Bug 811268 - System Clock SELinux Problem
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64 Linux
Priority: unspecified, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-04-10 11:08 EDT by Onuralp SEZER
Modified: 2013-02-13 21:02 EST
Doc Type: Bug Fix
Last Closed: 2013-02-13 21:01:58 EST
Type: Bug

Description Onuralp SEZER 2012-04-10 11:08:59 EDT
Description of problem:

SELinux problem on "Network Time" in "Date and Time Setting"


Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-80.fc16.noarch
setroubleshoot-3.1.3-1.fc16.x86_64

How reproducible:


Steps to Reproduce:

(In Gnome Desktop)

1. Click Time
2. Select "Date And Time Setting"
3. Unlock and write "Root" password
4. Turn on the Network Time
5. Pop-up the SELinux Warning

I get the same error from KDE Desktop too.
  
Actual results:
If I try to set Network Time or turn it off, I get this SELinux message

Expected results:
I can change the time or set network time and nothing comes up from SELinux

Additional info:


SELinux is preventing /sbin/chkconfig from getattr access on the file /bin/systemd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chkconfig should be allowed getattr access on the systemd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chkconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /bin/systemd [ file ]
Source                        chkconfig
Source Path                   /sbin/chkconfig
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           chkconfig-1.3.59-1.fc16.x86_64
Target RPM Packages           systemd-37-17.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.1-3.fc16.x86_64 #1
                              SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 10 Apr 2012 02:28:47 PM EEST
Last Seen                     Tue 10 Apr 2012 02:28:47 PM EEST
Local ID                      f430d36c-2d43-422b-b4bb-6d43f2d76863

Raw Audit Messages
type=AVC msg=audit(1334057327.582:80): avc:  denied  { getattr } for  pid=2698 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES a0=2153410 a1=7fff322d9780 a2=7fff322d9780 a3=1000 items=0 ppid=2681 pid=2698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: chkconfig,gnomeclock_t,init_exec_t,file,getattr

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;
Comment 1 Daniel Walsh 2012-04-10 14:55:04 EDT
Can you execute

# semanage permissive -a gnomeclock_t

And then try this again.

# ausearch -m avc -ts recent

Attach the output.
Comment 2 Onuralp SEZER 2012-04-10 15:05:01 EDT
I did: # semanage permissive -a gnomeclock_t, and

"ausearch -m avc -ts recent" result:

----
time->Tue Apr 10 22:01:45 2012
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0 a0=84d410 a1=7fffe3f28570 a2=7fffe3f28570 a3=1000 items=0 ppid=9313 pid=9315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chkconfig" exe="/sbin/chkconfig" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334084505.078:130): avc:  denied  { getattr } for  pid=9315 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
Comment 3 Daniel Walsh 2012-04-10 16:06:51 EDT
Was network time turned on?  Can you turn it off using the chkconfig and service commands and then turn it on using gnomeclock?
Comment 4 Daniel Walsh 2012-04-10 16:09:45 EDT
We have this dontaudited in F17.
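
Added example, not part of the bug report or of selinux-policy: the Python below pairs each AVC record with its SYSCALL record by audit event id and derives the rule audit2allow printed in the description, plus the dontaudit form of the same rule that Comment 4 refers to. The sample log is constructed from the two events quoted on this page, trimmed to the fields used; the function names are illustrative.

```python
import re

# Constructed sample: the two audit events quoted in this report, trimmed to the
# fields used here. Event :80 is from enforcing mode, :130 from after
# `semanage permissive -a gnomeclock_t`.
SAMPLE = """\
type=AVC msg=audit(1334057327.582:80): avc:  denied  { getattr } for  pid=2698 comm="chkconfig" path="/bin/systemd" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES comm=chkconfig
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0 comm="chkconfig"
type=AVC msg=audit(1334084505.078:130): avc:  denied  { getattr } for  pid=9315 comm="chkconfig" path="/bin/systemd" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
"""

HEAD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)")


def se_type(context):
    """user:role:type:range -> type (third colon-separated field)."""
    return context.split(":")[2]


def summarize(log):
    """Group records by audit event id; return one entry per AVC denial."""
    events = {}
    for line in log.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        rec, event_id = head.groups()
        ev = events.setdefault(event_id, {})
        avc = AVC.search(line) if rec == "AVC" else None
        if avc:
            perms = avc.group(1).split()
            perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
            ev["rule"] = "%s %s:%s %s;" % (
                se_type(avc.group(2)), se_type(avc.group(3)), avc.group(4), perm)
        elif rec == "SYSCALL":
            # The AVC says "denied" either way; only the syscall result shows
            # whether the access was actually refused.
            ev["blocked"] = "success=no" in line.split()
    return [(eid, "allow " + ev["rule"], "dontaudit " + ev["rule"], ev.get("blocked"))
            for eid, ev in events.items() if "rule" in ev]


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

In the permissive run (event :130) the AVC still reads "denied" while the syscall reports success=yes, so a logged denial alone does not show that the access was refused.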
Comment 5 Onuralp SEZER 2012-04-10 16:24:57 EDT
How can I turn it off via chkconfig and service? And yes, if I turn it on, SELinux gives me a warning. Also, I have another PC with KDE Desktop installed, and it gives the same SELinux problem if I just try to change the "clock", not network time. Anyway, how can I turn off network time via chkconfig or service?
Comment 6 Daniel Walsh 2012-04-10 16:28:49 EDT
I think it is 

# chkconfig ntp off
Comment 7 Onuralp SEZER 2012-04-10 16:38:11 EDT
NTP, yes, I remember the service name now. But the problem is that the default F16 GnomeClock is not using "ntp" or "ntpq". I searched on Google to try all alternatives, but if I give this command:

root@localhost onuralp# chkconfig ntp off
error reading information on service ntp: No such file or directory

I also tried "ntpq" but I get the same result.

I checked this link:

http://fedoraproject.org/wiki/Administration_Guide_Draft/NTP
Comment 9 Onuralp SEZER 2012-04-10 16:43:09 EDT
Network Time Protocol is explained here. But we have one problem: the default F16 Live didn't have this command ("ntpdate"). I just tried this.

http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/sect-Configuring_the_Date_and_Time-Command_Line_Configuration-Network_Time_Protocol.html
Comment 10 Miroslav Grepl 2012-06-22 10:30:26 EDT
Is this still an issue?
Comment 11 Fedora End Of Life 2013-02-13 21:02:02 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
