Bug 1766148 - Confined users get the timezone
Summary: Confined users get the timezone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: nknazeko
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779
Reported: 2019-10-28 12:41 UTC by Lukas Vrabec
Modified: 2019-12-11 01:32 UTC

Fixed In Version: selinux-policy-3.14.3-53.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-11 01:32:16 UTC
Type: Bug



Description Lukas Vrabec 2019-10-28 12:41:56 UTC
Description of problem:
Confined users (in my case staff_u) cannot get the timezone on the system using the command "timedatectl"

Version-Release number of selected component (if applicable):
$ rpm -q selinux-policy
selinux-policy-3.14.3-51.fc30.noarch


How reproducible:
Always


Steps to Reproduce:
1.
$ id -Z 
staff_u:staff_r:staff_t:s0:c0.c1023

2.
$ timedatectl


Actual results:

$ timedatectl
Failed to query server: Access denied

Expected results:

$ timedatectl 
               Local time: Mon 2019-10-28 13:36:25 CET
           Universal time: Mon 2019-10-28 12:36:25 UTC
                 RTC time: Mon 2019-10-28 12:36:26
                Time zone: Europe/Prague (CET, +0100)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no



Additional info:

time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.536:2283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.538:2284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.538:2285): pid=1219 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Oct 28 13:37:59 2019
type=USER_AVC msg=audit(1572266279.541:2287): pid=1219 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
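
Added example (not part of the original report and not code from the selinux-policy project): a short Python triage of the four USER_AVC records above. It groups denials by source type, target type and class, and picks out those whose source is one of the x_userdomain types listed in Comment 2. The function names and the trimmed sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four USER_AVC records from the report, trimmed to the
# msg='avc: ...' payload that the parser reads.
SAMPLE = """\
type=USER_AVC msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0'
type=USER_AVC msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0'
type=USER_AVC msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0'
type=USER_AVC msg='avc:  denied  { send_msg } for  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0'
"""

# Types carried by the x_userdomain attribute, as listed in Comment 2.
X_USERDOMAIN = {"staff_t", "sysadm_t", "user_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """user:role:type:level[:categories] -> the type is always the third field."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> permissions denied and hit count."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key]["perms"].update(m["perms"].split())
            rules[key]["count"] += 1
    return dict(rules)

def user_facing(rules):
    """Denials raised against the confined user's own domain, not the daemon's."""
    return sorted(k for k in rules if k[0] in X_USERDOMAIN)

def as_rules(rules):
    """Render each group in allow-rule syntax for review (not for blind loading)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};  # seen {v['count']}x"
            for (s, t, c), v in sorted(rules.items())]

if __name__ == "__main__":
    grouped = summarize(SAMPLE)
    print("\n".join(as_rules(grouped)))
    print("user-facing:", user_facing(grouped))
```

The staff_t to timedatex_t dbus send_msg group is the one the "dbus_chat" commits in Comment 2 describe; the two timedatex_t status denials come from the daemon's own domain.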

Comment 1 nknazeko 2019-11-01 17:23:02 UTC
PR for Fedora:
Added macro for timedatex to chat over dbus
https://github.com/fedora-selinux/selinux-policy-contrib/pull/160

Allow x_userdomain to dbus_chat with timedatex
https://github.com/fedora-selinux/selinux-policy/pull/291

Update timedatex SELinux policy to synchronize time with GNOME
https://github.com/fedora-selinux/selinux-policy-contrib/pull/138

Comment 2 Lukas Vrabec 2019-11-04 14:51:28 UTC
PRs merged.

commit 02d05118d9915dc9b3f7564b9de92de72f44a9d3 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko@redhat.com>
Date:   Fri Nov 1 17:07:29 2019 +0100

    Added macro for timedatex to chat over dbus.
    
    Send and receive messages from timedatex over dbus.
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1766148

commit 56ac3f0ca28d656d7fc1e22f4f71782de978a75d (HEAD -> rawhide, origin/rawhide)
Author: Nikola Knazekova <nknazeko@redhat.com>
Date:   Fri Nov 1 17:03:01 2019 +0100

    Allow x_userdomain to dbus_chat with timedatex.
    
    Allow users in x_userdomain to send and receive messages from timedatex over dbus.
    
    Attribute x_userdomain: staff_t, sysadm_t, user_t

Comment 3 Fedora Update System 2019-12-04 07:50:36 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 4 Fedora Update System 2019-12-05 02:00:57 UTC
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 5 Fedora Update System 2019-12-06 19:20:53 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 6 Fedora Update System 2019-12-07 02:18:00 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 7 Fedora Update System 2019-12-11 01:32:16 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

