Need help debugging selinux + systemd-timesyncd issue

I’ve got a fresh install of Tumbleweed. Only a week or so old. This issue has been there since the beginning. Apparently, systemd-timesyncd cannot start (as a service) when selinux is in enforcing mode. I can confirm that it starts when set to permissive mode.

systemd-timesyncd wants to watch the /run/systemd (aliased for /var/run/systemd) directory, but does not have permission. From checking the filecontexts, I can deduce that it does have permissions on a particular subset of (potential) subdirectories, using sudo /usr/sbin/semanage fcontext -l. It seems reasonable to think that watch /run/systemd is a recent addition. Just in case, I did check with restorecon -Rv /var/run that security labels for selinux are in place and correct.

I’m not sure how I can configure the selinux configuration such that the process context label and the label for access to /var/run/systemd match up. This seems mostly a matter of missing information and tools to make the changes that I have in mind, but maybe I misunderstand the issue itself.

----
time->Fri Jan 27 19:04:15 2023
type=USER_AVC msg=audit(1674842655.829:1298): pid=944 uid=472 auid=4294967295 ses=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc:  op=load_policy lsm=selinux seqno=2 res=1 exe="/usr/sbin/nscd" sauid=472 hostname=? addr=? terminal=?'
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.017:1305): avc:  denied  { watch } for  pid=7999 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.133:1313): avc:  denied  { watch } for  pid=8002 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.245:1319): avc:  denied  { watch } for  pid=8006 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.357:1325): avc:  denied  { watch } for  pid=8009 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.469:1331): avc:  denied  { watch } for  pid=8012 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0

Bug reported.
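Added example, not part of the original post: a small Python parser that collapses the repeated AVC records above into distinct denials and prints the type-enforcement rule each one corresponds to. The sample log is constructed from records quoted in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the USER_AVC record and two of the AVC records quoted in the post.
SAMPLE = """----
time->Fri Jan 27 19:04:15 2023
type=USER_AVC msg=audit(1674842655.829:1298): pid=944 uid=472 auid=4294967295 ses=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc:  op=load_policy lsm=selinux seqno=2 res=1 exe="/usr/sbin/nscd" sauid=472 hostname=? addr=? terminal=?'
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.017:1305): avc:  denied  { watch } for  pid=7999 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
----
time->Fri Jan 27 19:04:16 2023
type=AVC msg=audit(1674842656.133:1313): avc:  denied  { watch } for  pid=8002 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
"""

# Matches kernel AVC denials only; USER_AVC records, separators and timestamps do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials per (source type, target type, object class, permission)."""
    denials = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m["perms"].split():
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perm)
            denials[key] += 1
    return denials

def candidate_rules(denials):
    """Render each distinct denial as the allow rule that would permit it."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in denials)

if __name__ == "__main__":
    found = summarize(SAMPLE)
    for rule in candidate_rules(found):
        print(rule)
    print(f"{sum(found.values())} denial records, {len(found)} distinct")
```

The printed rule has the same form that audit2allow generates from such records. Every AVC record in the post reduces to this one source type, target type, class and permission.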