Description of problem:
enabling Automatic Date and Time and Automatic Time Zone in GNOME Settings caused this SELinux warning

SELinux is preventing (imesyncd) from 'write' accesses on the file /etc/.pwd.lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (imesyncd) should be allowed write access on the .pwd.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(imesyncd)' --raw | audit2allow -M my-imesyncd
# semodule -X 300 -i my-imesyncd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/.pwd.lock [ file ]
Source                        (imesyncd)
Source Path                   (imesyncd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.3-301.fc28.x86_64 #1 SMP Mon
                              Apr 23 21:59:58 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-04-26 14:06:46 CEST
Last Seen                     2018-04-26 14:06:46 CEST
Local ID                      f1304e6f-1122-4089-8169-42ab1d24c778

Raw Audit Messages
type=AVC msg=audit(1524744406.887:323): avc: denied { write } for pid=3559 comm="(imesyncd)" name=".pwd.lock" dev="sda2" ino=391303 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Hash: (imesyncd),init_t,passwd_file_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.3-301.fc28.x86_64
type:           libreport
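The raw audit message in the report above carries the same five fields that the report's Hash line lists. As an added example (not part of the original report, and not setroubleshoot's own code), this Python parser extracts them from an AVC record and tells whether the access was actually blocked; the function names are hypothetical and the sample line is copied from the report.

```python
import re

# Raw audit record copied from the report above.
SAMPLE = ('type=AVC msg=audit(1524744406.887:323): avc: denied { write } for '
          'pid=3559 comm="(imesyncd)" name=".pwd.lock" dev="sda2" ino=391303 '
          'scontext=system_u:system_r:init_t:s0 '
          'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not a usable AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; only the level may contain more colons.
    for key in ('scontext', 'tcontext'):
        fields[key + '_type'] = fields[key].split(':')[2]
    return fields


def summary_key(avc):
    """Join the five fields in the order the report's Hash line uses.
    Joining several permissions with spaces is an assumption of this example."""
    return ','.join([avc.get('comm', '?'), avc['scontext_type'],
                     avc['tcontext_type'], avc['tclass'], ' '.join(avc['perms'])])


def blocked(avc):
    """True when the access was denied and enforced. permissive=1 means the
    denial was only logged; a missing field is treated as blocked here."""
    return avc['result'] == 'denied' and avc.get('permissive') != '1'


if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(summary_key(avc))
    print('blocked' if blocked(avc) else 'logged only')
```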
Hi,

Are you facing any functional issues, or did you just see this AVC?

Thanks,
Lukas.
I am not the original reporter, but I see the same problem.
After this issue, systemd-timesyncd.service fails to start.
I think that this is a duplicate of Bug 1559281.
Description of problem:
timesyncd fails to start and when trying to manually start it I get an error

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport
Description of problem:
More post-F28-update trouble.

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport
The issue comes from systemd-timesyncd.service, or any other service which creates a dynamic user ID. As of now, systemd-timesyncd.service is the only one on Fedora systems.

To check, run:
systemctl start systemd-timesyncd.service
(In reply to Jiri Cerny from comment #2)
> I am not the original reporter, but I see the same problem.
> After this issue, systemd-timesyncd.service fail to start.
> I think that this is a duplicate of Bug 1559281

It is almost a duplicate, as permission for both read and create for the file /etc/.pwd.lock is needed. It needs to lock the password file while checking if a dynamic user to be created already exists.
*** This bug has been marked as a duplicate of bug 1559281 ***