
Comments (5)

elsaco avatar elsaco commented on August 26, 2024

@liesenml SELinux is preventing timedatectl from modifying /etc/localtime

Sample journal entries when trying to change timezone to America/Los_Angeles:

systemd[1]: Starting Time & Date Service...
systemd-timedated[3450]: /etc/localtime should be a symbolic link to a time zone data file in /usr/share/zoneinfo/.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: Started Time & Date Service.
audit[3450]: AVC avc:  denied  { unlink } for  pid=3450 comm="systemd-timedat" name="localtime" dev="xvda1" ino=8778361 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
systemd-timedated[3450]: Changed time zone to 'America/Los_Angeles' (PDT).
audit[3447]: USER_END pid=3447 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
sudo[3447]: pam_unix(sudo:session): session closed for user root

If SELinux is temporarily disabled with setenforce 0 the timezone update will succeed w/out having to delete /etc/localtime first.

from amazon-linux-2023.

edwardvdv avatar edwardvdv commented on August 26, 2024

I can confirm this behaviour. The workaround by elsaco works.

from amazon-linux-2023.

 avatar commented on August 26, 2024

Hi, I confirmed that the current Amazon Linux 2022 SELinux feature is Permissive by default. Probably due to #180.
https://docs.aws.amazon.com/linux/al2022/ug/selinux-modes.html

By default, Security Enhanced Linux (SELinux) is enabled and set to permissive mode for Amazon Linux 2022. In permissive mode, permission denials are logged but not enforced. SELinux is a collection of kernel features and utilities to provide a strong, flexible, mandatory access control (MAC) architecture to the major subsystems of the kernel.

https://aws.amazon.com/linux/amazon-linux-2022/faqs/

Q: What is the default AL2022 SELinux configuration?

A: AL2022 will have SELinux in permissive mode by default. You can change SELinux settings to enforced mode via command line by executing ‘setenforce’ or by running this command on launch from cloud-init userdata. When the instance is rebooted, it will remember and use the SELinux setting that was specified the first time unless you change it. Please refer to the AL2022 documentation for more details.

I think we don't need elsaco's workaround anymore.

$ getenforce 
Permissive
$ curl -w '\n' 169.254.169.254/latest/meta-data/ami-id       
ami-0481d65847c3dfb90
$ timedatectl 
               Local time: Sat 2022-11-19 02:55:31 UTC
           Universal time: Sat 2022-11-19 02:55:31 UTC
                 RTC time: Sat 2022-11-19 02:55:30
                Time zone: n/a (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
$ sudo timedatectl set-timezone Asia/Tokyo
$ timedatectl 
               Local time: Sat 2022-11-19 11:55:43 JST
           Universal time: Sat 2022-11-19 02:55:43 UTC
                 RTC time: Sat 2022-11-19 02:55:43
                Time zone: Asia/Tokyo (JST, +0900)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
$
$ journalctl -u systemd-timedated
...
...
Nov 19 11:55:31 ip-172-31-20-224.ap-northeast-1.compute.internal systemd[1]: Started systemd-timedated.service - Time & Date Service.
Nov 19 11:55:41 ip-172-31-20-224.ap-northeast-1.compute.internal systemd-timedated[2078]: Changed time zone to 'Asia/Tokyo' (JST).
Nov 19 11:56:13 ip-172-31-20-224.ap-northeast-1.compute.internal systemd[1]: systemd-timedated.service: Deactivated successfully.
$

from amazon-linux-2023.

nmeyerhans avatar nmeyerhans commented on August 26, 2024

I've confirmed that this issue is still present in the AL2023 GA AMIs. Since we're running in permissive mode by default, functionality is not impaired and changing timezones works as intended, but the avc: denied messages do indicate that this operation would fail if you were to switch to enforcing mode.

If you do need to use timedatectl to change the timezone after enabling enforcing mode, you should be able to remove /etc/localtime manually before invoking it.

Will see about getting this fixed in a future release.

from amazon-linux-2023.
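How the AVC record quoted in this thread breaks down, as an added example that is not part of the original comments or of Amazon Linux's own tooling: it parses `avc: denied` lines and separates accesses that were only logged (`permissive=1`) from ones that were actually blocked (`permissive=0`). The second sample line and all function names are constructed for illustration.

```python
import re

# Line 1 is the AVC record quoted in the thread. Line 2 is constructed (same
# access with permissive=0) to show an enforcing-mode denial. Line 3 is not an AVC.
SAMPLE_LOG = """\
audit[3450]: AVC avc:  denied  { unlink } for  pid=3450 comm="systemd-timedat" name="localtime" dev="xvda1" ino=8778361 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit[4101]: AVC avc:  denied  { unlink } for  pid=4101 comm="systemd-timedat" name="localtime" dev="xvda1" ino=8778361 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
systemd-timedated[3450]: Changed time zone to 'America/Los_Angeles' (PDT).
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one journal/audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    mode = fields.get('permissive')  # older kernels omit this field
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': setype(fields.get('scontext', '')),
        'target_type': setype(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'enforced': None if mode is None else mode == '0',
    }

def classify(log_text):
    """Group denied (source, perm, target, class) tuples by whether they were enforced."""
    out = {'logged_only': set(), 'blocked': set(), 'unknown': set()}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = {False: 'logged_only', True: 'blocked', None: 'unknown'}[rec['enforced']]
        for perm in rec['perms']:
            out[key].add((rec['source_type'], perm, rec['target_type'], rec['tclass']))
    return out
```

Entries under `logged_only` are the ones to review before switching a host from permissive to enforcing, since the operation succeeded only because the denial was not enforced.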

nmeyerhans avatar nmeyerhans commented on August 26, 2024

This is resolved in current AL2023 releases with selinux-policy-36.16-1.amzn2023.0.3

from amazon-linux-2023.
