Description of problem:
Fedora 28's systemd now ships a bunch of services with DynamicUser=yes (see http://0pointer.net/blog/dynamic-users-with-systemd.html). This is currently broken with SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.1-14.fc28.noarch
selinux-policy-3.14.1-14.fc28.noarch
systemd-238-4.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. systemctl start systemd-timesyncd

Actual results:
service fails:

   aded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/systemd-timesyncd.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Thu 2018-03-22 03:51:01 EDT; 9s ago
     Docs: man:systemd-timesyncd.service(8)
  Process: 1465 ExecStart=/usr/lib/systemd/systemd-timesyncd (code=exited, status=217/USER)
 Main PID: 1465 (code=exited, status=217/USER)

Journal shows the SELinux violation:

AVC avc: denied { create } for pid=1465 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Expected results:
Service starts successfully
*** Bug 1549580 has been marked as a duplicate of this bug. ***
In case you wonder, the "override.conf" dropin just sets `Restart=no` to get a sensible status output (otherwise it just repeatedly fails and runs into the restart limit).
Michal, any help here?
(In reply to Lukas Vrabec from comment #3)
> Any help here?

No idea off the top of my head. The DynamicUsers feature could have triggered a lot of SELinux tripwires :) A relevant excerpt of the audit log would be helpful.
@Michal: I already put the relevant SELinux message into the description. If that's not it, I put the full "journalctl -f" output here that happens during "systemctl start systemd-timesyncd". (However, this is trivial to reproduce and I don't believe it happens just for my VM).

Starting Network Time Synchronization...
AVC avc: denied { write } for pid=1546 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
audit: type=1400 audit(1522139836.528:288): avc: denied { write } for pid=1546 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Failed to start Network Time Synchronization.
audit: type=1300 audit(1522139836.528:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
I hit a similar bug with dnscrypt-proxy 2 (not yet packaged):

# The service file:

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
# Run dnscrypt-proxy as unprivileged user with
# temporary assigned UID/GID. See man:systemd.exec
# for more info. Requires systemd 232+.
DynamicUser=yes
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

# Initial SELinux errors:

Raw Audit Messages
type=AVC msg=audit(1525551759.43:5971): avc: denied { create } for pid=31320 comm="(pt-proxy)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Hash: (pt-proxy),init_t,passwd_file_t,file,create

Raw Audit Messages
type=AVC msg=audit(1525551776.108:6001): avc: denied { write } for pid=31381 comm="(pt-proxy)" name=".pwd.lock" dev="sda7" ino=661 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Hash: (pt-proxy),init_t,passwd_file_t,file,write

# Rules added for all errors to be cleared:

module my-ptproxy 1.0;

require {
	type var_t;
	type passwd_file_t;
	type init_t;
	type var_log_t;
	class file { create write };
	class dir { create setattr };
	class lnk_file { create getattr read };
}

#============= init_t ==============
allow init_t passwd_file_t:file { create write };
allow init_t var_log_t:dir { create setattr };
allow init_t var_log_t:lnk_file { create getattr read };
allow init_t var_t:dir { create setattr };
allow init_t var_t:lnk_file create;
With the chmod 700 /var/lib/private workaround from bug 1559286, I started systemd-timesyncd and received the following denials (needed to include dontaudit denials to get all the needed rules):

----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.511:146): avc: denied { write } for pid=958 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=262465 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.516:147): avc: denied { create } for pid=958 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.516:148): avc: denied { setattr } for pid=958 comm="(imesyncd)" name="timesync" dev="dm-0" ino=654128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 15:03:39 2018
type=AVC msg=audit(1526508219.517:151): avc: denied { create } for pid=1036 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed May 16 15:03:39 2018
type=AVC msg=audit(1526508219.520:152): avc: denied { setattr } for pid=1036 comm="(imesyncd)" name="timesync" dev="dm-0" ino=654128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 15:33:45 2018
type=AVC msg=audit(1526510025.739:170): avc: denied { mounton } for pid=870 comm="(imesyncd)" path="/run/systemd/unit-root/dev" dev="dm-0" ino=130817 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

... which are fixed with the following rules:

#============= init_t ==============
allow init_t passwd_file_t:file { create write };
allow init_t var_lib_t:dir { create setattr };

#!!!! This avc has a dontaudit rule in the current policy
allow init_t unlabeled_t:dir mounton;

Enabling the above in the current policy allowed systemd-timesyncd to start correctly.
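To make the denial-to-rule step in the two comments above explicit (the dnscrypt-proxy module and the timesyncd rules), here is an added example that is not code from the bug report, systemd or selinux-policy: a small Python re-implementation of what audit2allow does with the quoted AVC records. The module name my-dynuser and the sample input (the four timesyncd denials, copied from the comment above) are this example's own.

```python
"""Derive SELinux allow rules from raw AVC denials (mini audit2allow)."""
import re
from collections import defaultdict

# Constructed sample input: the four timesyncd denials quoted in the
# comment above, verbatim (permissive=1 because the box was in permissive).
SAMPLE_AVCS = """\
type=AVC msg=audit(1526507776.511:146): avc: denied { write } for pid=958 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=262465 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1526507776.516:147): avc: denied { create } for pid=958 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1526507776.516:148): avc: denied { setattr } for pid=958 comm="(imesyncd)" name="timesync" dev="dm-0" ino=654128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1526508219.517:151): avc: denied { create } for pid=1036 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source type, target type, tclass, perms) or None for non-AVC lines.
    The type is the third component of a context (user:role:type:range)."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def build_rules(avc_text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="my-dynuser", version="1.0"):
    """Emit a loadable .te module: require block, then one allow per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(build_rules(SAMPLE_AVCS)))
```

Denials covered by a dontaudit rule, like the mounton one above, only show up in the input after dontaudit rules are disabled with `semodule -DB` (re-enable them with `semodule -B`). What this emits for init_t is a local diagnostic rather than a fix: allowing init_t to create and write passwd_file_t files widens PID 1's access to the passwd lock file, which is why the thread moves toward a policy-level boolean instead.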
I also noticed that once timesyncd is running, I get the following output from restorecon -rnv /

Would relabel /var/lib/private/systemd/timesync/clock from system_u:object_r:init_var_lib_t:s0 to system_u:object_r:var_lib_t:s0

Not sure which is correct... but clearly either timesyncd or the policy has the wrong label.
Any chance this could be fixed soon? I'd like to push an update for dnscrypt-proxy but it is not usable without this bug being fixed.
Yes, I'll create an SELinux boolean for that. Give me a few days. Thanks, Lukas.
I made a very simple test to see if both bugs are resolved: https://gitlab.com/BrunoVernay/dynustat

Is there a way to help on this one? Also note that for DynamicUser to work, your boolean should be set by default.
*** Bug 1594478 has been marked as a duplicate of this bug. ***
*** Bug 1595370 has been marked as a duplicate of this bug. ***
*** Bug 1572200 has been marked as a duplicate of this bug. ***
*** Bug 1599066 has been marked as a duplicate of this bug. ***
Based on this discussion[1], moving this ticket to systemd component. [1] https://github.com/systemd/systemd/issues/9583
This also affects resolved now:

audit: type=1400 audit(1534253081.174:78): avc: denied { create } for pid=647 comm="(resolved)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
We haven't seen this any more in current Fedora 28 and 29 in three weeks, so apparently this got fixed in the SELinux policy (or maybe systemd).
Fedora 28, systemd 238, selinux-policy 3.14.1-42.fc28: the problem still persists.
I still see this with selinux-policy-3.14.1-47.fc28.noarch