Bug 1549580 - SELinux prevents systemd-timesyncd from starting
Summary: SELinux prevents systemd-timesyncd from starting
Keywords:
Status: CLOSED DUPLICATE of bug 1559281
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 28
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-27 12:58 UTC by Milos Malik
Modified: 2018-03-22 08:03 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-03-22 08:03:42 UTC
Type: Bug
Embargoed:


Description Milos Malik 2018-02-27 12:58:08 UTC
Description of problem:

Version-Release number of selected component (if applicable):
kernel-4.16.0-0.rc2.git0.1.fc28.x86_64
kernel-core-4.16.0-0.rc2.git0.1.fc28.x86_64
kernel-modules-4.16.0-0.rc2.git0.1.fc28.x86_64
selinux-policy-3.14.1-8.fc28.noarch
selinux-policy-targeted-3.14.1-8.fc28.noarch
systemd-237-1.git78bd769.fc28.x86_64
systemd-libs-237-1.git78bd769.fc28.x86_64
systemd-pam-237-1.git78bd769.fc28.x86_64
systemd-udev-237-1.git78bd769.fc28.x86_64

How reproducible:
* always

Steps to Reproduce:
# service systemd-timesyncd status
Redirecting to /bin/systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled;>
   Active: inactive (dead)
     Docs: man:systemd-timesyncd.service(8)
# service systemd-timesyncd start
Redirecting to /bin/systemctl start systemd-timesyncd.service
Job for systemd-timesyncd.service failed because the control process exited with error code.
See "systemctl status systemd-timesyncd.service" and "journalctl -xe" for details.
#

Actual results (enforcing mode):
----
type=AVC msg=audit(02/27/2018 07:54:21.316:343) : avc:  denied  { create } for  pid=1628 comm=(imesyncd) name=.pwd.lock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(02/27/2018 07:54:21.316:344) : avc:  denied  { write } for  pid=1628 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2018-02-27 13:01:24 UTC
The systemd-timesyncd service does not start in permissive mode either. SELinux is not the only cause.

Comment 2 Lukas Vrabec 2018-02-27 13:14:16 UTC
Do you see more denials in permissive?

Comment 3 Milos Malik 2018-02-27 14:33:27 UTC
No. Here is the only SELinux denial that appeared in permissive mode:
----
type=AVC msg=audit(02/27/2018 07:58:33.456:367) : avc:  denied  { write } for  pid=1673 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----

Comment 4 Lukas Vrabec 2018-03-10 16:35:12 UTC
Hi,

Any idea what is happening here?

Thanks,
Lukas.

Comment 5 Martin Pitt 2018-03-22 08:03:42 UTC
I just filed basically the same bug 1559281 against selinux-policy. AFAICS systemd does not ship its own SE policy, thus marking this as duplicate.

The startup failure without SELinux is bug 1559286.

*** This bug has been marked as a duplicate of bug 1559281 ***
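
Added example, not part of the bug report: a small Python parser for the AVC records quoted in this thread. It groups the denied permissions by source type, target type and class, and separates denials that were enforced (permissive=0) from ones that were only logged (permissive=1). The function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report: two from the enforcing run
# (Description) and one from the permissive run (Comment 3).
RECORDS = [
    'type=AVC msg=audit(02/27/2018 07:54:21.316:343) : avc:  denied  { create } for  pid=1628 comm=(imesyncd) name=.pwd.lock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(02/27/2018 07:54:21.316:344) : avc:  denied  { write } for  pid=1628 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(02/27/2018 07:58:33.456:367) : avc:  denied  { write } for  pid=1673 comm=(imesyncd) name=.pwd.lock dev="vda1" ino=138720 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Map (source type, target type, class, permissive flag) -> denied perms."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["permissive"])
        out[key].update(rec["perms"])
    return dict(out)


def enforced(lines):
    """True if at least one denial was actually applied (permissive=0)."""
    return any(r["permissive"] == "0" for r in filter(None, map(parse_avc, lines)))


if __name__ == "__main__":
    for (stype, ttype, tclass, perm), perms in summarize(RECORDS).items():
        mode = "logged only" if perm == "1" else "blocked"
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }} ({mode})")
```

For the permissive record `enforced()` returns False: that denial was logged but not applied, which is consistent with Comment 1's observation that the service also fails to start in permissive mode.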

