Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-timesyncd from using the 'nnp_transition' accesses on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-timesyncd should be allowed nnp_transition access on processes labeled systemd_timedated_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:systemd_timedated_t:s0
Target Objects                /lib64/ld-linux-x86-64.so.2 [ process2 ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-6.git9f3aed1.fc29.x86_64
Target RPM Packages           glibc-2.28-17.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.17-300.fc29.x86_64 #1 SMP Mon Nov 5 17:56:16 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-13 09:22:34 GMT
Last Seen                     2018-11-13 09:22:34 GMT
Local ID                      9522dcc6-c4be-49fe-b735-10fb9ee75efc

Raw Audit Messages
type=AVC msg=audit(1542100954.972:103): avc: denied { nnp_transition } for pid=1796 comm="(imesyncd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2 permissive=0

type=SYSCALL msg=audit(1542100954.972:103): arch=x86_64 syscall=execve success=yes exit=0 a0=55de3d7d6b10 a1=55de3da303e0 a2=55de3da11760 a3=55de3dab67a0 items=2 ppid=1 pid=1796 auid=4294967295 uid=965 gid=965 euid=965 suid=965 fsuid=965 egid=965 sgid=965 fsgid=965 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:init_t:s0 key=(null)

type=CWD msg=audit(1542100954.972:103): cwd=/

type=PATH msg=audit(1542100954.972:103): item=0 name=/usr/lib/systemd/systemd-timesyncd inode=2987347 dev=00:2b mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_timedated_exec_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

type=PATH msg=audit(1542100954.972:103): item=1 name=/lib64/ld-linux-x86-64.so.2 inode=3107007 dev=00:2b mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: systemd-timesyn,init_t,systemd_timedated_t,process2,nnp_transition

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.18.17-300.fc29.x86_64
type: libreport
----
type=PROCTITLE msg=audit(11/13/2018 11:35:17.933:763) : proctitle=/usr/lib/systemd/systemd-timesyncd
type=PATH msg=audit(11/13/2018 11:35:17.933:763) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25299751 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(11/13/2018 11:35:17.933:763) : item=0 name=/usr/lib/systemd/systemd-timesyncd inode=17046520 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_timedated_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(11/13/2018 11:35:17.933:763) : cwd=/
type=EXECVE msg=audit(11/13/2018 11:35:17.933:763) : argc=1 a0=/usr/lib/systemd/systemd-timesyncd
type=SYSCALL msg=audit(11/13/2018 11:35:17.933:763) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56112d7ed0c0 a1=0x56112d7da850 a2=0x56112d94e910 a3=0x56112d771e10 items=2 ppid=1 pid=1796 auid=unset uid=systemd-timesync gid=systemd-timesync euid=systemd-timesync suid=systemd-timesync fsuid=systemd-timesync egid=systemd-timesync sgid=systemd-timesync fsgid=systemd-timesync tty=(none) ses=unset comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(11/13/2018 11:35:17.933:763) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:systemd_timedated_t:s0
type=AVC msg=audit(11/13/2018 11:35:17.933:763) : avc: denied { nnp_transition } for pid=1796 comm=(imesyncd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2 permissive=0
----
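Added example, not part of this bug report or of selinux-policy: a small parser that pulls the policy-relevant fields out of AVC records in both formats quoted above (the raw epoch form setroubleshoot quotes and the interpreted `ausearch -i` form) and derives the TE allow rule that the suggested audit2allow module would contain, so a reviewer can see exactly which domain transition a local module opens before installing it. The two sample records are copied from this report; the function names and regex are the example's own.

```python
import re

# Two AVC records copied from the bug report: raw (epoch) form first,
# then the form printed by `ausearch -i`.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1542100954.972:103): avc: denied { nnp_transition } for pid=1796 '
    'comm="(imesyncd)" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2 permissive=0',
    'type=AVC msg=audit(11/13/2018 11:35:17.933:763) : avc: denied { nnp_transition } '
    'for pid=1796 comm=(imesyncd) scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:systemd_timedated_t:s0 tclass=process2 permissive=0',
]

# Matches the decision, the permission set in braces and the three context fields;
# the regex deliberately ignores the timestamp, so both audit formats parse the same way.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(record):
    """Return the policy-relevant fields of one AVC record, or None for other record types."""
    if 'type=AVC' not in record:
        return None
    m = AVC_RE.search(record)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    # An SELinux context is user:role:type:level; the type is what a TE rule names.
    d['source_type'] = d['scontext'].split(':')[2]
    d['target_type'] = d['tcontext'].split(':')[2]
    return d


def allow_rules(records):
    """Derive deduplicated TE allow rules for every denial in the given records."""
    rules = []
    for rec in records:
        d = parse_avc(rec)
        if d is None or d['result'] != 'denied':
            continue
        perms = sorted(d['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rule = f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perm_str};"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_RECORDS):
        print(rule)
```

Both records reduce to the single rule `allow init_t systemd_timedated_t:process2 nnp_transition;`, which is the transition the later policy update grants through systemd_domain_template rather than via a per-host local module.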
Confirmed, we see that in our Cockpit tests as well. E.g. https://fedorapeople.org/groups/cockpit/logs/pull-10569-20181115-113838-33ff7e65-verify-fedora-29/log.html#139
Description of problem:
start systemd-timesyncd
wait for time sync

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.19.4-300.fc29.x86_64
type: libreport
Additional: search and getattr /var/lib/systemd/ read symlinks
Created attachment 1509797: te file from ausearch
Description of problem:
occurs on boot, with systemd-timesyncd enabled

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.19.5-300.fc29.x86_64
type: libreport
Description of problem:
1. Add user to jackuser group.
2. Logout
3. Login
4. Reboot to GUI
5. Login via SDDM
6. Look at plasma panel
7. SELinux Troubleshooter is shown.

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.19.5-300.fc29.x86_64
type: libreport
Easiest is to configure systemd-networkd, systemd-resolved and systemd-timesyncd and then add nnp_transition as allowed via module. Set systemd_timedated_t as permissive, then reboot and then run the script:

# cat tst.sh
set -x
systemctl restart systemd-timesyncd
sleep 1
timedatectl show
timedatectl set-local-rtc true
sleep 1
timedatectl set-local-rtc false
sleep 1
timedatectl show-timesync
timedatectl timesync-status
timedatectl status
timedatectl list-timezones | wc -l
timedatectl set-ntp false
sleep 1
timedatectl set-time "$(date +"%F %T")"
sleep 1
timedatectl set-ntp true
sleep 1
timedatectl

As far as I can see it uses the following files:

drwxr-xr-x. 6 root root system_u:object_r:init_var_lib_t:s0 4096 6.12. 21:58 /var/lib/systemd
drwxr-xr-x. 2 systemd-timesync systemd-timesync system_u:object_r:init_var_lib_t:s0 4096 6.12. 21:58 /var/lib/systemd/timesync
-rw-r--r--. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_lib_t:s0 0 6.12. 22:19 /var/lib/systemd/timesync/clock
drwxr-xr-x. 2 systemd-timesync systemd-timesync system_u:object_r:init_var_run_t:s0 60 6.12. 22:15 /run/systemd/timesync
-rw-r--r--. 1 systemd-timesync systemd-timesync system_u:object_r:init_var_run_t:s0 0 6.12. 22:19 /run/systemd/timesync/synchronized
drwxr-xr-x. 2 root root system_u:object_r:system_dbusd_var_run_t:s0 60 6.12. 22:15 /run/dbus
srw-rw-rw-. 1 root root system_u:object_r:system_dbusd_var_run_t:s0 0 6.12. 22:15 /run/dbus/system_bus_socket
drwxr-xr-x. 2 systemd-network systemd-network system_u:object_r:systemd_networkd_var_run_t:s0 120 6.12. 22:15 /run/systemd/netif/links
-rw-r--r--. 1 systemd-network systemd-network system_u:object_r:systemd_networkd_var_run_t:s0 58 6.12. 22:15 /run/systemd/netif/state

At least F29 is not currently in sync with upstream selinux: selinux-policy-3.14.2-42.fc29.noarch, as there are systemd_timedated_t updates there, but I think not as fully as one would expect. #1646202
commit 440aa9b19a0c679e383c91d9559b502410945636 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 14:39:05 2018 +0100

    Update systemd_domain_template to allow every system execute system services with system security features
    BZ(1649257)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.