Bug 1646202 - SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the directory /run/dbus.
Summary: SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:da89a74f8c2790b2ad43d298de0...
Depends On:
Blocks:
 
Reported: 2018-11-05 11:17 UTC by Villy Kruse
Modified: 2019-01-17 02:16 UTC (History)

Fixed In Version: selinux-policy-3.14.2-46.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-14 09:47:31 UTC


Attachments
All avc reports related to this issue. (4.19 KB, text/plain) - 2018-11-05 11:20 UTC, Villy Kruse
Update systemd_timesyncd_t: te (2.13 KB, text/plain) - 2018-12-07 12:19 UTC, Markus Linnala
Update systemd_timesyncd_t: if (3.25 KB, text/plain) - 2018-12-07 12:20 UTC, Markus Linnala
Update systemd_timesyncd_t: fc (318 bytes, text/plain) - 2018-12-07 12:27 UTC, Markus Linnala
Update systemd_timesyncd_t: te (2.22 KB, text/plain) - 2018-12-07 12:28 UTC, Markus Linnala
Update systemd_timesyncd_t: te (2.11 KB, text/plain) - 2018-12-07 12:48 UTC, Markus Linnala

Description Villy Kruse 2018-11-05 11:17:50 UTC
Description of problem:
After updating to selinux-policy-3.14.2-42.fc29.noarch I get these problems

See also https://bugzilla.redhat.com/show_bug.cgi?id=1640801

systemd-timesyncd is confirmed to run with the new context.

system_u:system_r:systemd_timedated_t:s0 systemd+ 549 /usr/lib/systemd/systemd-timesyncd
SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the directory /run/dbus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-timesyncd should be allowed read access on the dbus directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:systemd_timedated_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                /run/dbus [ dir ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-6.git9f3aed1.fc29.x86_64
Target RPM Packages           dbus-daemon-1.12.10-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat
                              Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-05 11:54:49 CET
Last Seen                     2018-11-05 11:54:49 CET
Local ID                      6fc6b291-e6a5-4ddd-94f9-91b751919e63

Raw Audit Messages
type=AVC msg=audit(1541415289.647:89): avc:  denied  { read } for  pid=549 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=19274 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1541415289.647:89): arch=x86_64 syscall=inotify_add_watch success=yes exit=ESRCH a0=c a1=55f1b3617670 a2=2000d84 a3=55f1b3617340 items=1 ppid=1 pid=549 auid=4294967295 uid=471 gid=446 euid=471 suid=471 fsuid=471 egid=446 sgid=446 fsgid=446 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null)

type=CWD msg=audit(1541415289.647:89): cwd=/

type=PATH msg=audit(1541415289.647:89): item=0 name=/run/dbus inode=19274 dev=00:16 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: systemd-timesyn,systemd_timedated_t,system_dbusd_var_run_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 1 Villy Kruse 2018-11-05 11:20:14 UTC
Created attachment 1501801 [details]
All avc reports related to this issue.

Comment 2 Lukas Vrabec 2018-11-06 15:14:37 UTC
commit 1e340794f40830e16753caafb53c8f5349dd7276 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Nov 6 16:14:15 2018 +0100

    Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)

Comment 3 Markus Linnala 2018-12-07 12:19:51 UTC
Created attachment 1512465 [details]
Update systemd_timesyncd_t: te

systemd-239-6.git9f3aed1.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch

Compatible policy.

Comment 4 Markus Linnala 2018-12-07 12:20:18 UTC
Created attachment 1512466 [details]
Update systemd_timesyncd_t: if

Comment 5 Markus Linnala 2018-12-07 12:27:56 UTC
Created attachment 1512467 [details]
Update systemd_timesyncd_t: fc

Last part of my policy. My test is to reboot and then run script:

# cat tst.sh 
set -x
systemctl restart systemd-timesyncd
sleep 1
timedatectl show
timedatectl set-local-rtc true
sleep 1
timedatectl set-local-rtc false
sleep 1
timedatectl show-timesync
timedatectl timesync-status
timedatectl status
timedatectl list-timezones | wc -l
timedatectl set-ntp false
sleep 1
timedatectl set-time "$(date +"%F %T")"
sleep 1
timedatectl set-ntp true
sleep 1
timedatectl

Comment 6 Markus Linnala 2018-12-07 12:28:32 UTC
Created attachment 1512468 [details]
Update systemd_timesyncd_t: te

Update te

Comment 7 Markus Linnala 2018-12-07 12:48:01 UTC
As far as I can see, https://github.com/fedora-selinux/selinux-policy.git commits 1e340794f40830e16753caafb53c8f5349dd7276 and 830a3be4ac5205c7901034586d0d507a3d704fea do not go far enough to catch all the situations.


I'm not sure my idea is totally correct though.

What is a correct way to handle all the Protect entries at systemd-timesyncd.service? They force init_t to mount those directories into /run/systemd/unit-root and to handle this symlink there:

lrwxrwxrwx. 1 root root 27 Oct 12 14:11 /var/lib/systemd/timesync -> ../private/systemd/timesync

I guess manage_sock_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t) might be extra as there is no socket. But I did not check systemd sources thoroughly. I'll remove it.


Please note also I have set systemd_timesyncd_t as permissive in my module.

If you add module without reboot you need to relabel /var/lib and /run/systemd.

Both /var/run and /var/lib are used to store state, no pids.

Comment 8 Markus Linnala 2018-12-07 12:48:41 UTC
Created attachment 1512484 [details]
Update systemd_timesyncd_t: te

removed manage_sock_files_pattern

Comment 9 Fedora Update System 2018-12-07 15:36:09 UTC
selinux-policy-3.14.2-44.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eac5b1bd7

Comment 10 Villy Kruse 2018-12-08 11:00:27 UTC
(In reply to Markus Linnala from comment #7)
> As far as I can see, https://github.com/fedora-selinux/selinux-policy.git
> commits 1e340794f40830e16753caafb53c8f5349dd7276 and
> 830a3be4ac5205c7901034586d0d507a3d704fea do not go far enough to catch all
> the situations.
> 
> 
> I'm not sure my idea is totally correct though.
> 
> What is a correct way to handle all the Protect entries at
> systemd-timesyncd.service? They force init_t to mount those directories into
> /run/systemd/unit-root and to handle this symlink there:
> 
> lrwxrwxrwx. 1 root root 27 Oct 12 14:11 /var/lib/systemd/timesync ->
> ../private/systemd/timesync
> 


systemd-timesyncd no longer creates /var/lib/systemd/timesync as a symbolic link, but if the symbolic link already exists it will not be changed.

So /var/lib/systemd/timesync can be a symbolic link or a directory depending on the history of the system.

Comment 11 Markus Linnala 2018-12-09 18:50:24 UTC
I tried: selinux-policy-3.14.2-44.fc29.noarch

And used test script from: https://bugzilla.redhat.com/show_bug.cgi?id=1646202#c5

I had following relevant files:

drwxr-xr-x. 2 systemd-network systemd-network system_u:object_r:systemd_networkd_var_run_t:s0 100 Dec  9 18:18 /run/systemd/netif/links
drwxr-xr-x. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_lib_t:s0 10 Oct 12 14:14 /var/lib/private/systemd/timesync
drwxr-xr-x. 1 root             root             system_u:object_r:init_var_lib_t:s0 92 Nov  9 19:29 /var/lib/systemd
lrwxrwxrwx. 1 root             root             system_u:object_r:init_var_lib_t:s0 27 Oct 12 14:11 /var/lib/systemd/timesync -> ../private/systemd/timesync
-rw-r--r--. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_run_t:s0 0 Dec  9 20:42 /var/run/systemd/timesync/synchronized


And I had following relevant audit entries:

# audit(1544372308.926:92):
#  scontext="system_u:system_r:init_t:s0" tcontext="system_u:system_r:systemd_timedated_t:s0"
#  class="process2" perms="nnp_transition"
#  comm="(imesyncd)" exe="" path=""
#  message="type=AVC msg=audit(1544372308.926:92): avc:  denied  { nnp_transition
#   } for  pid=789 comm="(imesyncd)" scontext=system_u:system_r:init_t:s0
#   tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2
#   permissive=0"

# audit(1544377364.835:852):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
#  class="dir" perms="getattr"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544377364.835:852): avc:  denied  { getattr } for
#   pid=13145 comm="systemd-timesyn" path="/var/lib/systemd" dev="sdc3"
#   ino=143564 scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1"

# audit(1544377797.664:1258):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
#  class="dir" perms="search"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544377797.664:1258): avc:  denied  { search } for
#   pid=13242 comm="systemd-timesyn" name="systemd" dev="sdc3" ino=143564
#   scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1"

# audit(1544377364.835:850):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
#  class="lnk_file" perms="read"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544377364.835:850): avc:  denied  { read } for
#   pid=13145 comm="systemd-timesyn" name="timesync" dev="sdc3" ino=19660884
#   scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1"

# audit(1544377364.835:851):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_lib_t:s0"
#  class="lnk_file" perms="getattr"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544377364.835:851): avc:  denied  { getattr } for
#   pid=13145 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sdc3"
#   ino=19660884 scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:init_var_lib_t:s0 tclass=lnk_file permissive=1"

# audit(1544377364.836:853):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:systemd_networkd_var_run_t:s0"
#  class="dir" perms="read"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544377364.836:853): avc:  denied  { read } for
#   pid=13145 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12116
#   scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
#   permissive=1"

# audit(1544380942.649:1890):
#  scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:init_var_run_t:s0"
#  class="file" perms="write"
#  comm="systemd-timesyn" exe="" path=""
#  message="type=AVC msg=audit(1544380942.649:1890): avc:  denied  { write } for
#   pid=27408 comm="systemd-timesyn" name="synchronized" dev="tmpfs" ino=801847
#   scontext=system_u:system_r:systemd_timedated_t:s0
#   tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1"
allow systemd_timedated_t init_var_run_t:file write;


I needed to have the following additional entries to run my test script and some normal run time without extra audit denied entries. The synchronized file was touched much later than the test script, so I guess there is at least one additional action.

require {
        type init_t;
        type init_var_lib_t;
        type systemd_networkd_var_run_t;
        type systemd_timedated_t;
        class dir { getattr search };
        class lnk_file { getattr read };
        class process2 nnp_transition;
        class file write;
}

#============= init_t ==============
init_nnp_daemon_domain(systemd_timedated_t)

#============= systemd_timedated_t ==============
# dir: /var/lib/systemd
allow systemd_timedated_t init_var_lib_t:dir { getattr search };

# symlink: /var/lib/systemd/timesync -> ../private/systemd/timesync
allow systemd_timedated_t init_var_lib_t:lnk_file { getattr read };

# /run/systemd/netif/links
allow systemd_timedated_t systemd_networkd_var_run_t:dir read;

# /run/systemd/timesync/synchronized
allow systemd_timedated_t init_var_run_t:file write;

Comment 12 Markus Linnala 2018-12-09 19:31:55 UTC
And add this to the require part:
        type init_var_run_t;

Comment 13 Randy Barlow 2018-12-11 17:04:09 UTC
A Fedora update associated with this bug has been pushed to the stable repository.

Comment 14 Randy Barlow 2018-12-14 20:41:19 UTC
A Fedora update associated with this bug has been pushed to the stable repository.

Comment 15 Villy Kruse 2018-12-15 08:47:13 UTC
As the issue is not fully resolved by version 3.14.2-44 it is a bit premature to close it.

Comment 16 Lukas Vrabec 2019-01-08 13:03:33 UTC
Villy, 

What is the problematic SELinux denial now? Could you attach it? 

Thanks,
Lukas.

Comment 17 Villy Kruse 2019-01-08 15:11:46 UTC
(In reply to Lukas Vrabec from comment #16)
> Villy, 
> 
> What is the problematic SELinux denial now? Could you attach it? 
> 
> Thanks,
> Lukas.



type=AVC msg=audit(1546959521.998:257): avc:  denied  { getattr } for  pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:258): avc:  denied  { write } for  pid=1581 comm="systemd-timesyn" name="timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:259): avc:  denied  { add_name } for  pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:260): avc:  denied  { create } for  pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:261): avc:  denied  { write open } for  pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync/clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:262): avc:  denied  { setattr } for  pid=1581 comm="systemd-timesyn" name="clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959522.000:263): avc:  denied  { read } for  pid=1581 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12926 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959970.688:269): avc:  denied  { write } for  pid=1581 comm="systemd-timesyn" name="clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1


12926 system_u:object_r:systemd_networkd_var_run_t:s0 /run/systemd/netif/links
266949 system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/timesync
270753 system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/timesync/clock

Notice: /var/lib/systemd/timesync may be a symbolic link to ../private/systemd/timesync

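The denials quoted above only become useful once they are collapsed into one rule per (source type, target type, object class), which is what the comment 11 policy snippet did by hand. The following Python is an added example, not code from this bug or from the selinux-policy project: it parses a subset of the AVC lines from comment 17 (copied verbatim) and emits candidate allow rules in the same shape as comment 11, plus a check that every line carried permissive=1, since in permissive mode the log shows the whole access chain, whereas in enforcing mode only the first blocked step would be visible.

```python
"""Collapse raw AVC denials into candidate allow rules (a small stand-in for audit2allow)."""
import re
from collections import defaultdict

# Sample input: a subset of the AVC lines quoted in comment 17 of this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1546959521.998:257): avc:  denied  { getattr } for  pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:258): avc:  denied  { write } for  pid=1581 comm="systemd-timesyn" name="timesync" dev="sda2" ino=266949 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:259): avc:  denied  { add_name } for  pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959521.998:260): avc:  denied  { create } for  pid=1581 comm="systemd-timesyn" name="clock" scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959521.999:261): avc:  denied  { write open } for  pid=1581 comm="systemd-timesyn" path="/var/lib/systemd/timesync/clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546959522.000:263): avc:  denied  { read } for  pid=1581 comm="systemd-timesyn" name="links" dev="tmpfs" ino=12926 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546959970.688:269): avc:  denied  { write } for  pid=1581 comm="systemd-timesyn" name="clock" dev="sda2" ino=270753 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
"""

# Fields an allow rule needs: permission set, source/target context, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the parsed fields of one AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['permissive'] = d['permissive'] == '1'
    return d


def type_of(context):
    """user:role:type:level -> type, the only component an allow rule names."""
    return context.split(':')[2]


def suggest_rules(lines):
    """Merge all denials into one 'allow' line per (source type, target type, class)."""
    perms = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        perms[(type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = ' '.join(sorted(ps))
        if len(ps) > 1:
            body = '{ %s }' % body
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return rules


def all_permissive(lines):
    """True when every denial was logged with permissive=1 (the access still went through)."""
    parsed = list(filter(None, map(parse_avc, lines)))
    return bool(parsed) and all(d['permissive'] for d in parsed)


if __name__ == '__main__':
    avc_lines = SAMPLE_AVCS.splitlines()
    print('\n'.join(suggest_rules(avc_lines)))
    print('all denials logged in permissive mode:', all_permissive(avc_lines))
```

The generated rules are a starting point for review, not something to load as-is: as comment 18 notes, a denial against init_var_lib_t on a path that should carry a more specific label is a labeling problem, and the fix belongs in the file contexts rather than in a new allow rule.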
Comment 18 Lukas Vrabec 2019-01-09 12:35:57 UTC
Villy, 

This looks like labeling issue, could you please run:

# restorecon -Rv / 

and then try to reproduce it again? 

Thanks,
Lukas.

Comment 19 Villy Kruse 2019-01-09 14:35:00 UTC
(In reply to Lukas Vrabec from comment #18)
> Villy, 
> 
> This looks like labeling issue, could you please run:
> 
> # restorecon -Rv / 
> 
> and then try to reproduce it again? 
> 
> Thanks,
> Lukas.

restorecon did not relabel anything except
 Relabeled /usr/sbin/e2mmpstatus from system_u:object_r:fsadm_exec_t:s0 to system_u:object_r:bin_t:s0

which is a different issue.

Don't you have any way to test it yourself?  All that is needed is "systemctl start systemd-timesyncd".

Comment 20 Lukas Vrabec 2019-01-10 17:30:43 UTC
commit 1e340794f40830e16753caafb53c8f5349dd7276
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Nov 6 16:14:15 2018 +0100

    Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)

Comment 21 Fedora Update System 2019-01-13 15:44:28 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 22 Fedora Update System 2019-01-14 03:02:47 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 23 Villy Kruse 2019-01-14 09:47:31 UTC
(In reply to Fedora Update System from comment #22)
> selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing
> repository. If problems still persist, please make note of it in this bug
> report.
> See https://fedoraproject.org/wiki/QA:Updates_Testing for
> instructions on how to install test updates.
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61



After updating I don't see any SELinux issues anymore related to timesyncd.

Comment 24 Fedora Update System 2019-01-17 02:16:13 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

