Description of problem:
SELinux is preventing timedatex from 'write' accesses on the directory /etc.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow timedatex to have write access on the etc directory
Then you need to change the label on /etc
Do
# semanage fcontext -a -t FILE_TYPE '/etc'
where FILE_TYPE is one of the following: mnt_t.
Then execute:
restorecon -v '/etc'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that timedatex should be allowed write access on the etc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'timedatex' --raw | audit2allow -M my-timedatex
# semodule -X 300 -i my-timedatex.pp

Additional Information:
Source Context                system_u:system_r:timedatex_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc [ dir ]
Source                        timedatex
Source Path                   timedatex
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.12-2.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-31.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.0-0.rc6.git0.1.fc31.x86_64 #1 SMP Mon Aug 26 13:01:25 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-09-17 13:00:05 EDT
Last Seen                     2019-09-18 09:09:40 EDT
Local ID                      4d29bb9b-f204-42c4-bb07-7eea1bfb02ba

Raw Audit Messages
type=AVC msg=audit(1568812180.438:355): avc: denied { write } for pid=5284 comm="timedatex" name="etc" dev="dm-1" ino=201326689 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Hash: timedatex,timedatex_t,etc_t,dir,write

Version-Release number of selected component:
selinux-policy-3.14.4-31.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.0-0.rc6.git0.1.fc31.x86_64
type:           libreport
Hi Stephen,

Please create the file local.te (#vim local.te or #nano local.te) where you copy this:

policy_module(local, 1.0)

require {
        type timedatex_t;
        class netlink_audit_socket { create nlmsg_relay };
        class capability sys_time;
}

#============= timedatex_t ==============
allow timedatex_t self:capability sys_time;
allow timedatex_t self:netlink_audit_socket { create nlmsg_relay };
corenet_tcp_connect_time_port(timedatex_t)
clock_exec(timedatex_t)
clock_rw_adjtime(timedatex_t)
clock_domtrans(timedatex_t)
dev_rw_realtime_clock(timedatex_t)
miscfiles_manage_localization(timedatex_t)
miscfiles_relabel_localization(timedatex_t)
selinux_set_enforce_mode(timedatex_t)
selinux_validate_context(timedatex_t)
seutil_read_file_contexts(timedatex_t)
seutil_search_default_contexts(timedatex_t)
unconfined_dbus_chat(timedatex_t)

Then you must compile this file; please run this in the dir where you have local.te:
#make -f /usr/share/selinux/devel/Makefile local.pp

and finally load the module into the kernel; please use:
#sudo semodule -i local.pp

It should work now for you. Or do you have any other AVCs with timedatex_t?

Thanks,
Patrik
I have quite a few; I only reported the one because I was distracted:

type=USER_AVC msg=audit(1569255381.558:281): pid=1331 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=1963 tpid=1329 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255402.034:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255402.055:313): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255402.056:314): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255402.057:315): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-timesyncd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:systemd_timedated_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255402.060:317): pid=1331 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.274 spid=2766 tpid=2383 scontext=system_u:system_r:timedatex_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1569255428.229:326): pid=1331 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.274 spid=2766 tpid=2383 scontext=system_u:system_r:timedatex_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

This is a system that has been upgraded at Beta using `dnf system-upgrade` since at least Fedora 27.
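An added example (not from this bug or the selinux-policy project) that parses the kind of AVC and USER_AVC records quoted above and groups them by the same comm,source-type,target-type,class,permission key that setroubleshoot prints as Hash:. The two sample records are constructed, shortened copies of records from this report; filtering on the timedatex_t source domain picks out exactly the denials a local policy module would have to cover.

```python
import re
from collections import Counter

# Constructed sample records (shortened from this report): a kernel AVC and a USER_AVC from systemd.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1568812180.438:355): avc: denied { write } for pid=5284 '
    'comm="timedatex" name="etc" dev="dm-1" ino=201326689 '
    'scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=dir permissive=0',
    "type=USER_AVC msg=audit(1569255402.055:313): pid=1 uid=0 auid=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 "
    'gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" '
    "scontext=system_u:system_r:timedatex_t:s0 "
    "tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0 "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def context_type(ctx):  # user:role:type[:range] -> type; MLS ranges (s0-s0:c0.c1023) are fine
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else "?"

def parse_avc(record):
    """Parse one AVC or USER_AVC record into its denial fields; None if not an AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # Kernel AVCs carry comm=; USER_AVCs from dbus-daemon/systemd carry cmdline= or
    # nothing at all, so a search keyed on comm alone would not see them.
    comm = fields.get("comm") or fields.get("cmdline", "?").rsplit("/", 1)[-1]
    return {"comm": comm, "perms": m.group("perms").split(),
            "stype": context_type(fields.get("scontext", "")),
            "ttype": context_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"), "permissive": fields.get("permissive") == "1"}

def denial_hash(d):
    """setroubleshoot-style key: comm,source type,target type,tclass,perms."""
    return ",".join([d["comm"], d["stype"], d["ttype"], d["tclass"], " ".join(d["perms"])])

def summarize(records, source_type=None):
    """Count distinct denials, optionally only those from one source domain."""
    counts = Counter()
    for rec in records:
        d = parse_avc(rec)
        if d and (source_type is None or d["stype"] == source_type):
            counts[denial_hash(d)] += 1
    return counts
```

Feed it the output of `ausearch -m AVC,USER_AVC --raw` to see every denial the kernel and the userspace object managers recorded, not only the ones that mention timedatex in comm.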
Hi Stephen,

Please ignore comment 1, I wrote some unnecessary things. Here it's right.

Please create the file mytimedatex.te where you copy this:

$cat mytimedatex.te
policy_module(mytimedatex, 1.0)

require {
        type timedatex_t;
        class capability sys_time;
}

#============= timedatex_t ==============
allow timedatex_t self:capability sys_time;
corenet_tcp_connect_time_port(timedatex_t)
clock_exec(timedatex_t)
clock_rw_adjtime(timedatex_t)
clock_domtrans(timedatex_t)
dev_rw_realtime_clock(timedatex_t)
miscfiles_manage_localization(timedatex_t)
miscfiles_relabel_localization(timedatex_t)

You have to install selinux-policy-devel if you don't have it installed on your system. Then you compile this file; please run this in the dir where you have mytimedatex.te:
$make -f /usr/share/selinux/devel/Makefile mytimedatex.pp

and finally load the module into the kernel; please use:
#semodule -i mytimedatex.pp

It should work now for you. Or do you have any other AVCs with timedatex_t?

Thanks,
Patrik
Some of these AVCs, which you sent before, are solved in the latest build for F31. Try updating the packages:

# dnf install -y https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.14.4/35.fc31/noarch/selinux-policy-targeted-3.14.4-35.fc31.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.14.4/35.fc31/noarch/selinux-policy-devel-3.14.4-35.fc31.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.14.4/35.fc31/noarch/selinux-policy-3.14.4-35.fc31.noarch.rpm
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.