Bug 1970359 - systemd-timesyncd fails on boot
Summary: systemd-timesyncd fails on boot
Status: CLOSED DUPLICATE of bug 1965720
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2021-06-10 11:15 UTC by dan
Modified: 2021-12-16 19:38 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-12-16 19:38:36 UTC
Type: Bug

Attachments (Terms of Use)
requsted systemd journal showing boot (506.81 KB, text/plain)
2021-06-17 17:44 UTC, dan
no flags Details

Description dan 2021-06-10 11:15:33 UTC
Description of problem:

systemd-timesyncd fails on boot.  After boot, with the network running, it can be manually started.

It is possibly failing because the systemd unit file has it loading before the network is online.

By making the following changes to the [Unit] stanza, it loads properly on boot.

Add network-online.target to After=
Remove sysinit.target from Before=

Comment 1 Zbigniew Jędrzejewski-Szmek 2021-06-17 07:33:52 UTC
Please also attach a log ('journactl -b -o short-monotonic --no-hostname').

Comment 2 dan 2021-06-17 17:43:10 UTC
As requested.  See journal.txt.

The final start is where after boot I manually start the process and then it succeeds.

Comment 3 dan 2021-06-17 17:44:11 UTC
Created attachment 1791880 [details]
requsted systemd journal showing boot

Comment 4 Zbigniew Jędrzejewski-Szmek 2021-06-21 16:24:31 UTC
This doesn't have anything to do with the network, but with the dbus connection.
Setting After=dbus.service should fix the issue.
(Setting After=network-online.target also works, by delaying the service. ExecStartPre=sleep 30 would probably also work…)

[   14.033417] audit[1030]: AVC avc:  denied  { watch } for  pid=1030 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=38 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
[   14.033545] audit[1030]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55b4db2e1e10 a2=2000d84 a3=55b4db2e1dc0 items=0 ppid=1 pid=1030 auid=4294967295 uid=999 gid=997 euid=999 suid=999 fsuid=999 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null)
[   14.033630] audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd"
[   14.033715] systemd-timesyncd[1030]: Failed to connect to bus: Permission denied
[   14.034283] systemd-timesyncd[1030]: Could not connect to bus: Permission denied
[   14.036726] systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
[   14.036975] systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
[   14.037439] systemd[1]: Failed to start Network Time Synchronization.

libsystemd supports waiting for the dbus connection socket to appear. If the socket
is not present when the connection attempt is made, libsystemd will create an inotify
watch for the socket. This should be allowed by the policy, so that the daemon can be
started independently of the bus broker.

Comment 5 Zbigniew Jędrzejewski-Szmek 2021-06-21 16:41:31 UTC
Please do the same policy adjustment for systemd-networkd. See https://bugzilla.redhat.com/show_bug.cgi?id=1948042.

Comment 6 Dominik 'Rathann' Mierzejewski 2021-07-10 23:34:21 UTC
FYI, here are the AVCs I saw:

Jul 11 00:52:28 audit[705]: AVC avc:  denied  { watch } for  pid=705 comm="systemd-network" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Jul 11 01:23:13 audit[703]: AVC avc:  denied  { watch } for  pid=703 comm="systemd-network" path="/run" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Jul 11 01:27:32 audit[683]: AVC avc:  denied  { watch } for  pid=683 comm="systemd-network" path="/run/dbus" dev="tmpfs" ino=1133 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0

And the relevant allow entries in CIL:

(allow systemd_networkd_t root_t (dir (watch)))
(allow systemd_networkd_t system_dbusd_var_run_t (dir (watch)))
(allow systemd_networkd_t var_run_t (dir (watch)))

Comment 7 Yanko Kaneti 2021-10-19 09:09:55 UTC
Upstream (systemd, libsystemd shared by most systemd daemons relying on dbus) refuses to work around not being able to watch the rootfs, so this needs addressing.

Or unsuspecting people like me are left without networking or timesyncing or resolving...

Comment 8 Robert Scheck 2021-12-06 23:25:08 UTC
After about 6 months now: Are there any plans to get this fixed? I would need the fix in CentOS Stream 9, too.

Comment 9 Zdenek Pytela 2021-12-13 16:35:20 UTC
The bug as reported has been fixed already:
# sesearch -A -s systemd_timedated_t -t system_dbusd_var_run_t -c dir -p watch
allow systemd_timedated_t system_dbusd_var_run_t:dir { ioctl lock read watch };
# sesearch -A -s systemd_timedated_t -t var_run_t -c dir -p watchallow systemd_timedated_t var_run_t:dir watch;

For networkd, there is another bz which will be fixed soon.

*** This bug has been marked as a duplicate of bug 1965720 ***

Comment 10 Yanko Kaneti 2021-12-13 18:03:00 UTC
Reopening because I don't think the root cause is addressed.

The issue is not with var_run_t . Its about root_t.
Waiting for the dbus socket to appear in libsystemd involves an inotify watch on "/", as described in the linked systemd issue.

Comment 11 Zdenek Pytela 2021-12-16 19:38:36 UTC
The issue as reported was fixed. There will be a more general solution as a fix of bz#2031668. If you still see another denial once a new build is available, feel free to create another bz.

ALso note root_t was not mentioned in the description, but was added anyway:

# sesearch -A -s systemd_timedated_t -t root_t -c dir -p watch
allow systemd_timedated_t root_t:dir watch;

*** This bug has been marked as a duplicate of bug 1965720 ***

Note You need to log in before you can comment on or make changes to this bug.