Description of problem:
After updating to selinux-policy-3.14.2-42.fc29.noarch I get these problems.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1640801

systemd-timesyncd is confirmed to run with the new context:

system_u:system_r:systemd_timedated_t:s0 systemd+ 549 /usr/lib/systemd/systemd-timesyncd

SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the directory /run/dbus.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-timesyncd should be allowed read access on the dbus directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:systemd_timedated_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                /run/dbus [ dir ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-6.git9f3aed1.fc29.x86_64
Target RPM Packages           dbus-daemon-1.12.10-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-05 11:54:49 CET
Last Seen                     2018-11-05 11:54:49 CET
Local ID                      6fc6b291-e6a5-4ddd-94f9-91b751919e63

Raw Audit Messages
type=AVC msg=audit(1541415289.647:89): avc: denied { read } for pid=549 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=19274 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1541415289.647:89): arch=x86_64 syscall=inotify_add_watch success=yes exit=ESRCH a0=c a1=55f1b3617670 a2=2000d84 a3=55f1b3617340 items=1 ppid=1 pid=549 auid=4294967295 uid=471 gid=446 euid=471 suid=471 fsuid=471 egid=446 sgid=446 fsgid=446 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null)

type=CWD msg=audit(1541415289.647:89): cwd=/

type=PATH msg=audit(1541415289.647:89): item=0 name=/run/dbus inode=19274 dev=00:16 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: systemd-timesyn,systemd_timedated_t,system_dbusd_var_run_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Created attachment 1501801 [details] All avc reports related to this issue.
commit 1e340794f40830e16753caafb53c8f5349dd7276 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 6 16:14:15 2018 +0100

    Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files
    BZ(1646202)
Created attachment 1512465 [details] Update systemd_timesyncd_t: te systemd-239-6.git9f3aed1.fc29.x86_64 selinux-policy-3.14.2-42.fc29.noarch Compatible policy.
Created attachment 1512466 [details] Update systemd_timesyncd_t: if
Created attachment 1512467 [details]
Update systemd_timesyncd_t: fc

Last part of my policy.

My test is to reboot and then run this script:

# cat tst.sh
set -x
systemctl restart systemd-timesyncd
sleep 1
timedatectl show
timedatectl set-local-rtc true
sleep 1
timedatectl set-local-rtc false
sleep 1
timedatectl show-timesync
timedatectl timesync-status
timedatectl status
timedatectl list-timezones | wc -l
timedatectl set-ntp false
sleep 1
timedatectl set-time "$(date +"%F %T")"
sleep 1
timedatectl set-ntp true
sleep 1
timedatectl
Created attachment 1512468 [details] Update systemd_timesyncd_t: te Update te
As far as I can see, https://github.com/fedora-selinux/selinux-policy.git commits 1e340794f40830e16753caafb53c8f5349dd7276 and 830a3be4ac5205c7901034586d0d507a3d704fea do not go far enough to catch all the situations.

I'm not sure my idea is totally correct though.

What is the correct way to handle all the Protect entries in systemd-timesyncd.service? They force init_t to mount those directories into /run/systemd/unit-root and to handle this symlink there:

lrwxrwxrwx. 1 root root 27 Oct 12 14:11 /var/lib/systemd/timesync -> ../private/systemd/timesync

I guess manage_sock_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t) might be extra, as there is no socket. But I did not check the systemd sources thoroughly. I'll remove it.

Please note also that I have set systemd_timesyncd_t as permissive in my module.

If you add the module without a reboot, you need to relabel /var/lib and /run/systemd.

Both /var/run and /var/lib are used to store state, no pids.
Created attachment 1512484 [details] Update systemd_timesyncd_t: te removed manage_sock_files_pattern
selinux-policy-3.14.2-44.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eac5b1bd7
(In reply to Markus Linnala from comment #7)
> As far as I can see, https://github.com/fedora-selinux/selinux-policy.git
> commits 1e340794f40830e16753caafb53c8f5349dd7276 and
> 830a3be4ac5205c7901034586d0d507a3d704fea do not go far enough to catch all
> the situations.
>
> I'm not sure my idea is totally correct though.
>
> What is a correct way to handle all the Protect entries at
> systemd-timesyncd.service? They force init_t to mount those directories into
> /run/systemd/unit-root and to handle this symlink there:
>
> lrwxrwxrwx. 1 root root 27 Oct 12 14:11 /var/lib/systemd/timesync ->
> ../private/systemd/timesync

systemd-timesyncd no longer creates /var/lib/systemd/timesync as a symbolic link, but if the symbolic link already exists it will not be changed. So /var/lib/systemd/timesync can be a symbolic link or a directory depending on the history of the system.
I tried: selinux-policy-3.14.2-44.fc29.noarch

And used the test script from: https://bugzilla.redhat.com/show_bug.cgi?id=1646202#c5

I had the following relevant files:

drwxr-xr-x. 2 systemd-network systemd-network system_u:object_r:systemd_networkd_var_run_t:s0 100 Dec  9 18:18 /run/systemd/netif/links
drwxr-xr-x. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_lib_t:s0 10 Oct 12 14:14 /var/lib/private/systemd/timesync
drwxr-xr-x. 1 root root system_u:object_r:init_var_lib_t:s0 92 Nov  9 19:29 /var/lib/systemd
lrwxrwxrwx. 1 root root system_u:object_r:init_var_lib_t:s0 27 Oct 12 14:11 /var/lib/systemd/timesync -> ../private/systemd/timesync
-rw-r--r--. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_run_t:s0 0 Dec  9 20:42 /var/run/systemd/timesync/synchronized

And I had the following relevant audit entries:

# audit(1544372308.926:92):
# scontext="system_u:system_r:init_t:s0" tcontext="system_u:system_r:systemd_timedated_t:s0"
# class="process2" perms="nnp_transition"
# comm="(imesyncd)" exe="" path=""
# message="type=AVC msg=audit(1544372308.926:92): avc: denied { nnp_transition
# } for pid=789 comm="(imesyncd)" scontext=system_u:system_r:init_t:s0
# tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2
# permissive=0"

# audit(1544377364.835:852):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
# class="dir" perms="getattr"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544377364.835:852): avc: denied { getattr } for
# pid=13145 comm="systemd-timesyn" path="/var/lib/systemd" dev="sdc3"
# ino=143564 scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1"

# audit(1544377797.664:1258):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
# class="dir" perms="search"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544377797.664:1258): avc: denied { search } for
# pid=13242 comm="systemd-timesyn" name="systemd" dev="sdc3" ino=143564
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1"

# audit(1544377364.835:850):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
# class="lnk_file" perms="read"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544377364.835:850): avc: denied { read } for
# pid=13145 comm="systemd-timesyn" name="timesync" dev="sdc3" ino=19660884
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1"

# audit(1544377364.835:851):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
# class="lnk_file" perms="getattr"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544377364.835:851): avc: denied { getattr } for
# pid=13145 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sdc3"
# ino=19660884 scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1"

# audit(1544377364.836:853):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:systemd_networkd_var_run_t:s0"
# class="dir" perms="read"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544377364.836:853): avc: denied { read } for
# pid=13145 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12116
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
# permissive=1"

# audit(1544380942.649:1890):
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_run_t:s0"
# class="file" perms="write"
# comm="systemd-timesyn" exe="" path=""
# message="type=AVC msg=audit(1544380942.649:1890): avc: denied { write } for
# pid=27408 comm="systemd-timesyn" name="synchronized" dev="tmpfs" ino=801847
# scontext=system_u:system_r:systemd_timedated_t:s0
# tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1"
allow systemd_timedated_t init_var_run_t:file write;

I needed the following additional entries to run my test script and some normal run time without extra audit denied entries. The synchronized file was touched much later than the test script, so I guess there is at least one additional action.

require {
	type init_t;
	type init_var_lib_t;
	type systemd_networkd_var_run_t;
	type systemd_timedated_t;
	class dir { getattr search };
	class lnk_file { getattr read };
	class process2 nnp_transition;
	class file write;
}

#============= init_t ==============
init_nnp_daemon_domain(systemd_timedated_t)

#============= systemd_timedated_t ==============
# dir: /var/lib/systemd
allow systemd_timedated_t init_var_lib_t:dir { getattr search };
# symlink: /var/lib/systemd/timesync -> ../private/systemd/timesync
allow systemd_timedated_t init_var_lib_t:lnk_file { getattr read };
# /run/systemd/netif/links
allow systemd_timedated_t systemd_networkd_var_run_t:dir read;
# /run/systemd/timesync/synchronized
allow systemd_timedated_t init_var_run_t:file write;
And add this to the require part:

	type init_var_run_t;
A Fedora update associated with this bug has been pushed to the stable repository.
As the issue is not fully resolved by version 3.14.2-44 it is a bit premature to close it.
Villy, What is the problematic SELinux denial now? Could you attach it? Thanks, Lukas.
(In reply to Lukas Vrabec from comment #16)
> Villy,
>
> What is the problematic SELinux denial now? Could you attach it?
>
> Thanks,
> Lukas.

type=AVC msg=audit(1546959521.998:257): avc: denied { getattr } for pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:258): avc: denied { write } for pid=1581 comm="systemd-timesyn" name="timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:259): avc: denied { add_name } for pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:260): avc: denied { create } for pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:261): avc: denied { write open } for pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync/clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:262): avc: denied { setattr } for pid=1581 comm="systemd-timesyn" name="clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959522.000:263): avc: denied { read } for pid=1581 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12926 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959970.688:269): avc: denied { write } for pid=1581 comm="systemd-timesyn" name="clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1

 12926 system_u:object_r:systemd_networkd_var_run_t:s0 /run/systemd/netif/links
266949 system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/timesync
270753 system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/timesync/clock

Notice: /var/lib/systemd/timesync may be a symbolic link to ../private/systemd/timesync
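The denials in comment #11 and comment #17 were turned into allow rules by hand. The script below is an added example, not part of this report or of selinux-policy: it does the same translation that audit2allow does over the AVC records quoted in those two comments (copied into the script as constructed sample input), and adds the two checks a policy reviewer applies before loading such a module. An nnp_transition denial from init_t is expressed with the init_nnp_daemon_domain() interface already used in comment #11 rather than as a raw allow rule, and any rule whose target is a generic type such as init_var_lib_t or init_var_run_t is flagged, since that is the "labeling issue" pattern from comment #18: the usual fix is a dedicated type plus a file context entry and restorecon, not broader access for the daemon. The function names, the GENERIC_TYPES list and the module name my_timesyncd are my own choices.

```python
import re
from collections import defaultdict

# Constructed input: AVC records copied from comments 11 and 17 of this report,
# one record per line (in practice: ausearch -m AVC -c systemd-timesyn --raw).
SAMPLE_AVCS = """\
type=AVC msg=audit(1544372308.926:92): avc: denied { nnp_transition } for pid=789 comm="(imesyncd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1544377364.835:852): avc: denied { getattr } for pid=13145 comm="systemd-timesyn" path="/var/lib/systemd" dev="sdc3" ino=143564 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544377797.664:1258): avc: denied { search } for pid=13242 comm="systemd-timesyn" name="systemd" dev="sdc3" ino=143564 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544377364.835:850): avc: denied { read } for pid=13145 comm="systemd-timesyn" name="timesync" dev="sdc3" ino=19660884 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1544377364.835:851): avc: denied { getattr } for pid=13145 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sdc3" ino=19660884 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1544377364.836:853): avc: denied { read } for pid=13145 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12116 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544380942.649:1890): avc: denied { write } for pid=27408 comm="systemd-timesyn" name="synchronized" dev="tmpfs" ino=801847 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.998:260): avc: denied { create } for pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:261): avc: denied { write open } for pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync/clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

# Generic types a daemon should not get blanket access to (my own heuristic list):
# a denial against one of these usually means the object needs its own label.
GENERIC_TYPES = {"init_var_lib_t", "init_var_run_t", "var_lib_t", "var_run_t"}


def parse_avc(line):
    """Return the fields we need from one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path = PATH_RE.search(line)
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:range
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "path": path.group(1) if path else None,
    }


def analyse(log_text):
    """Group denials by (source type, target type, class); derive rules and warnings."""
    grouped, paths = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        grouped[key] |= rec["perms"]
        if rec["path"]:
            paths[key].add(rec["path"])

    rules, interfaces, warnings, rule_groups, types = [], [], [], {}, set()
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        types.update((stype, ttype))
        if stype == "init_t" and tclass == "process2" and perms == {"nnp_transition"}:
            # systemd started the unit with NoNewPrivileges=; the policy has an
            # interface for exactly this case, so use it instead of a raw allow.
            interfaces.append(f"init_nnp_daemon_domain({ttype})")
            continue
        rule_groups[(stype, ttype, tclass)] = perms
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
        if ttype in GENERIC_TYPES:
            where = ", ".join(sorted(paths[(stype, ttype, tclass)])) or "(no path logged)"
            warnings.append(f"{stype} -> {ttype}:{tclass} at {where}: generic target type; "
                            "prefer a dedicated type plus file context and restorecon")
    return {"rules": rules, "interfaces": interfaces, "warnings": warnings,
            "types": types, "groups": rule_groups}


def render_module(name, analysis):
    """Render a .te file in the layout audit2allow -R produces."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in analysis["groups"].items():
        classes[tclass] |= perms
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(analysis["types"])]
    for cls, perms in sorted(classes.items()):
        p = " ".join(sorted(perms))
        lines.append(f"\tclass {cls} {{ {p} }};" if len(perms) > 1 else f"\tclass {cls} {p};")
    lines += ["}", ""] + analysis["interfaces"] + [""] + analysis["rules"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = analyse(SAMPLE_AVCS)
    print(render_module("my_timesyncd", result))
    for warning in result["warnings"]:
        print("# WARNING:", warning)
```

Run against the sample it emits the same five allow rules and the init_nnp_daemon_domain() call that comment #11 arrived at by hand, plus a sixth rule for the clock file from comment #17, and warns on every rule that targets init_var_lib_t or init_var_run_t. To build and load the rendered file on a Fedora box with selinux-policy-devel installed: `make -f /usr/share/selinux/devel/Makefile my_timesyncd.pp && semodule -i my_timesyncd.pp`, then, as comment #7 notes, relabel /var/lib and /run/systemd if you do not reboot.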
Villy,

This looks like a labeling issue, could you please run:

# restorecon -Rv /

and then try to reproduce it again?

Thanks,
Lukas.
(In reply to Lukas Vrabec from comment #18)
> Villy,
>
> This looks like labeling issue, could you please run:
>
> # restorecon -Rv /
>
> and then try to reproduce it again?
>
> Thanks,
> Lukas.

restorecon did not relabel anything except

Relabeled /usr/sbin/e2mmpstatus from system_u:object_r:fsadm_exec_t:s0 to system_u:object_r:bin_t:s0

which is a different issue.

Don't you have any way to test it yourself? All that is needed is "systemctl start systemd-timesyncd".
commit 1e340794f40830e16753caafb53c8f5349dd7276
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 6 16:14:15 2018 +0100

    Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files
    BZ(1646202)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
(In reply to Fedora Update System from comment #22)
> selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing
> repository. If problems still persist, please make note of it in this bug
> report.
> See https://fedoraproject.org/wiki/QA:Updates_Testing for
> instructions on how to install test updates.
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

After updating I don't see any SELinux issues anymore related to timesyncd.
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.