In current Fedora Rawhide (Fedora-Rawhide-20190729.n.0), it seems an SELinux denial prevents timedatex.service from starting on a freshly-installed Workstation system:

Jul 29 16:01:55 localhost-live audit[837]: USER_AVC pid=837 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Jul 29 16:01:55 localhost-live timedatex[1370]: Failed to create org.freedesktop.systemd1 proxy: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Failed with result 'exit-code'.

This happens to be a major issue because gnome-initial-setup then crashes because timedatex isn't running. I'm filing that as a separate bug, but will propose both as release blockers per "A system installed with a release-blocking desktop must boot to a log in screen where it is possible to log in to a working desktop using a user account created during installation or a 'first boot' utility" - these bugs mean that Workstation live installs just boot to a broken state where g-i-s has crashed and you can't interact with the system at all.
https://bugzilla.redhat.com/show_bug.cgi?id=1734198 is the g-i-s bug, for the record.
Confirmed that setting SELinux to permissive and rebooting (which you can only do if you hack in a root password for the installed system after installing it...) results in g-i-s running OK.
Full list of denials from that boot:

[root@localhost-live ~]# ausearch -m avc -ts recent
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:209): avc: denied { read } for pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:210): avc: denied { open } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:211): avc: denied { getattr } for pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:212): avc: denied { read } for pid=1321 comm="timedatex" name="rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:213): avc: denied { open } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:214): avc: denied { ioctl } for pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/129
PR merged.
Should be MODIFIED since 3.14.4-27 I believe.
Unfortunately this still seems to be broken in current Rawhide. Will recreate manually later, but from openQA audit.log I can see a bunch of AVCs:

var/log/audit/audit.log:type=USER_AVC msg=audit(1565259535.281:182): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.329:196): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.331:197): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:201): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.348:202): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.357:203): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.593:206): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.615:208): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259567.506:210): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Ping? This is still happening and still breaking all Workstation tests. It is kind of a big problem. Thanks.
commit c55a896148db8d2b16ef06149399a6c6b110d8b5 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 13 18:36:14 2019 +0200

    Update timedatex policy BZ(1734197)
    Added more allow rules for dbus communication with more services (policykit_t, init_t).

Creating also new build. Sorry for noise (again and again :) )
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
This looks good in the recent Rawhide compose, see e.g. https://openqa.fedoraproject.org/tests/432379 - g-i-s runs. The matching f31 build is tagged stable, so even though we haven't had a Branched compose yet I think we can close this. Thanks.
Fedora 32 - still an issue. Perhaps caused by something else (hard to tell):

audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=s> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.14.5-43.fc32.noarch
selinux-policy-3.14.5-43.fc32.noarch
selinux-policy-minimum-3.14.5-43.fc32.noarch
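
Added example, not part of the bug report or of the selinux-policy project: a Python triage script that groups AVC and USER_AVC records like those quoted in this thread by source type, target type and class, and counts records whose contexts were cut off in journal output (as in the Fedora 32 comment) instead of guessing at them. The sample records are abbreviated from the thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Kernel AVC and D-Bus USER_AVC records share this "avc: denied {...} for ..." body.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def selinux_type(context):
    """Type field of user:role:type[:mls-range]; None if the context is cut short."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(lines):
    """Return ({(source, target, class): perms}, count of unparseable denials)."""
    rules, skipped = defaultdict(set), 0
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue
        m = AVC_RE.search(line)
        src = selinux_type(m["scon"]) if m else None
        tgt = selinux_type(m["tcon"]) if m else None
        if src and tgt:
            rules[(src, tgt, m["tclass"])].update(m["perms"].split())
        else:
            skipped += 1  # e.g. journal output truncated at "scontext=s>"
    return dict(rules), skipped

def as_allow_rules(rules):
    """Render the groups in audit2allow-style syntax, for review only."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

# Sample records abbreviated from those quoted in this thread (pid/uid/exe fields dropped).
T, D = "system_u:system_r:timedatex_t:s0", "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023"
SAMPLE = [
    f'type=AVC avc: denied {{ read }} for pid=1321 comm="timedatex" name="adjtime" scontext={T} tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1',
    f'type=AVC avc: denied {{ open }} for pid=1321 comm="timedatex" path="/etc/adjtime" scontext={T} tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1',
    f"type=USER_AVC subj={D} msg='avc: denied {{ send_msg }} for scontext={T} tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0'",
    f"type=USER_AVC subj={D} msg='avc: denied {{ send_msg }} for scontext={T} tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0'",
    f"type=USER_AVC subj={D} msg='avc: denied {{ acquire_svc }} for scontext={T} tcontext={D} tclass=dbus permissive=0'",
    f"type=USER_AVC subj={D} msg='avc: denied {{ send_msg }} for scontext=system_u:system_r:init_t:s0 tcontext={T} tclass=dbus permissive=0'",
    "audit[1346]: USER_AVC msg='avc: denied { send_msg } for scontext=s> exe=\"/usr/bin/dbus-broker\"'",
]
if __name__ == "__main__":
    print(*as_allow_rules(summarize(SAMPLE)[0]), sep="\n")
```

The grouped output is a reading aid for deciding which domains need D-Bus access to each other; it is not the policy change that was merged for this bug.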