Bug 1694272 - SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the file unix.
Summary: SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b0a4f7c1e48766d94ad1f9fe071...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-30 00:35 UTC by Tim Hughes
Modified: 2020-04-29 11:51 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.2-60.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-17 23:33:13 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Tim Hughes 2019-03-30 00:35:16 UTC 
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the file unix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-timesyncd should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:systemd_timedated_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-12.git8bca462.fc29.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.0.3-200.fc29.x86_64 #1 SMP Tue
                              Mar 19 15:07:58 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-30 00:33:32 GMT
Last Seen                     2019-03-30 00:33:32 GMT
Local ID                      ff24c6d6-283f-4fad-8a31-9a58e6451e5b

Raw Audit Messages
type=AVC msg=audit(1553906012.185:27710): avc:  denied  { read } for  pid=1252 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532072 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1553906012.185:27710): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffd4fedd000 a1=4 a2=8 a3=31 items=1 ppid=1 pid=1252 auid=4294967295 uid=965 gid=965 euid=965 suid=965 fsuid=965 egid=965 sgid=965 fsgid=965 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null)

Hash: systemd-timesyn,systemd_timedated_t,proc_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.2-51.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.3-200.fc29.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2019-04-01 08:41:30 UTC 
Thank you for reporting the issue.

Can you specify the reproducing steps? At which point the AVC denial appears? Is there any other ntp daemon (ntpd, chrony) running?

Please enable full path auditing, make the domain permissive and restart the service:

auditctl -w /etc/shadow -p w -k shadow-write
semanage permissive -a systemd_timedated_t
systemctl restart systemd-timesyncd

Then collect the audit logs again. You can change the settings back:

auditctl -W /etc/shadow -p w -k shadow-write
semanage permissive -d systemd_timedated_t
Comment 2 Tim Hughes 2019-05-09 09:47:49 UTC 
I have enabled the full path auditing. It happens at random times.


It appears that `chrony` was running but when i restarted systemd-timesyncd i think it stopped it.
[root@argon ~]# ps aux |grep chrony
chrony    1148  0.0  0.0  80612  3312 ?        S    May08   0:00 /usr/sbin/chronyd
root     18324  0.0  0.0 215748   832 pts/3    S+   10:37   0:00 grep --color=auto chron

[root@argon ~]# systemctl restart systemd-timesyncd
[root@argon ~]# ps aux |grep chron
root     16920  0.0  0.0 215748   836 pts/3    S+   10:39   0:00 grep --color=auto chron
Comment 5 Zdenek Pytela 2019-05-20 13:29:57 UTC 
Created a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/264
Comment 6 Lukas Vrabec 2019-05-20 13:40:28 UTC 
commit a67c849e33c8ccd31537d7b33f80d76a4945b587 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon May 20 15:26:45 2019 +0200

    Allow systemd-timesyncd to read network state BZ(1694272)
Comment 7 Fedora Update System 2019-05-31 08:47:39 UTC 
FEDORA-2019-04b9c67922 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
Comment 8 Fedora Update System 2019-06-01 18:54:47 UTC 
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
Comment 9 Fedora Update System 2019-06-17 23:33:13 UTC 
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.