Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the file unix.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that systemd-timesyncd should be allowed read access on the unix file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-timesyn' --raw | audit2allow -M my-systemdtimesyn
# semodule -X 300 -i my-systemdtimesyn.pp

Additional Information:
Source Context                system_u:system_r:systemd_timedated_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        systemd-timesyn
Source Path                   /usr/lib/systemd/systemd-timesyncd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-239-12.git8bca462.fc29.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.0.3-200.fc29.x86_64 #1 SMP Tue Mar 19 15:07:58 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-30 00:33:32 GMT
Last Seen                     2019-03-30 00:33:32 GMT
Local ID                      ff24c6d6-283f-4fad-8a31-9a58e6451e5b

Raw Audit Messages
type=AVC msg=audit(1553906012.185:27710): avc:  denied  { read } for  pid=1252 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532072 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1553906012.185:27710): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffd4fedd000 a1=4 a2=8 a3=31 items=1 ppid=1 pid=1252 auid=4294967295 uid=965 gid=965 euid=965 suid=965 fsuid=965 egid=965 sgid=965 fsgid=965 tty=(none) ses=4294967295 comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd subj=system_u:system_r:systemd_timedated_t:s0 key=(null)

Hash: systemd-timesyn,systemd_timedated_t,proc_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.2-51.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.3-200.fc29.x86_64
type:           libreport
Thank you for reporting the issue. Can you specify the reproducing steps? At which point does the AVC denial appear? Is there any other NTP daemon (ntpd, chrony) running?

Please enable full path auditing, make the domain permissive and restart the service:

  auditctl -w /etc/shadow -p w -k shadow-write
  semanage permissive -a systemd_timedated_t
  systemctl restart systemd-timesyncd

Then collect the audit logs again. You can change the settings back:

  auditctl -W /etc/shadow -p w -k shadow-write
  semanage permissive -d systemd_timedated_t
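The report's setroubleshoot output suggests piping `ausearch --raw` into `audit2allow -M`, and the comment above asks for the domain to be made permissive first. The two are connected: in enforcing mode the kernel logs only the first denial on a code path (here `read`), so a module built from that single record may be incomplete; with the domain permissive, the full set of accesses is recorded (`permissive=1`) and can be aggregated. The following added example, not part of this bug report or of the selinux-policy project, parses raw AVC records into the per-type-pair permission sets that `audit2allow` works from and renders them as a `.te` module in the same style. The input is constructed: the first AVC line is copied from the report, the second (an `open` denial with `permissive=1`) is hypothetical and stands in for what a permissive-mode run might add.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Line 1 is the AVC record from the report;
# line 3 is a hypothetical follow-on record as it would look once the
# domain is permissive (note permissive=1).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1553906012.185:27710): avc:  denied  { read } for  pid=1252 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532072 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1553906012.185:27710): arch=x86_64 syscall=access success=no exit=EACCES comm=systemd-timesyn exe=/usr/lib/systemd/systemd-timesyncd
type=AVC msg=audit(1553906100.001:27800): avc:  denied  { open } for  pid=1252 comm="systemd-timesyn" name="unix" dev="proc" ino=4026532072 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

# Fields audit2allow needs: the denied permission set, both security
# contexts, the object class, and whether the domain was permissive.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """user:role:type:level -> type  (third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "permissive": m["permissive"] == "1",
        })
    return records


def only_enforcing(records):
    """True when every record came from an enforcing domain: only the first
    denial per code path was logged, so the resulting module may be incomplete."""
    return bool(records) and not any(r["permissive"] for r in records)


def summarize(records):
    """Aggregate permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return rules


def render_te(rules, module="my-systemdtimesyn", version="1.0"):
    """Render a policy module source (.te) in the style of `audit2allow -M`."""
    types = sorted({t for stype, ttype, _ in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        out.append(f"allow {stype} {ttype}:{cls} {perm_str};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    if only_enforcing(recs):
        print("# warning: all records are from enforcing mode; rerun with the domain permissive")
    print(render_te(summarize(recs)), end="")
```

Running it on the constructed log yields a single rule, `allow systemd_timedated_t proc_net_t:file { open read };`, which is the local workaround the report's plugin describes. It grants exactly the observed access and nothing else; the proper fix is the one the maintainer lands in the distribution policy below, after which the local module should be removed (`semodule -r my-systemdtimesyn`).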
I have enabled the full path auditing. It happens at random times. It appears that `chrony` was running, but when I restarted systemd-timesyncd I think it stopped it.

[root@argon ~]# ps aux |grep chrony
chrony    1148  0.0  0.0  80612  3312 ?        S    May08   0:00 /usr/sbin/chronyd
root     18324  0.0  0.0 215748   832 pts/3    S+   10:37   0:00 grep --color=auto chron
[root@argon ~]# systemctl restart systemd-timesyncd
[root@argon ~]# ps aux |grep chron
root     16920  0.0  0.0 215748   836 pts/3    S+   10:39   0:00 grep --color=auto chron
Created a PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/264
commit a67c849e33c8ccd31537d7b33f80d76a4945b587 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon May 20 15:26:45 2019 +0200

    Allow systemd-timesyncd to read network state

    BZ(1694272)
FEDORA-2019-04b9c67922 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.