ~]# timedatectl set-ntp false
Failed to issue method call: Access denied
[root@localhost ~]# timedatectl | grep enabled
     NTP enabled: no
[root@localhost ~]# tail -2 /var/log/audit/audit.log
type=USER_AVC msg=audit(1380646726.130:479): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1380646734.745:480): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):
systemd-207-4.fc20
In policy we have

allow systemd_timedated_t ntpd_unit_file_t : file { ioctl read getattr lock open } ;

But we do not have the enable/disable of the unit file. Which seems to be what this command is doing. systemd seems to be interpreting this as being on itself. And not blocking it on denial. Could the SELinux patch be asking the wrong question?
> Flags: needinfo?(lpoetter)

This is still an issue with F20 + latest updates.
I added commit e46bcfe2e347bdb3a45836b512bf8ef3db9ac4f6 to fix this issue on Rawhide.
When I run `timedatectl set-ntp on` for the first time, I got:

type=USER_AVC msg=audit(1398762518.095:853): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=-1 uid=-1 gid=-1 path="system" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Oddly the second time, I got no error. I'm using selinux-policy-targeted-3.12.1-158.fc20.noarch.
The problem here is we still have "enable" on

tcontext=system_u:system_r:init_t:s0 tclass=system

if systemctl-timestamp tries to enable ntpd service.
(In reply to Miroslav Grepl from comment #7)
> The problem here is we still have "enable" on
>
> tcontext=system_u:system_r:init_t:s0 tclass=system
>
> if systemctl-timestamp tries to enable ntpd service.

Is this incorrect? What should it be instead?
I see this on Fedora 21 as well:

selinux-policy-targeted-3.13.1-105.6.fc21.noarch
systemd-216-20.fc21.x86_64

# timedatectl
      Local time: Thu 2015-03-19 21:55:18 EET
  Universal time: Thu 2015-03-19 19:55:18 UTC
        RTC time: Fri 2020-01-24 07:29:31
       Time zone: Europe/Helsinki (EET, +0200)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2014-10-26 03:59:59 EEST
                  Sun 2014-10-26 03:00:00 EET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2015-03-29 02:59:59 EET
                  Sun 2015-03-29 04:00:00 EEST
# timedatectl set-ntp false
Failed to set ntp: Access denied

Mär 19 21:55:41 localhost.localdomain kernel: audit: type=1107 audit(1426794941.740:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
This module fixes the problem:

# cat timedatedlocal.te
module timedatedlocal 1.0;

require {
	type systemd_timedated_t;
	type init_t;
	class system disable;
}

#============= systemd_timedated_t ==============
allow systemd_timedated_t init_t:system disable;
In case this helps, enabling ntp doesn't fail, just disabling:

[root@localhost ~]# timedatectl set-ntp true
[root@localhost ~]# timedatectl set-ntp false
Failed to set ntp: Access denied
This breaks Cockpit.
OK, so I fixed one part of the puzzle: timedated would flip the internal state before doing the actual operation. This is why the second operation would seem to succeed: when timedatectl was called the second time, timedated would think that it is already in the requested state and would do nothing [1].

[1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=192b98b8fe

Nevertheless, why the operation is refused by SELinux is unclear to me. Under F22 timedatectl only works with timesyncd, and both enable and disable fail.

systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=disable path=(null) cmdline=/usr/lib/systemd/systemd-timedated: -13
systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:object_r:systemd_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline=/usr/lib/systemd/systemd-timedated: -13

The checks are asymmetrical, tcon=system_u:system_r:init_t:s0 vs tcon=system_u:object_r:systemd_unit_file_t:s0. I think I understand comment #c7 now.
The check is symmetrical now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=81b8439902
http://cgit.freedesktop.org/systemd/systemd/commit/?id=df823e23f0

and SELinux denies everything uniformly:

mar 21 19:06:14 fedora22 audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 19:24:05 fedora22 audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 19:32:25 fedora22 audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 18:54:10 fedora22 audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service

Those changes are not yet in Fedora. Can the policy be updated to allow those operations?
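Added example, not code from this bug or from systemd or selinux-policy: a small audit2allow-style helper that parses AVC records of the shape quoted in this thread, derives the allow rules that would cover them, and reports which of the denials the stock ntpd_unit_file_t rule and the timedatedlocal module quoted earlier still leave uncovered. The sample records below are constructed from the denials shown in this bug (field lists trimmed); it covers both the older init_t:system denials and the newer systemd_unit_file_t:service ones.

```python
import re
from collections import defaultdict

# Constructed sample: the two F20 USER_AVC records (tcontext init_t, tclass system)
# and the four F22 records after the check was made symmetric (tclass service).
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1380646726.130:479): pid=1 uid=0 msg='avc: denied { enable } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd"'
type=USER_AVC msg=audit(1380646734.745:480): pid=1 uid=0 msg='avc: denied { disable } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd"'
mar 21 19:06:14 fedora22 audit[1]: <audit-1107> pid=1 uid=0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 19:24:05 fedora22 audit[1]: <audit-1107> pid=1 uid=0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 19:32:25 fedora22 audit[1]: <audit-1107> pid=1 uid=0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
mar 21 18:54:10 fedora22 audit[1]: <audit-1107> pid=1 uid=0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
"""

# Rules quoted in this bug: the stock ntpd_unit_file_t rule and the local module.
EXISTING_POLICY = """
allow systemd_timedated_t ntpd_unit_file_t : file { ioctl read getattr lock open } ;
allow systemd_timedated_t init_t:system disable;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(\{[^}]*\}|\w+)\s*;")

def type_of(ctx):
    """user:role:type[:level] -> the type component, which allow rules are written against."""
    return ctx.split(":")[2]

def parse_denials(audit_text):
    """Return one (source type, target type, tclass, perm) tuple per denied permission."""
    found = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.extend((type_of(m["scon"]), type_of(m["tcon"]), m["tclass"], p)
                         for p in m["perms"].split())
    return found

def parse_rules(policy_text):
    """Parse 'allow S T:C { p ... };' / 'allow S T:C p;' lines into a set of (S, T, C, p)."""
    return {(s, t, c, p) for s, t, c, perms in RULE_RE.findall(policy_text)
            for p in perms.strip("{} ").split()}

def uncovered(denials, policy_text):
    """Denials that no rule in policy_text permits, as sorted 'S T:C perm' strings."""
    allowed = parse_rules(policy_text)
    return sorted(f"{s} {t}:{c} {p}" for s, t, c, p in set(denials) if (s, t, c, p) not in allowed)

def allow_rules(denials):
    """Minimal allow rules (audit2allow style) that would cover every denial."""
    need = defaultdict(set)
    for s, t, c, p in denials:
        need[(s, t, c)].add(p)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(need.items())]
```

Note that the derived rules only say what the denials asked for; whether systemd_timedated_t should be allowed to start/stop/enable/disable units labelled systemd_unit_file_t is the policy question this bug raises, not something the script decides.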
I hit this problem on Fedora 22 during the Cockpit test day:
https://fedoraproject.org/wiki/Test_Day:2015-03-24_Cockpit

This prevents cockpit from setting the time both manually and via NTP.
The patches to fix error handling and make the SELinux check symmetric are now in https://admin.fedoraproject.org/updates/systemd-216-23.fc21 . It would be nice to sort out the SELinux policy to match.
commit e351f50b4f30cff1fc5770a19163937c46444455
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 7 12:23:52 2015 +0200

    Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.

added to the policy.
(In reply to Miroslav Grepl from comment #17) Thanks!
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.