Bug 1572200 - SELinux is preventing (imesyncd) from 'write' accesses on the file /etc/.pwd.lock.
Status: CLOSED DUPLICATE of bug 1559281
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:cbb430d4f6e1b65205a9b48afd3...
Reported: 2018-04-26 12:11 UTC by rockonthemoonfm
Modified: 2018-07-04 08:02 UTC (History)
Last Closed: 2018-07-04 08:02:03 UTC


Description rockonthemoonfm 2018-04-26 12:11:03 UTC
Description of problem:
Enabling Automatic Date and Time and Automatic Time Zone in GNOME Settings caused this SELinux warning:
SELinux is preventing (imesyncd) from 'write' accesses on the file /etc/.pwd.lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (imesyncd) should be allowed write access on the .pwd.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(imesyncd)' --raw | audit2allow -M my-imesyncd
# semodule -X 300 -i my-imesyncd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/.pwd.lock [ file ]
Source                        (imesyncd)
Source Path                   (imesyncd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.3-301.fc28.x86_64 #1 SMP Mon
                              Apr 23 21:59:58 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-04-26 14:06:46 CEST
Last Seen                     2018-04-26 14:06:46 CEST
Local ID                      f1304e6f-1122-4089-8169-42ab1d24c778

Raw Audit Messages
type=AVC msg=audit(1524744406.887:323): avc:  denied  { write } for  pid=3559 comm="(imesyncd)" name=".pwd.lock" dev="sda2" ino=391303 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: (imesyncd),init_t,passwd_file_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.3-301.fc28.x86_64
type:           libreport
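
The raw AVC record in the report above can be triaged mechanically. The following is an added example, not part of the original report or of setroubleshoot: it parses AVC denial lines and builds a grouping key in the same shape as the "Hash:" line above. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the raw audit message quoted in this report;
# record 2 is a made-up permissive-mode denial added for contrast.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1524744406.887:323): avc:  denied  { write } for  pid=3559 comm="(imesyncd)" name=".pwd.lock" dev="sda2" ino=391303 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524744500.100:400): avc:  denied  { read open } for  pid=4100 comm="example" name="data" dev="sda2" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'perms': m.group('perms').split(),
        'enforced': fields.get('permissive') == '0',  # 0 = access was blocked
    }

def hash_key(rec):
    """Grouping key shaped like the report's Hash line: comm,stype,ttype,class,perms."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], *sorted(rec['perms'])])

def summarize(log_text):
    """Count enforced (actually blocked) denials per grouping key."""
    records = filter(None, map(parse_avc, log_text.splitlines()))
    return Counter(hash_key(r) for r in records if r['enforced'])

if __name__ == '__main__':
    for key, count in summarize(SAMPLE_AUDIT_LOG).items():
        print(count, key)
```

Grouping on the type pair rather than on the process name keeps reports from different hosts comparable, since the `comm` field is truncated by the kernel (here `(imesyncd)` instead of the full service name).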

Comment 1 Lukas Vrabec 2018-04-29 13:50:34 UTC
Hi, 

Are you facing any functional issues, or did you just see this AVC?

Thanks,
Lukas.

Comment 2 Jiri Cerny 2018-05-02 07:11:28 UTC
I am not the original reporter, but I see the same problem. 
After this issue, systemd-timesyncd.service fails to start.
I think that this is a duplicate of Bug 1559281.

Comment 3 Brian Peletz 2018-05-02 11:34:24 UTC
Description of problem:
timesyncd fails to start, and when trying to manually start it I get an error.

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport

Comment 4 James Ettle 2018-05-05 10:45:47 UTC
Description of problem:
More post-F28-update trouble.

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport

Comment 5 Villy Kruse 2018-07-03 19:12:09 UTC
The issue comes from systemd-timesyncd.service, or any other service which creates a dynamic user id.  As of now systemd-timesyncd.service is the only one in Fedora systems.  To check, run:

systemctl start systemd-timesyncd.service

Comment 6 Villy Kruse 2018-07-03 19:18:33 UTC
(In reply to Jiri Cerny from comment #2)
> I am not the original reporter, but I see the same problem. 
> After this issue, systemd-timesyncd.service fails to start.
> I think that this is a duplicate of Bug 1559281

It is almost a duplicate, as permission for both read and create for the file /etc/.pwd.lock is needed.  It needs to lock the password file while checking if a dynamic user to be created already exists.
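
Why a lock on this file shows up as a 'write' denial, as an added example that is not part of the original comment or of systemd's code: an exclusive POSIX record lock can only be taken on a descriptor opened for writing. It assumes the lock is taken the way glibc's lckpwdf() does (open for writing with create, then an fcntl write lock), and it uses a scratch file instead of /etc/.pwd.lock; the function names are hypothetical.

```python
import errno
import fcntl
import os
import tempfile

def try_exclusive_lock(path, flags):
    """Open path with the given flags and request an exclusive record lock.

    Returns 'locked' on success, otherwise the errno name of the failure.
    """
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        return errno.errorcode[e.errno]
    try:
        # LOCK_EX maps to an fcntl F_WRLCK record lock; LOCK_NB avoids blocking.
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return 'locked'
    except OSError as e:
        return errno.errorcode[e.errno]
    finally:
        os.close(fd)

def demo():
    """Compare a write-mode open (what the lock needs) with a read-only open."""
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, '.pwd.lock')  # scratch stand-in for the real file
        return {
            # Needs create + write on the file, the accesses the policy must allow.
            'create_write': try_exclusive_lock(
                lock, os.O_WRONLY | os.O_CREAT | os.O_CLOEXEC | os.O_NOFOLLOW),
            # A read-only descriptor cannot hold a write lock: EBADF.
            'read_only': try_exclusive_lock(lock, os.O_RDONLY | os.O_CLOEXEC),
        }

if __name__ == '__main__':
    print(demo())
```

With SELinux enforcing and no rule allowing init_t to write passwd_file_t, the first open is refused before any lock is attempted, which matches the AVC in the description.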

Comment 7 Lukas Vrabec 2018-07-04 08:02:03 UTC

*** This bug has been marked as a duplicate of bug 1559281 ***

