Bug 1734197 - SELinux denial "denied { send_msg } for scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus" prevents timedatex.service from starting in current Rawhide
Summary: SELinux denial "denied { send_msg } for scontext=system_u:system_r:timedate...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: x86_64
OS: Linux
Importance: high urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: openqa
Depends On:
Blocks: F31BetaBlocker
 
Reported: 2019-07-29 23:32 UTC by Adam Williamson
Modified: 2020-10-02 14:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-16 21:11:48 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-07-29 23:32:07 UTC
In current Fedora Rawhide (Fedora-Rawhide-20190729.n.0), it seems an SELinux denial prevents timedatex.service from starting on a freshly-installed Workstation system:

Jul 29 16:01:55 localhost-live audit[837]: USER_AVC pid=837 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Jul 29 16:01:55 localhost-live timedatex[1370]: Failed to create org.freedesktop.systemd1 proxy: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 16:01:55 localhost-live systemd[1]: timedatex.service: Failed with result 'exit-code'.

This happens to be a major issue because gnome-initial-setup then crashes because timedatex isn't running. I'm filing that as a separate bug, but will propose both as release blockers per "A system installed with a release-blocking desktop must boot to a log in screen where it is possible to log in to a working desktop using a user account created during installation or a 'first boot' utility" - these bugs mean that Workstation live installs just boot to a broken state where g-i-s has crashed and you can't interact with the system at all.

Comment 1 Adam Williamson 2019-07-29 23:36:51 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1734198 is the g-i-s bug, for the record.

Comment 2 Adam Williamson 2019-07-29 23:41:04 UTC
Confirmed that setting SELinux to permissive and rebooting (which you can only do if you hack in a root password for the installed system after installing it...) results in g-i-s running OK.

Comment 3 Adam Williamson 2019-07-29 23:41:57 UTC
Full list of denials from that boot:

[root@localhost-live ~]# ausearch -m avc -ts recent
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:209): avc:  denied  { read } for  pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:210): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.335:211): avc:  denied  { getattr } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:212): avc:  denied  { read } for  pid=1321 comm="timedatex" name="rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:213): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Mon Jul 29 16:40:22 2019
type=AVC msg=audit(1564443622.352:214): avc:  denied  { ioctl } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1

Comment 4 nknazeko 2019-07-31 12:08:37 UTC
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/129

Comment 5 Lukas Vrabec 2019-07-31 15:35:58 UTC
PR merged.

Comment 6 Adam Williamson 2019-08-06 22:57:52 UTC
Should be MODIFIED since 3.14.4-27 I believe.

Comment 7 Adam Williamson 2019-08-08 15:58:51 UTC
Unfortunately this still seems to be broken in current Rawhide. Will recreate manually later, but from openQA audit.log I can see a bunch of AVCs:

var/log/audit/audit.log:type=USER_AVC msg=audit(1565259535.281:182): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.328:195): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.329:196): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.331:197): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:200): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.346:201): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.348:202): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.357:203): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.593:206): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259566.615:208): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
var/log/audit/audit.log:type=USER_AVC msg=audit(1565259567.506:210): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
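
The two denial listings above (the permissive-mode kernel AVC records in comment 3 and the dbus-broker USER_AVC records in comment 7) have different layouts, which is why a grep for one misses the other: a kernel record carries the avc text directly after type=AVC, while a USER_AVC record nests it inside msg='...' because the check is performed in userspace by the bus daemon. The following is an added example, not code from this bug, from the selinux-policy project or from the timedatex author. It parses both record shapes, merges the denials into the (source type, target type, class) -> permissions sets that a fix would need, renders them as Type Enforcement allow statements in the same spirit as audit2allow, and separates the denials that actually blocked something (permissive=0) from those only logged under a permissive boot. The sample log is constructed from lines quoted in this bug; the function names and the audit2allow-style merging are this example's own choices, not any documented interface.

```python
import re
from collections import defaultdict

# Constructed sample log: kernel AVC records (ausearch layout, from a permissive
# boot) followed by USER_AVC records as dbus-broker emits them. Copied from the
# denials quoted in this bug; nothing beyond what the report shows is added.
SAMPLE_LOG = r"""
type=AVC msg=audit(1564443622.335:209): avc:  denied  { read } for  pid=1321 comm="timedatex" name="adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.335:210): avc:  denied  { open } for  pid=1321 comm="timedatex" path="/etc/adjtime" dev="dm-0" ino=786923 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1564443622.352:214): avc:  denied  { ioctl } for  pid=1321 comm="timedatex" path="/dev/rtc0" dev="devtmpfs" ino=1246 ioctlcmd=0x7009 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1565259541.326:194): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1565259541.332:198): pid=709 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
"""

# Matches the avc text wherever it sits on the line: bare after type=AVC, or
# nested inside msg='...' for USER_AVC. permissive= is optional because older
# records omit it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a full context user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield one dict per denial record found in text (kernel AVC or USER_AVC)."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but still allowed.
            "permissive": m.group("permissive") == "1",
            # True when the check was done in userspace (here: dbus-broker).
            "user_avc": "USER_AVC" in line,
        }


def summarize(denials):
    """Merge denials into {(stype, ttype, tclass): set(perms)} (audit2allow-style)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render merged denials as TE allow statements, sorted for stable output."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def enforced_denials(denials):
    """Only the denials that actually blocked an access (permissive=0)."""
    return [d for d in denials if not d["permissive"]]


if __name__ == "__main__":
    found = list(parse_avc_denials(SAMPLE_LOG))
    print(f"{len(found)} denials, {len(enforced_denials(found))} enforced")
    for rule in to_allow_rules(summarize(found)):
        print(rule)
```

Two caveats when reading output like this on a real system. First, the comment 3 listing was taken under permissive=1, so it shows every access timedatex needs in one boot; an enforcing boot stops at the first failure (the send_msg denial in the description), so the later file and chr_file denials only surface once the earlier rule is fixed, which is exactly the back-and-forth seen between comments 5 and 9. Second, the rendered allow statements describe what the policy must permit; they are a starting point for a fix in selinux-policy (as done here), not something to load as a local module without checking that each source/target pair is legitimately needed, since a dbus send_msg or acquire_svc rule grants the source domain the ability to talk to or impersonate a service on the system bus.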

Comment 8 Adam Williamson 2019-08-13 15:57:28 UTC
Ping? This is still happening and still breaking all Workstation tests. It is kind of a big problem. Thanks.

Comment 9 Lukas Vrabec 2019-08-13 16:39:09 UTC
commit c55a896148db8d2b16ef06149399a6c6b110d8b5 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 13 18:36:14 2019 +0200

    Update timedatex policy BZ(1734197)
    
    Added more allow rules for dbus communication with more services
    (policykit_t, init_t).


Also creating a new build. Sorry for noise (again and again :) )

Comment 10 Ben Cotton 2019-08-13 16:47:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 11 Adam Williamson 2019-08-16 21:11:48 UTC
This looks good in the recent Rawhide compose, see e.g. https://openqa.fedoraproject.org/tests/432379 - g-i-s runs. The matching f31 build is tagged stable, so even though we haven't had a Branched compose yet I think we can close this. Thanks.

Comment 12 Peter Larsen 2020-10-02 14:06:14 UTC
Fedora 32 - still an issue. Perhaps caused by something else (hard to tell):
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
audit[1346]: USER_AVC pid=1346 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=s>
              exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.14.5-43.fc32.noarch
selinux-policy-3.14.5-43.fc32.noarch
selinux-policy-minimum-3.14.5-43.fc32.noarch

