CentOS > SELinux > /etc/localtime error

How do I fix this?

SELinux is preventing tzdata-update (tzdata_t) "unlink" to localtime (etc_t).

Detailed Description:

SELinux is preventing tzdata-update (tzdata_t) "unlink" to localtime (etc_t).
The SELinux type etc_t, is a generic type for all files in the directory and
very few processes (SELinux Domains) are allowed to write to this SELinux type.
This type of denial usual indicates a mislabeled file. By default a file created
in a directory has the gets the context of the parent directory, but SELinux
policy has rules about the creation of directories, that say if a process
running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (localtime) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'localtime'. If the file context does not change from etc_t, then this is
probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v 'localtime'

The following command will allow this access:

restorecon 'localtime'

Additional Information:

Source Context                root:system_r:tzdata_t:SystemLow-SystemHigh
Target Context                root:object_r:etc_t
Target Objects                localtime [ lnk_file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           glibc-common-2.5-118.el5_10.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-346.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     www.t1shopper.com
Platform                      Linux www.t1shopper.com 2.6.18-371.8.1.el5 #1 SMP
                              Thu Apr 24 18:19:36 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Jul 18 21:16:23 2014
Last Seen                     Fri Jul 18 21:16:23 2014
Local ID                      7c273cdf-e822-48f4-90a3-2e13b6e1996e
Line Numbers                  16744, 16745

Raw Audit Messages

type=AVC msg=audit(1405718183.87:560873): avc:  denied  { unlink } for  pid=2777 comm="tzdata-update" name="localtime" dev=dm-0 ino=29262001 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=root:object_r:etc_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1405718183.87:560873): arch=c000003e syscall=82 success=no exit=-13 a0=7fff66233ca0 a1=400cf9 a2=76 a3=6094e0 items=0 ppid=29416 pid=2777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=92051 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=root:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)


Geoff Millikan Asked:
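
Reading the raw AVC record from the question field by field, as an added example (not part of the original post or of any SELinux tool). The function names `avc_field`, `avc_perms`, `avc_type`, `avc_object_kind` and `avc_summary` are hypothetical helpers, and the sample line is the type=AVC message copied from above. The record's `tclass=lnk_file` and `name="localtime"` show that the denied object is the symlink itself, named without a directory.

```shell
#!/bin/sh
# Added example: summarise one SELinux AVC denial record (helper names are hypothetical).
# Sample input: the type=AVC line from the raw audit messages in the question.
AVC_SAMPLE='type=AVC msg=audit(1405718183.87:560873): avc:  denied  { unlink } for  pid=2777 comm="tzdata-update" name="localtime" dev=dm-0 ino=29262001 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=root:object_r:etc_t:s0 tclass=lnk_file'

# avc_field RECORD KEY: print the value of KEY=value with quotes stripped.
# Quoted values may contain spaces; unquoted values end at the next space.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        s = " " $0
        n = index(s, " " key "=")
        if (n == 0) exit 1
        v = substr(s, n + length(key) + 2)
        if (substr(v, 1, 1) == "\"") { v = substr(v, 2); sub(/".*/, "", v) }
        else sub(/ .*/, "", v)
        print v
    }'
}

# avc_perms RECORD: print the denied permission set found between { and }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# avc_type CONTEXT: print the type, the third field of user:role:type[:level].
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_object_kind TCLASS: name the kind of object a common file class refers to.
avc_object_kind() {
    case $1 in
        lnk_file) echo "symbolic link" ;;
        file)     echo "regular file" ;;
        dir)      echo "directory" ;;
        *)        echo "$1" ;;
    esac
}

# avc_summary RECORD: one-line summary; returns 1 for non-AVC records (e.g. SYSCALL).
avc_summary() {
    case $1 in *"avc:"*denied*) ;; *) echo "not an AVC denial" >&2; return 1 ;; esac
    printf '%s (%s) denied { %s } on %s "%s" labeled %s\n' \
        "$(avc_field "$1" comm)" "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" "$(avc_object_kind "$(avc_field "$1" tclass)")" \
        "$(avc_field "$1" name)" "$(avc_type "$(avc_field "$1" tcontext)")"
}

avc_summary "$AVC_SAMPLE"
```

Because `name=` holds only the last path component, the label to inspect is the one on the symlink `/etc/localtime` (the `Target Objects` line in the report), not the one on the file it points to.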

duncanb7 Commented:
The attachment you posted said to try:

You can attempt to fix file context by executing restorecon -v 'localtime'

And it suggests using restorecon '/etc/localtime' in this blog, which is similar to your issue, at

https://bugzilla.redhat.com/show_bug.cgi?id=517452

What command or utility tool did you recently run so that you have such an issue?

Duncan
Geoff Millikan (Author) Commented:
What command or utility tool did you recently run so that you have such an issue?
Probably when the system ran yum update it tried to update the timezone files.

Here's the steps I took to fix it which didn't seem to work because the security settings on the file didn't change.
[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# restorecon '/etc/localtime'
[root@www ~]# restorecon -v 'localtime'
lstat(localtime) failed: No such file or directory

[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# ls -Z /usr/share/zoneinfo/GMT
-rw-r--r--  root root system_u:object_r:locale_t       /usr/share/zoneinfo/GMT

duncanb7 Commented:
You are already in root access, so why would it have an issue? Could you do sudo with the command?

Duncan
Geoff Millikan (Author) Commented:
You are already in root access, so why would it have an issue?
I don't know, that's what I'm asking you!
duncanb7 Commented:
How about sudo?
Geoff Millikan (Author) Commented:
No change in permissions or context.
[root@www ~]# sudo restorecon -v '/etc/localtime'
[root@www ~]# ls -Z /etc/localtime
lrwxrwxrwx  root root root:object_r:etc_t              /etc/localtime -> /usr/share/zoneinfo/GMT

[root@www ~]# sudo restorecon -v '/usr/share/zoneinfo/GMT'
[root@www ~]# ls -Z '/usr/share/zoneinfo/GMT'
-rw-r--r--  root root system_u:object_r:locale_t       /usr/share/zoneinfo/GMT

duncanb7 Commented:
Could you check the file or directory permission privilege or right on that file /etc/localtime or its link file or directory?

Duncan
Geoff Millikan (Author) Commented:
Is this what you want?  If not, please give me exact commands to run.  Thanks.
drwxr-xr-x  root root system_u:object_r:etc_t          etc

drwxr-xr-x  root root system_u:object_r:locale_t       zoneinfo

Sandy Commented:
restorecon -R /etc localtime
duncanb7 Commented:
Sandy reminds me, thanks. Sorry, the tishopper question post mentioned:

Allowing Access:

You can attempt to fix file context by executing restorecon -v 'localtime'

The following command will allow this access:

restorecon 'localtime'

Additional Information:

So try
- TEST-1, restorecon -v 'localtime'
- TEST-2, restorcon 'localtme'
- TEST-3, restorecon -R -v  /etc 'localtime'
- TEST-4, restorecon -R   /etc 'localtime'

Probably it will work hopefully

Duncan
Geoff Millikan (Author) Commented:
I'm not sure if any of this fixed it but here's the status:
Sandy: The output of your solution is included below.
Duncanb7: Here's the output of the 4 tests.
[root@www ~]# restorecon -v 'localtime'
lstat(localtime) failed: No such file or directory
[root@www ~]# restorcon 'localtme'
-bash: restorcon: command not found
[root@www ~]# restorecon 'localtme'
lstat(localtme) failed: No such file or directory
[root@www ~]# restorecon 'localtime'
lstat(localtime) failed: No such file or directory
[root@www ~]# restorecon -R -v  /etc 'localtime'
restorecon reset /etc/aliases context root:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
restorecon reset /etc/dovecot.conf context root:object_r:etc_t:s0->system_u:object_r:dovecot_etc_t:s0
restorecon reset /etc/rc.d/init.d/php_mysql_memory_table_maxmind context root:object_r:etc_t:s0->system_u:object_r:initrc_exec_t:s0
restorecon reset /etc/my.cnf context root:object_r:etc_t:s0->system_u:object_r:mysqld_etc_t:s0
restorecon reset /etc/modprobe.d/anaconda.conf context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/aliases.original context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/openwsman/serverkey.pem context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/openwsman/servercert.pem context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/mkinitrd/multipath context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/iptables.2012-03-01.default.original context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-02-13 context root:object_r:etc_runtime_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2011-01-10 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables_base_configuration context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/ip6tables context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-04-20 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables.2013-08-31 context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/sysconfig/iptables-config context root:object_r:etc_t:s0->system_u:object_r:iptables_conf_t:s0
restorecon reset /etc/my.cnf.2013-03-01.original context system_u:object_r:mysqld_etc_t:s0->system_u:object_r:etc_t:s0
restorecon:  error while labeling files under localtime
[root@www ~]# restorecon -R   /etc 'localtime'
restorecon:  error while labeling files under localtime

Sandy Commented:
Hold on... you executed the correct command from the wrong path

# cd /etc/
# restorecon -R   /etc 'localtime'

# ls -lZ localtime

Now check and post...

TY/SA
Geoff Millikan (Author) Commented:
That all seemed to run successfully (see below).  Should it be fixed?
[root@www ~]# cd /etc/
[root@www etc]# restorecon -R   /etc 'localtime'
[root@www etc]# ls -lZ localtime
lrwxrwxrwx  root root root:object_r:etc_t              localtime -> /usr/share/zoneinfo/GMT
[root@www etc]#

Sandy Commented:
Seems like yes..  check and suggest

ty/sa
Question has a verified solution.