Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 922347

Summary: SELinux is preventing /usr/lib64/sa/sadc from 'open' accesses on the file /etc/localtime.
Product: Red Hat Enterprise Linux 7 Reporter: Petr Sklenar <psklenar>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:de43c4f16a7a214b99ff77beca880670a5a74c67b66131e9b91d5c2b861dbe1c
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:03:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log none

Description Petr Sklenar 2013-03-16 10:58:30 UTC 
Description of problem:
set up time and time zone in kde
SELinux is preventing /usr/lib64/sa/sadc from 'open' accesses on the file /etc/localtime.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/localtime default label should be locale_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/localtime

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that sadc should be allowed open access on the localtime file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sadc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sysstat_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_tmp_t:s0
Target Objects                /etc/localtime [ file ]
Source                        sadc
Source Path                   /usr/lib64/sa/sadc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sysstat-10.1.2-2.el7.x86_64
Target RPM Packages           systemd-197-1.el7.1.2.x86_64
Policy RPM                    selinux-policy-3.11.1-75.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.0-0.36.el7.x86_64 #1 SMP Thu
                              Feb 21 14:52:48 EST 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-03-16 11:50:01 CET
Last Seen                     2013-03-16 11:50:01 CET
Local ID                      8bfc6801-ccc8-46ce-aa79-e8ee5b04a9b2

Raw Audit Messages
type=AVC msg=audit(1363431001.228:1308): avc:  denied  { open } for  pid=2439 comm="sadc" path="/etc/localtime" dev="dm-1" ino=203774897 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1363431001.228:1308): arch=x86_64 syscall=open success=no exit=EACCES a0=3449577cd0 a1=80000 a2=1b6 a3=238 items=0 ppid=2435 pid=2439 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=41 tty=(none) comm=sadc exe=/usr/lib64/sa/sadc subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

Hash: sadc,sysstat_t,gnomeclock_tmp_t,file,open

audit2allow

#============= sysstat_t ==============
allow sysstat_t gnomeclock_tmp_t:file open;

audit2allow -R

#============= sysstat_t ==============
allow sysstat_t gnomeclock_tmp_t:file open;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.0-0.36.el7.x86_64
type:           libreport
Comment 2 Milos Malik 2013-03-18 08:52:19 UTC 
/etc/localtime was mislabeled.

# matchpathcon /etc/localtime
/etc/localtime	system_u:object_r:locale_t:s0
#

Suspects are here:
/usr/lib/systemd/systemd-timedated                 regular file       system_u:object_r:gnomeclock_exec_t:s0 
/usr/libexec/gnome-clock-applet-mechanism          regular file       system_u:object_r:gnomeclock_exec_t:s0 
/usr/libexec/gsd-datetime-mechanism                regular file       system_u:object_r:gnomeclock_exec_t:s0 
/usr/libexec/kde(3|4)/kcmdatetimehelper            regular file       system_u:object_r:gnomeclock_exec_t:s0
Comment 3 Miroslav Grepl 2013-03-18 09:34:09 UTC 
Actually, we moved this policy to systemd_timedated_t which I believe will solve this issue.

I mean the policy based on F19.
Comment 4 Petr Sklenar 2013-03-27 12:44:34 UTC 
Created attachment 717050 [details]
audit.log

hello,
I am sorry for the late answer, there is my full audit.log after the denial.
Machine is in permissive state. I just change the timezone in the KDE "digital clock setting"
Comment 5 Miroslav Grepl 2013-03-27 14:22:18 UTC 
This is with the old policy which should go away with the latest RHEL7 policies.
Comment 6 Michal Trunecka 2013-03-28 08:07:07 UTC 
So what is the intention with these tools? There are several related bugs, so it would be helpful for us to know more about this to create some meaningful regression test.

https://bugzilla.redhat.com/show_bug.cgi?id=922346
https://bugzilla.redhat.com/show_bug.cgi?id=922347

Is bin_t the correct contexts for the mentioned tools or is it going to change? And what is the context the tools should be running under?
Comment 7 Miroslav Grepl 2013-04-02 09:05:32 UTC 
Well, the problem is there was a lot of issues on F19 so we changed the way how we confine it. If you need, you can find all these bugs.  If the policy tells you, the labeling is bin_t then it is correct for now.
Comment 8 Miroslav Grepl 2013-04-02 09:05:45 UTC 
*** Bug 922346 has been marked as a duplicate of this bug. ***
Comment 10 Ludek Smid 2014-06-13 12:03:54 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.