Description of problem:
SELinux problem on "Network Time" in "Date and Time Setting"

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-80.fc16.noarch
setroubleshoot-3.1.3-1.fc16.x86_64

How reproducible:

Steps to Reproduce: (In Gnome Desktop)
1. Click Time
2. Select "Date And Time Setting"
3. Unlock and write "Root" password
4. Turn on the Network Time
5. Pop-up the SELinux Warning

I get the same error from KDE Desktop too.

Actual results:
If I try to set Network Time or turn it off, I get this SELinux message.

Expected results:
I can change time or set network time and nothing comes up from SELinux.

Additional info:

SELinux is preventing /sbin/chkconfig from getattr access on the file /bin/systemd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that chkconfig should be allowed getattr access on the systemd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chkconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /bin/systemd [ file ]
Source                        chkconfig
Source Path                   /sbin/chkconfig
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           chkconfig-1.3.59-1.fc16.x86_64
Target RPM Packages           systemd-37-17.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.1-3.fc16.x86_64 #1 SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 10 Apr 2012 02:28:47 PM EEST
Last Seen                     Tue 10 Apr 2012 02:28:47 PM EEST
Local ID                      f430d36c-2d43-422b-b4bb-6d43f2d76863

Raw Audit Messages
type=AVC msg=audit(1334057327.582:80): avc: denied { getattr } for pid=2698 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES a0=2153410 a1=7fff322d9780 a2=7fff322d9780 a3=1000 items=0 ppid=2681 pid=2698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: chkconfig,gnomeclock_t,init_exec_t,file,getattr

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t init_exec_t:file getattr;
Can you execute

# semanage permissive -a gnomeclock_t

And then try this again.

# ausearch -m avc -ts recent

Attach the output.
I did:

# semanage permissive -a gnomeclock_t

and the "ausearch -m avc -ts recent" result:

----
time->Tue Apr 10 22:01:45 2012
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0 a0=84d410 a1=7fffe3f28570 a2=7fffe3f28570 a3=1000 items=0 ppid=9313 pid=9315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chkconfig" exe="/sbin/chkconfig" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334084505.078:130): avc: denied { getattr } for pid=9315 comm="chkconfig" path="/bin/systemd" dev="dm-1" ino=2106756 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
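An added example, not part of the original thread: the two audit events quoted above share a type=AVC and a type=SYSCALL record each, tied together by the audit event id in msg=audit(...). The Python sketch below pairs them, derives the same allow rule that audit2allow printed, and uses the SYSCALL success field to tell an enforced denial from one that was only logged after the domain was made permissive. The function names are illustrative, and the sample is trimmed from the records in this thread to the fields the parser reads.

```python
import re
from collections import defaultdict

# Sample trimmed from the two events quoted in this thread
# (enforcing run first, run after "semanage permissive -a" second).
SAMPLE = """\
type=AVC msg=audit(1334057327.582:80): avc: denied { getattr } for pid=2698 comm="chkconfig" path="/bin/systemd" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1334057327.582:80): arch=x86_64 syscall=lstat success=no exit=EACCES comm=chkconfig exe=/sbin/chkconfig
type=SYSCALL msg=audit(1334084505.078:130): arch=c000003e syscall=6 success=yes exit=0 comm="chkconfig" exe="/sbin/chkconfig"
type=AVC msg=audit(1334084505.078:130): avc: denied { getattr } for pid=9315 comm="chkconfig" path="/bin/systemd" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def se_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(":")[2]

def triage(log_text):
    """Group records by audit event id and summarise each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            events[m.group(2)][m.group(1)] = line
    results = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue
        perms, scon, tcon, tclass = avc.groups()
        perms = perms.split()
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        ok = re.search(r"\bsuccess=(\w+)", recs.get("SYSCALL", ""))
        # "denied" with success=yes: the access was logged but not blocked
        # (permissive domain); success=no: the denial was enforced.
        outcome = {"yes": "logged-only", "no": "enforced"}.get(
            ok.group(1) if ok else "", "unknown")
        rule = f"allow {se_type(scon)} {se_type(tcon)}:{tclass} {perm_str};"
        results.append({"event": event_id, "outcome": outcome, "rule": rule})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["event"], r["outcome"], r["rule"])
```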
Was network time turned on? Can you turn it off using the chkconfig and service commands and then turn it on using gnomeclock?
We have this dontaudited in F17.
How can I turn it off via chkconfig and service? And yes, if I turn it on, SELinux gives me a warning. Also, I have another PC with KDE Desktop installed, and it gives the same SELinux problem if I try to just change the "clock", not network time. Anyway, how can I turn off network time via chkconfig or service?
I think it is

# chkconfig ntp off
NTP, yes, I remember the service name now. But the problem is that the default F16 GnomeClock is not using "ntp" or "ntpq". I searched on Google to try all the alternatives, but if I give this command:

root@localhost onuralp# chkconfig ntp off
error reading information on service ntp: No such file or directory

Also I tried "ntpq" but I get the same result. I checked from this link:
http://fedoraproject.org/wiki/Administration_Guide_Draft/NTP
Fedora 16 documentation part:
http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/ch-Configuring_the_Date_and_Time.html

We can only use the "date" command to change the date and time.
http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/sect-Configuring_the_Date_and_Time-Command_Line_Configuration-Time.html
Network Time Protocol is explained here. But we have one problem: the default F16 Live didn't have this command ("ntpdate"). I just tried this.
http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/sect-Configuring_the_Date_and_Time-Command_Line_Configuration-Network_Time_Protocol.html
Is this still an issue?
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.