Description of problem: After upgrading to Fedora CoreOS 37, systemd-timesyncd fails to start with a SELinux denial. Version-Release number of selected component (if applicable): selinux-policy-37.12-2.fc37.noarch systemd-udev-251.7-611.fc37.aarch64 Fedora CoreOS 37.20221106.3.0 How reproducible: Always Steps to Reproduce: 1. systemctl start systemd-timesyncd Actual results: Dec 08 06:43:24 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization... Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 Dec 08 06:43:24 systemd-timesyncd[7055]: Failed to allocate manager: Permission denied Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'. Expected results: Service started Additional info:
Juan, I am unable to reproduce the problem. Do you know what are the triggering conditions? $ rpm -q systemd selinux-policy systemd-251.8-586.fc37.x86_64 selinux-policy-37.15-1.fc37.noarch
Hi Zdenek, The bug description is from a Raspberry Pi 4 running FCOS 37.20221106.3.0 in the stable stream. I've tested it again in a x86_64 VM using the next stream and the issue is reproducible just by starting systemd-timesyncd. Packages: selinux-policy-37.14-1.fc37.noarch systemd-251.8-586.fc37.x86_64 ~~~ # rpm-ostree status State: idle AutomaticUpdatesDriver: Zincati DriverState: active; periodically polling for updates (last checked Thu 2022-12-08 13:59:43 UTC) Deployments: ● fedora:fedora/x86_64/coreos/next Version: 37.20221127.1.0 (2022-11-28T10:24:58Z) BaseCommit: e051d49946dd7685ed1fa52c924506fc997958fd002ab39f9b131d0c45b72bb0 GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A LayeredPackages: borgbackup borgmatic podman-compose qemu-guest-agent vim ~~~ ~~~ # journalctl -b --no-hostname Dec 08 13:57:56 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization... Dec 08 13:57:56 audit[830]: AVC avc: denied { watch } for pid=830 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 Dec 08 13:57:56 audit[830]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=7f2dfa0b83de a2=40000100 a3=7ffe22e9338c items=0 ppid=1 pid=830 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null) Dec 08 13:57:56 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd" Dec 08 13:57:56 systemd-timesyncd[830]: Failed to allocate manager: Permission denied Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'. Dec 08 13:57:56 systemd[1]: Failed to start systemd-timesyncd.service - Network Time Synchronization. Dec 08 13:57:56 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Scheduled restart job, restart counter is at 1. Dec 08 13:57:56 systemd[1]: Stopped systemd-timesyncd.service - Network Time Synchronization. ~~~ ~~~ # ls -laZ /run/systemd total 0 drwxr-xr-x. 24 root root system_u:object_r:init_var_run_t:s0 600 Dec 8 14:07 . drwxr-xr-x. 42 root root system_u:object_r:var_run_t:s0 1140 Dec 8 14:07 .. drwxr-xr-x. 2 root root system_u:object_r:systemd_passwd_var_run_t:s0 40 Dec 8 13:57 ask-password drwx------. 2 root root unconfined_u:object_r:systemd_passwd_var_run_t:s0 60 Dec 8 13:59 ask-password-block srw-------. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 coredump drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 14:04 dynamic-uid drwxr-xr-x. 8 root root system_u:object_r:systemd_unit_file_t:s0 220 Dec 8 13:57 generator drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 60 Dec 8 13:57 home drwxr-xr-x. 3 root root system_u:object_r:init_var_run_t:s0 160 Dec 8 13:57 inaccessible drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 13:57 incoming drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_inhibit_var_run_t:s0 80 Dec 8 13:57 inhibit srw-rw-rw-. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 io.system.ManagedOOM drwxr-xr-x. 3 root root system_u:object_r:syslogd_var_run_t:s0 180 Dec 8 13:57 journal drwxr-xr-x. 2 root root system_u:object_r:systemd_machined_var_run_t:s0 40 Dec 8 13:57 machines drwxr-xr-x. 2 root root system_u:object_r:net_conf_t:s0 40 Dec 8 13:57 network srwxrwxrwx. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 notify srwx------. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 private drw-------. 13 root root system_u:object_r:init_var_run_t:s0 260 Dec 8 14:07 propagate drwxr-xr-x. 3 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 120 Dec 8 14:07 resolve drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 60 Dec 8 13:57 seats drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_sessions_t:s0 80 Dec 8 13:59 sessions -rw-r--r--. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 show-status drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 40 Dec 8 13:57 shutdown drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 40 Dec 8 13:57 system -r--r--r--. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 systemd-units-load drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 100 Dec 8 13:59 transient drwx------. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 13:57 unit-root drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 1320 Dec 8 14:07 units drwxr-xr-x. 2 root root system_u:object_r:systemd_userdbd_runtime_t:s0 140 Dec 8 13:57 userdb drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 80 Dec 8 13:59 users ~~~
Thank you, so this probably reproduces only on an ostree system.
Opened an FCOS issue tracker issue for this too: https://github.com/coreos/fedora-coreos-tracker/issues/1359
(In reply to Zdenek Pytela from comment #3) > Thank you, so this probably reproduces only on an ostree system. Hey Zdenek. This appears to be true, but do you know why it's specific to only ostree systems? I'm not sure how the PR fix here is special only for OSTree.
I am not aware of any manageable way of having separate policy for ostree, so this will be added to selinux-policy in the next build.
Right. I'm just trying to understand why I can reproduce this on an OSTree system, but not on a non-OSTree system. I'm happy with the fix, just trying to uderstand the problem space a bit better.
I'm facing the exact same issue on my Fedora 37 box (not FCOS).
FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
This issue is also present on EL9.