Description of problem: systemd-timesyncd fails on boot. After boot, with the network running, it can be manually started. It is possibly failing because the systemd unit file has it loading before the network is online. By making the following changes to the [Unit] stanza, it loads properly on boot. Add network-online.target to After= Remove sysinit.target from Before=
Please also attach a log ('journactl -b -o short-monotonic --no-hostname').
As requested. See journal.txt. The final start is where after boot I manually start the process and then it succeeds.
Created attachment 1791880 [details] requsted systemd journal showing boot
This doesn't have anything to do with the network, but with the dbus connection. Setting After=dbus.service should fix the issue. (Setting After=network-online.target also works, by delaying the service. ExecStartPre=sleep 30 would probably also work…) [ 14.033417] audit[1030]: AVC avc: denied { watch } for pid=1030 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=38 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0 [ 14.033545] audit[1030]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55b4db2e1e10 a2=2000d84 a3=55b4db2e1dc0 items=0 ppid=1 pid=1030 auid=4294967295 uid=999 gid=997 euid=999 suid=999 fsuid=999 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null) [ 14.033630] audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd" [ 14.033715] systemd-timesyncd[1030]: Failed to connect to bus: Permission denied [ 14.034283] systemd-timesyncd[1030]: Could not connect to bus: Permission denied [ 14.036726] systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE [ 14.036975] systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'. [ 14.037439] systemd[1]: Failed to start Network Time Synchronization. libsystemd supports waiting for the dbus connection socket to appear. If the socket is not present when the connection attempt is made, libsystemd will create an inotify watch for the socket. This should be allowed by the policy, so that the daemon can be started independently of the bus broker.
Please do the same policy adjustment for systemd-networkd. See https://bugzilla.redhat.com/show_bug.cgi?id=1948042.
FYI, here are the AVCs I saw: Jul 11 00:52:28 audit[705]: AVC avc: denied { watch } for pid=705 comm="systemd-network" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Jul 11 01:23:13 audit[703]: AVC avc: denied { watch } for pid=703 comm="systemd-network" path="/run" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 Jul 11 01:27:32 audit[683]: AVC avc: denied { watch } for pid=683 comm="systemd-network" path="/run/dbus" dev="tmpfs" ino=1133 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0 And the relevant allow entries in CIL: (allow systemd_networkd_t root_t (dir (watch))) (allow systemd_networkd_t system_dbusd_var_run_t (dir (watch))) (allow systemd_networkd_t var_run_t (dir (watch)))
Upstream (systemd, libsystemd shared by most systemd daemons relying on dbus) refuses to work around not being able to watch the rootfs, so this needs addressing. https://github.com/systemd/systemd/issues/21009 Or unsuspecting people like me are left without networking or timesyncing or resolving...
After about 6 months now: Are there any plans to get this fixed? I would need the fix in CentOS Stream 9, too.
The bug as reported has been fixed already: # sesearch -A -s systemd_timedated_t -t system_dbusd_var_run_t -c dir -p watch allow systemd_timedated_t system_dbusd_var_run_t:dir { ioctl lock read watch }; # sesearch -A -s systemd_timedated_t -t var_run_t -c dir -p watchallow systemd_timedated_t var_run_t:dir watch; For networkd, there is another bz which will be fixed soon. *** This bug has been marked as a duplicate of bug 1965720 ***
Reopening because I don't think the root cause is addressed. The issue is not with var_run_t . Its about root_t. Waiting for the dbus socket to appear in libsystemd involves an inotify watch on "/", as described in the linked systemd issue.
The issue as reported was fixed. There will be a more general solution as a fix of bz#2031668. If you still see another denial once a new build is available, feel free to create another bz. ALso note root_t was not mentioned in the description, but was added anyway: # sesearch -A -s systemd_timedated_t -t root_t -c dir -p watch allow systemd_timedated_t root_t:dir watch; *** This bug has been marked as a duplicate of bug 1965720 ***