Description of problem:
I have been running systemd-timesyncd in f28 without any SELinux issues, and this issue started after upgrading to f29.

SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the sock_file /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-timesyncd should be allowed read access on the system_bus_socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                /run/dbus/system_bus_socket [ sock_file ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-3.fc29.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-36.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.18.14-200.fc28.x86_64 #1 SMP Mon Oct 15 13:16:27 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-10-18 21:19:27 CEST
Last Seen                     2018-10-18 21:19:27 CEST
Local ID                      f7c2c178-0e4a-47db-98c1-35cfcabb9565

Raw Audit Messages
type=AVC msg=audit(1539890367.630:85): avc: denied { read } for pid=544 comm="systemd-timesyn" name="system_bus_socket" dev="tmpfs" ino=19951 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1

type=SYSCALL msg=audit(1539890367.630:85): arch=x86_64 syscall=inotify_add_watch success=yes exit=EINTR a0=c a1=555d696b22f0 a2=2000d84 a3=7562642f6e75722f items=1 ppid=1 pid=544 auid=4294967295 uid=471 gid=446 euid=471 suid=471 fsuid=471 egid=446 sgid=446 fsgid=446 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:init_t:s0 key=(null)

type=CWD msg=audit(1539890367.630:85): cwd=/

type=PATH msg=audit(1539890367.630:85): item=0 name=/run/dbus/system_bus_socket inode=19951 dev=00:16 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: systemd-timesyn,init_t,system_dbusd_var_run_t,sock_file,read

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.14-200.fc28.x86_64
type:           libreport

commit dcfc27ecc5b32e5c1686a2d8e69fcb803839fa9a (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Nov 4 13:42:16 2018 +0100

    Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)

selinux-policy-3.14.2-42.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.