Bug 1734197 - SELinux denial "denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus" prevents timedatex.service from starting in current Rawhide
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: openqa
Depends On:
Blocks: BetaBlocker, F31BetaBlocker
 
Reported: 2019-07-29 23:32 UTC by Adam Williamson
Modified: 2019-08-16 21:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-16 21:11:48 UTC



Description Adam Williamson 2019-07-29 23:32:07 UTC
In current Fedora Rawhide (Fedora-Rawhide-20190729.n.0), it seems an SELinux denial prevents timedatex.service from starting on a freshly-installed Workstation system:

Jul 29 16:01:55 localhost-live audit[837]: USER_AVC pid=837 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Jul 29 16:01:55 localhost-live timedatex[1370]: Failed to create org.freedesktop.systemd1 proxy: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Failed with result 'exit-code'.

This happens to be a major issue because gnome-initial-setup then crashes because timedatex isn't running. I'm filing that as a separate bug, but will propose both as release blockers per "A system installed with a release-blocking desktop must boot to a log in screen where it is possible to log in to a working desktop using a user account created during installation or a 'first boot' utility" - these bugs mean that Workstation live installs just boot to a broken state where g-i-s has crashed and you can't interact with the system at all.

Comment 1 Adam Williamson 2019-07-29 23:36:51 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1734198 is the g-i-s bug, for the record.

Comment 2 Adam Williamson 2019-07-29 23:41:04 UTC
Confirmed that setting SELinux to permissive and rebooting (which you can only do if you hack in a root password for the installed system after installing it...) results in g-i-s running OK.

Comment 3 Adam Williamson 2019-07-29 23:41:57 UTC
Full list of denials from that boot:

[root@localhost-live ~]# ausearch -m avc -ts recent
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:209): avc:  denied  { read } for  pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:210): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:211): avc:  denied  { getattr } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:212): avc:  denied  { read } for  pid=1321 comm="timedatex" name="rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:213): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:214): avc:  denied  { ioctl } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1

Comment 4 nknazeko 2019-07-31 12:08:37 UTC
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/129

Comment 5 Lukas Vrabec 2019-07-31 15:35:58 UTC
PR merged.

Comment 6 Adam Williamson 2019-08-06 22:57:52 UTC
Should be MODIFIED since 3.14.4-27 I believe.

Comment 7 Adam Williamson 2019-08-08 15:58:51 UTC
Unfortunately this still seems to be broken in current Rawhide. Will recreate manually later, but from openQA audit.log I can see a bunch of AVCs:

var/log/audit/audit.log:type=USER_AVC msg=audit(1565259535.281:182): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.329:196): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.331:197): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:201): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.348:202): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.357:203): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.593:206): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.615:208): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259567.506:210): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

Comment 8 Adam Williamson 2019-08-13 15:57:28 UTC
Ping? This is still happening and still breaking all Workstation tests. It is kind of a big problem. Thanks.

Comment 9 Lukas Vrabec 2019-08-13 16:39:09 UTC
commit c55a896148db8d2b16ef06149399a6c6b110d8b5 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Aug 13 18:36:14 2019 +0200

    Update timedatex policy BZ(1734197)
    
    Added more allow rules for dbus communication with more services
    (policykit_t, init_t).


Also creating a new build. Sorry for the noise (again and again :) )
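The denials quoted in the description, comment 3 and comment 7, and the allow rules the commit above adds in response, are the two halves of one routine: read the AVC / USER_AVC records, group the denied permissions per source type, target type and object class, and turn each group into a policy rule. The script below is an added example (not code from this bug, from timedatex or from the selinux-policy project) that does exactly that for audit lines of the shape quoted here; the sample log is constructed to mirror those lines, and the rule rendering follows the audit2allow style rather than calling audit2allow itself. It also separates denials logged with permissive=0, which actually blocked the access and broke the service, from those logged with permissive=1, which were only recorded.

```python
"""Summarise SELinux AVC / USER_AVC denials and render the allow rules they imply.

Added example, not part of the Bugzilla report or the selinux-policy project.
"""
import re
from collections import defaultdict

# Constructed sample audit lines, modelled on the denials quoted in this bug.
# A non-AVC record is included to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_START msg=audit(1565259541.400:199): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=timedatex comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1564443622.335:209): avc:  denied  { read } for  pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.335:210): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.352:214): avc:  denied  { ioctl } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
"""

# Matches the avc payload of both kernel AVC records and dbus-broker USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it carries no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "kind": "USER_AVC" if "type=USER_AVC" in line else "AVC",
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the denial was only logged and the access went ahead;
        # anything else (0 or absent) means it was enforced.
        "enforced": m.group("permissive") != "1",
    }


def parse_audit_log(text):
    """Parse every line of an audit log dump, keeping only AVC records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def blocking_denials(records):
    """Denials that actually stopped the access, i.e. the ones that break services."""
    return [r for r in records if r["verdict"] == "denied" and r["enforced"]]


def summarize_denials(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            summary[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as policy allow rules in audit2allow style, sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} AVC records, {len(blocking_denials(recs))} enforced denials")
    for rule in allow_rules(summarize_denials(recs)):
        print(rule)
```

Run against a real dump (`ausearch -m avc,user_avc -ts recent`), the enforced subset is what to look at first when a service fails with AccessDenied; the rendered rules are a starting point for reading the existing policy interfaces, not something to load as-is, since a type-to-type `allow` is broader than the interface-based rules the policy project merges.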

Comment 10 Ben Cotton 2019-08-13 16:47:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 11 Adam Williamson 2019-08-16 21:11:48 UTC
This looks good in the recent Rawhide compose, see e.g. https://openqa.fedoraproject.org/tests/432379 - g-i-s runs. The matching f31 build is tagged stable, so even though we haven't had a Branched compose yet I think we can close this. Thanks.

