Bug 1965720 - SELinux is preventing systemd-timesyncd from watch access on the directory /run/dbus
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1960468 1967971 1970359
Reported: 2021-05-28 23:15 UTC by Anthony Messina
Modified: 2021-12-16 19:38 UTC

Fixed In Version: selinux-policy-34.12-1.fc34
Last Closed: 2021-06-30 03:15:57 UTC
Type: Bug

Description Anthony Messina 2021-05-28 23:15:47 UTC
AVC avc:  denied  { watch } for  pid=691 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=42 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0

Comment 1 Christian Kujau 2021-06-06 22:35:36 UTC
Same here:

$ journalctl -b -p warning
[...]
Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied
Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied
Jun 07 00:16:26 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Jun 07 00:16:26 systemd[1]: Failed to start Network Time Synchronization.

$ journalctl -b | grep denied | grep -m3 systemd-timesyn
Jun 07 00:16:26 audit[1086]: AVC avc:  denied  { watch } for  pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied
Jun 07 00:16:26 systemd-timesyncd[1086]: Could not connect to bus: Permission denied


(Note: the bootlog has many more AVC denied warnings[0], but that's material for another bug report, I guess)


=== After the system has booted, restarting systemd-timesyncd.service works just fine. Now, /run/dbus looks like this:

$ ls -ldZ /run/dbus{,/*}
drwxr-xr-x. 2 root root system_u:object_r:system_dbusd_var_run_t:s0 60 Jun  7 00:16 /run/dbus
srw-rw-rw-. 1 root root system_u:object_r:system_dbusd_var_run_t:s0  0 Jun  7 00:16 /run/dbus/system_bus_socket




[0] https://clbin.com/30ROH

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-06-07 06:55:40 UTC
*** Bug 1967971 has been marked as a duplicate of this bug. ***

Comment 3 Zbigniew Jędrzejewski-Szmek 2021-06-07 07:02:48 UTC
Please attach the full log, and also the output from 'systemctl status dbus'.

> Jun 07 00:16:26 audit[1086]: AVC avc:  denied  { watch } for  pid=1086 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0

Normally systemd-timesyncd (or any dbus client) would do connect() to "/run/dbus/system_bus_socket".
If it's trying to open a watch on the directory, this means that the socket was not present
and it's trying to establish a watch to monitor when the socket is opened by the dbus broker.
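
Added example (not part of the original comments or of the selinux-policy project): a small Python parser that turns the AVC records quoted in this report into structured fields and groups them by the literal type-enforcement rule each denial corresponds to. The function names are hypothetical, and the derived rule is only what the denial asks for, not necessarily the change made in the policy fix.

```python
import re

# Two AVC records copied from this bug report, plus one non-AVC journal line from it.
LOG = [
    'AVC avc:  denied  { watch } for  pid=691 comm="systemd-timesyn" path="/run/dbus" '
    'dev="tmpfs" ino=42 scontext=system_u:system_r:systemd_timedated_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0',
    'Jun 07 00:16:26 audit[1086]: AVC avc:  denied  { watch } for  pid=1086 '
    'comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=46 '
    'scontext=system_u:system_r:systemd_timedated_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0',
    'Jun 07 00:16:26 systemd-timesyncd[1086]: Failed to connect to bus: Permission denied',
]

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= avc.keys():
        return None  # truncated record: not enough to name a rule
    avc['result'] = m.group(1)
    avc['perms'] = m.group(2).split()
    # Context is user:role:type:level; the level may itself contain ':'.
    for key in ('scontext', 'tcontext'):
        avc[key + '_type'] = avc[key].split(':', 3)[2]
    return avc

def to_allow_rule(avc):
    """The literal type-enforcement rule the denial corresponds to."""
    perms = avc['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['scontext_type']} {avc['tcontext_type']}:{avc['tclass']} {perm_s};"

def triage(lines):
    """Group denials by rule; record PIDs and whether any was actually enforced."""
    out = {}
    for avc in (a for a in map(parse_avc, lines) if a and a['result'] == 'denied'):
        e = out.setdefault(to_allow_rule(avc), {'pids': [], 'enforced': False})
        e['pids'].append(avc.get('pid'))
        # permissive=0 means the access was blocked, not just logged.
        e['enforced'] |= avc.get('permissive') == '0'
    return out
```

Calling `triage(LOG)` collapses both reports into a single rule with two PIDs and `enforced` set, which is a quick way to confirm that duplicate reports describe the same denial.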

Comment 4 Zdenek Pytela 2021-06-15 14:46:08 UTC
*** Bug 1960468 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2021-06-15 14:56:01 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/780

Comment 6 Fedora Update System 2021-06-24 15:28:21 UTC
FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94

Comment 7 Fedora Update System 2021-06-24 16:55:56 UTC
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-30 03:15:57 UTC
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Zdenek Pytela 2021-12-13 16:35:20 UTC
*** Bug 1970359 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2021-12-16 19:38:36 UTC
*** Bug 1970359 has been marked as a duplicate of this bug. ***
