2217509 – systemd-timesyncd fails to start with a SELinux denial

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2217509 - systemd-timesyncd fails to start with a SELinux denial

Summary: systemd-timesyncd fails to start with a SELinux denial

Keywords:
Status:	CLOSED DUPLICATE of bug 2175137
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nikola Knazekova
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	2151806
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-26 13:30 UTC by Timothée Ravier
Modified:	2023-09-29 13:07 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	2151806
Environment:
Last Closed:	2023-06-26 14:19:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-160779	0	None	None	None	2023-06-26 13:33:25 UTC
Red Hat Issue Tracker	RHELPLAN-160780	0	None	None	None	2023-06-26 13:33:18 UTC

Description Timothée Ravier 2023-06-26 13:30:29 UTC

+++ This bug was initially created as a clone of Bug #2151806 +++

Description of problem:
After upgrading to Fedora CoreOS 37, systemd-timesyncd fails to start with a SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-37.12-2.fc37.noarch
systemd-udev-251.7-611.fc37.aarch64
Fedora CoreOS 37.20221106.3.0

How reproducible:
Always

Steps to Reproduce:
1. systemctl start systemd-timesyncd

Actual results:

Dec 08 06:43:24 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Dec 08 06:43:24 audit[7055]: AVC avc:  denied  { watch } for  pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Dec 08 06:43:24 systemd-timesyncd[7055]: Failed to allocate manager: Permission denied
Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.

Expected results:
Service started

Additional info:

--- Additional comment from Zdenek Pytela on 2022-12-08 11:16:25 UTC ---

Juan,

I am unable to reproduce the problem. Do you know what are the triggering conditions?

$ rpm -q systemd selinux-policy
systemd-251.8-586.fc37.x86_64
selinux-policy-37.15-1.fc37.noarch

--- Additional comment from Juan Orti on 2022-12-08 14:15:11 UTC ---

Hi Zdenek,

The bug description is from a Raspberry Pi 4 running FCOS 37.20221106.3.0 in the stable stream.

I've tested it again in a x86_64 VM using the next stream and the issue is reproducible just by starting systemd-timesyncd.

Packages:
selinux-policy-37.14-1.fc37.noarch
systemd-251.8-586.fc37.x86_64

~~~
# rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: active; periodically polling for updates (last checked Thu 2022-12-08 13:59:43 UTC)
Deployments:
● fedora:fedora/x86_64/coreos/next
                  Version: 37.20221127.1.0 (2022-11-28T10:24:58Z)
               BaseCommit: e051d49946dd7685ed1fa52c924506fc997958fd002ab39f9b131d0c45b72bb0
             GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
          LayeredPackages: borgbackup borgmatic podman-compose qemu-guest-agent vim
~~~


~~~
# journalctl -b --no-hostname
Dec 08 13:57:56 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Dec 08 13:57:56 audit[830]: AVC avc:  denied  { watch } for  pid=830 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Dec 08 13:57:56 audit[830]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=7f2dfa0b83de a2=40000100 a3=7ffe22e9338c items=0 ppid=1 pid=830 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null)
Dec 08 13:57:56 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd"
Dec 08 13:57:56 systemd-timesyncd[830]: Failed to allocate manager: Permission denied
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Dec 08 13:57:56 systemd[1]: Failed to start systemd-timesyncd.service - Network Time Synchronization.
Dec 08 13:57:56 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Scheduled restart job, restart counter is at 1.
Dec 08 13:57:56 systemd[1]: Stopped systemd-timesyncd.service - Network Time Synchronization.
~~~

~~~
# ls -laZ /run/systemd
total 0
drwxr-xr-x. 24 root            root            system_u:object_r:init_var_run_t:s0                    600 Dec  8 14:07 .
drwxr-xr-x. 42 root            root            system_u:object_r:var_run_t:s0                        1140 Dec  8 14:07 ..
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_passwd_var_run_t:s0           40 Dec  8 13:57 ask-password
drwx------.  2 root            root            unconfined_u:object_r:systemd_passwd_var_run_t:s0       60 Dec  8 13:59 ask-password-block
srw-------.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 coredump
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 14:04 dynamic-uid
drwxr-xr-x.  8 root            root            system_u:object_r:systemd_unit_file_t:s0               220 Dec  8 13:57 generator
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     60 Dec  8 13:57 home
drwxr-xr-x.  3 root            root            system_u:object_r:init_var_run_t:s0                    160 Dec  8 13:57 inaccessible
drwxr-xr-x.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 13:57 incoming
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_inhibit_var_run_t:s0   80 Dec  8 13:57 inhibit
srw-rw-rw-.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 io.system.ManagedOOM
drwxr-xr-x.  3 root            root            system_u:object_r:syslogd_var_run_t:s0                 180 Dec  8 13:57 journal
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_machined_var_run_t:s0         40 Dec  8 13:57 machines
drwxr-xr-x.  2 root            root            system_u:object_r:net_conf_t:s0                         40 Dec  8 13:57 network
srwxrwxrwx.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 notify
srwx------.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 private
drw-------. 13 root            root            system_u:object_r:init_var_run_t:s0                    260 Dec  8 14:07 propagate
drwxr-xr-x.  3 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0        120 Dec  8 14:07 resolve
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           60 Dec  8 13:57 seats
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_sessions_t:s0          80 Dec  8 13:59 sessions
-rw-r--r--.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 show-status
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           40 Dec  8 13:57 shutdown
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0                40 Dec  8 13:57 system
-r--r--r--.  1 root            root            system_u:object_r:init_var_run_t:s0                      0 Dec  8 13:57 systemd-units-load
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0               100 Dec  8 13:59 transient
drwx------.  2 root            root            system_u:object_r:init_var_run_t:s0                     40 Dec  8 13:57 unit-root
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_unit_file_t:s0              1320 Dec  8 14:07 units
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_userdbd_runtime_t:s0         140 Dec  8 13:57 userdb
drwxr-xr-x.  2 root            root            system_u:object_r:systemd_logind_var_run_t:s0           80 Dec  8 13:59 users
~~~

--- Additional comment from Zdenek Pytela on 2022-12-08 19:07:57 UTC ---

Thank you, so this probably reproduces only on an ostree system.

--- Additional comment from Dusty Mabe on 2022-12-08 20:09:49 UTC ---

Opened an FCOS issue tracker issue for this too: https://github.com/coreos/fedora-coreos-tracker/issues/1359

--- Additional comment from Dusty Mabe on 2022-12-08 20:11:01 UTC ---

(In reply to Zdenek Pytela from comment #3)
> Thank you, so this probably reproduces only on an ostree system.

Hey Zdenek. This appears to be true, but do you know why it's specific to only ostree systems? I'm not sure how the PR fix here is special only for OSTree.

--- Additional comment from Zdenek Pytela on 2022-12-12 14:30:10 UTC ---

I am not aware of any manageable way of having separate policy for ostree, so this will be added to selinux-policy in the next build.

--- Additional comment from Dusty Mabe on 2022-12-12 16:51:14 UTC ---

Right. I'm just trying to understand why I can reproduce this on an OSTree system, but not on a non-OSTree system.

I'm happy with the fix, just trying to uderstand the problem space a bit better.

--- Additional comment from Denis Ollier on 2022-12-13 09:34:36 UTC ---

I'm facing the exact same issue on my Fedora 37 box (not FCOS).

--- Additional comment from Fedora Update System on 2022-12-21 10:01:31 UTC ---

FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5

--- Additional comment from Fedora Update System on 2022-12-22 01:40:57 UTC ---

FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2022-12-27 01:12:52 UTC ---

FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

--- Additional comment from Lioh Moeller on 2023-02-13 09:10:00 UTC ---

This issue is also present on EL9.

Comment 1 Timothée Ravier 2023-06-26 13:31:44 UTC

For https://issues.redhat.com/browse/OCPBUGS-14237, we need https://github.com/fedora-selinux/selinux-policy/pull/1502 backported to RHEL 9.2. Thanks!

Comment 2 Milos Malik 2023-06-26 13:38:32 UTC

I believe this BZ is a duplicate of BZ#2175137.

Comment 3 Timothée Ravier 2023-06-26 14:19:37 UTC

https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/merge_requests/842 matches https://github.com/fedora-selinux/selinux-policy/pull/1502.

Closing.

*** This bug has been marked as a duplicate of bug 2175137 ***

Note You need to log in before you can comment on or make changes to this bug.