Description of problem:
* the service is shipped but it is not confined

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-9.el8.noarch
selinux-policy-targeted-3.14.3-9.el8.noarch
timedatex-0.5-3.el8.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-8.1 machine (targeted policy is active)

# service timedatex status
Redirecting to /bin/systemctl status timedatex.service
● timedatex.service - System clock and RTC settings service
   Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled)
   Active: inactive (dead)

# service timedatex start
Redirecting to /bin/systemctl start timedatex.service

# service timedatex status
Redirecting to /bin/systemctl status timedatex.service
● timedatex.service - System clock and RTC settings service
   Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-16 03:34:42 EDT; 1s ago
 Main PID: 1702 (timedatex)
    Tasks: 4 (limit: 11518)
   Memory: 1.3M
   CGroup: /system.slice/timedatex.service
           └─1702 /usr/sbin/timedatex

Jul 16 03:34:42 intentionally-removed systemd[1]: ...
Jul 16 03:34:42 intentionally-removed systemd[1]: ...
Hint: Some lines were ellipsized, use -l to show in full.

# ps -efZ | grep time
system_u:system_r:unconfined_service_t:s0       root   1702      1  0 03:34 ?        00:00:00 /usr/sbin/timedatex
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1718 1241  0 03:34 pts/0    00:00:00 grep --color=auto time
#

Actual results:
* the timedatex service is not confined

Expected results:
* the timedatex service is confined
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/124
The following SELinux denials were found on Fedora 31 machines during yesterday's testing session with interns:

----
type=USER_AVC msg=audit(09/18/2019 03:01:38.324:319) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(09/18/2019 03:01:38.828:321) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:systemd_timedated_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(09/18/2019 03:01:38.829:322) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/chronyd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
During the same session we prepared the following policy module, which solves the issue:

# cat mypolicy.te
policy_module(mypolicy, 1.0)

require {
	type timedatex_t;
	type systemd_timedated_unit_file_t;
	class service status;
}

#============= timedatex_t ==============
allow timedatex_t systemd_timedated_unit_file_t:service status;
chronyd_systemctl(timedatex_t)
init_status(timedatex_t)
#

No SELinux denials appear after loading this policy module.
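The step between the two comments above (reading the USER_AVC records and turning them into a .te module) as an added example, not code from this bug report, from the reporters, or from selinux-policy: a small Python parser that extracts the source type, target type, class and denied permissions from each AVC/USER_AVC record, merges them per (source, target, class) the way audit2allow does, and renders the raw allow rules together with a require block. The three records in SAMPLE_AUDIT_LOG are constructed copies of the denials posted above. It emits raw allow rules only; the posted module instead uses the policy interfaces chronyd_systemctl() and init_status() where they exist, which is the form a contribution to selinux-policy should take.

```python
"""Parse SELinux AVC/USER_AVC denial records and render candidate allow rules.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input: copies of the three USER_AVC records from the report.
SAMPLE_AUDIT_LOG = r"""
type=USER_AVC msg=audit(09/18/2019 03:01:38.324:319) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(09/18/2019 03:01:38.828:321) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:systemd_timedated_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(09/18/2019 03:01:38.829:322) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/chronyd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

# Matches the AVC body: verdict, permission set, and the three context fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for one denial record, or None for granted/unrelated lines."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    pm = re.search(r"permissive=(\d)", line)
    return {
        "stype": stype,
        "ttype": ttype,
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
        # permissive=1 means the access was actually allowed and only logged
        "permissive": pm is not None and pm.group(1) == "1",
    }


def parse_audit_log(text):
    """Parse every line of an audit log excerpt; non-denial lines are skipped."""
    return [rec for rec in (parse_avc(l) for l in text.splitlines()) if rec]


def _perm_set(perms):
    """Render a permission set in .te syntax: one bare perm or a braced list."""
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"


def allow_rules(records):
    """Collapse denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {_perm_set(p)};" for (s, t, c), p in sorted(merged.items())]


def te_module(name, records):
    """Render a minimal .te file: policy_module header, require block, allow rules."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes = defaultdict(set)
    for r in records:
        classes[r["tclass"]].update(r["perms"])
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(te_module("mypolicy", parse_audit_log(SAMPLE_AUDIT_LOG)), end="")
```

Run against the three sample records it prints a module with `allow timedatex_t init_t:system status;` and one `service status` rule each for chronyd_unit_file_t and systemd_timedated_unit_file_t; the posted module covers the first and last of these via init_status(timedatex_t) and chronyd_systemctl(timedatex_t). Records with permissive=1 are parsed too, so the same tool works on a domain that has been put in permissive mode to collect a full denial set before writing the policy.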
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1773