Bug 1243764
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Failed to lock /var/run/chrony-helper | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Qian Guo <qiguo> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.2 | CC: | ilmostro7, jburke, jstancek, juzhang, lvrabec, mgrepl, michen, mmalik, plautrba, pvrabec, qiguo, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-47.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 10:41:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Qian Guo
2015-07-16 09:18:36 UTC
Could you attach AVC msgs?

(In reply to Miroslav Grepl from comment #2)
> Could you attach AVC msgs?

The corresponding AVC log:
...
type=AVC msg=audit(1438738425.637:1356): avc: denied { write } for pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1438738425.637:1356): arch=c000003e syscall=2 success=no exit=-13 a0=222a3b0 a1=241 a2=1b6 a3=1 items=0 ppid=10859 pid=10915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=115 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1438738425.637:1357): avc: denied { write } for pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1438738425.637:1357): arch=c000003e syscall=2 success=no exit=-13 a0=222a3b0 a1=201 a2=1b6 a3=1 items=0 ppid=10859 pid=10915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=115 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

It looks like we want to label chrony-helper. Could you test it with
# chcon -t chronyd_exec_t PATHTO/chrony-helper
Thanks.

1. When doing
# chcon -t chronyd_exec_t PATHTO/chrony-helper
the AVC log:
type=USER_ACCT msg=audit(1438831201.122:1540): pid=6739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1438831201.122:1541): pid=6739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1438831201.123:1542): pid=6739 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=151 res=1
type=USER_AVC msg=audit(1438831201.133:1543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_START msg=audit(1438831201.136:1544): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1438831201.136:1545): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1438831201.145:1546): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1438831201.147:1547): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
2. Try to get an IP address via dhclient:
# dhclient switch
mkdir: cannot create directory ‘/var/run/chrony-helper’: File exists
/usr/libexec/chrony-helper: line 138: /var/run/chrony-helper/lock: Permission denied
flock: 100: Bad file descriptor
Failed to lock /var/run/chrony-helper
3. Then got a new log:
type=AVC msg=audit(1438831362.291:1548): avc: denied { read } for pid=6860 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=21722 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1438831362.291:1548): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=1d00010 a2=90800 a3=0 items=0 ppid=6804 pid=6860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Hope this helps.
Thanks,
qian
After loading the policy module:

# getenforce
Enforcing
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper/
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 lock
#

everything is OK, until you call restorecon:

# restorecon -Rv /var/run/chrony-helper/
restorecon reset /run/chrony-helper context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
restorecon reset /run/chrony-helper/added_servers context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
restorecon reset /run/chrony-helper/lock context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
#
# ls -Z /var/run/chrony-helper/
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 lock

is not OK.

We should see chronyd_var_run_t if it is created by the chrony-helper. Do you have chronyd_exec_t labeling for /usr/libexec/chrony-helper if you test it with the transition?

Sorry, the chrony-helper was labeled bin_t.
# chcon -t chronyd_exec_t /usr/libexec/chrony-helper
# rm -rf /var/run/chrony-helper/
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper
ls: cannot access /var/run/chrony-helper: No such file or directory
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=SYSCALL msg=audit(08/06/2015 10:20:23.195:346) : arch=ppc64 syscall=stat success=no exit=-13(Permission denied) a0=0x1001bd5a410 a1=0x3ffff6f19278 a2=0x3ffff6f19278 a3=0x8 items=0 ppid=7273 pid=7304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/06/2015 10:20:23.195:346) : avc: denied { search } for pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/06/2015 10:20:23.195:345) : arch=ppc64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x1001bd671b0 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=0 ppid=7273 pid=7304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/06/2015 10:20:23.195:345) : avc: denied { read } for pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/06/2015 10:20:30.646:348) : arch=ppc64 syscall=stat success=no exit=-13(Permission denied) a0=0x1000834b580 a1=0x3fffe5448798 a2=0x3fffe5448798 a3=0x8 items=0 ppid=7339 pid=7395 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/06/2015 10:20:30.646:348) : avc: denied { search } for pid=7395 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/06/2015 10:20:30.646:347) : arch=ppc64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x10008358320 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=0 ppid=7339 pid=7395 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/06/2015 10:20:30.646:347) : avc: denied { read } for pid=7395 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
----
Ok, what about permissive mode?

# chcon -t chronyd_exec_t /usr/libexec/chrony-helper
# rm -rf /var/run/chrony-helper/
# setenforce 0
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper
-rw-r--r--. root root unconfined_u:object_r:chronyd_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:chronyd_var_run_t:s0 lock
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PATH msg=audit(08/07/2015 06:47:43.458:459) : item=0 name=/var/lib/dhclient/ inode=68053817 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 objtype=NORMAL
type=CWD msg=audit(08/07/2015 06:47:43.458:459) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/07/2015 06:47:43.458:459) : arch=s390x syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x908b0130 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=61882 pid=61907 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc: denied { open } for pid=61907 comm=chrony-helper path=/var/lib/dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc: denied { read } for pid=61907 comm=chrony-helper name=dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
----
type=PATH msg=audit(08/07/2015 06:47:50.778:461) : item=0 name=/bin/mkdir inode=100902660 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL
type=CWD msg=audit(08/07/2015 06:47:50.778:461) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:461) : arch=s390x syscall=access success=yes exit=0 a0=0xaa1ed690 a1=X_OK a2=0x3fffffe7318 a3=0x3ff00000000 items=1 ppid=61936 pid=61985 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/07/2015 06:47:50.778:461) : avc: denied { execute } for pid=61985 comm=chrony-helper name=mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
type=PATH msg=audit(08/07/2015 06:47:50.778:460) : item=0 name=/var/lib/dhclient/chrony.servers.eth0 inode=68803592 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:dhcpc_state_t:s0 objtype=NORMAL
type=CWD msg=audit(08/07/2015 06:47:50.778:460) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:460) : arch=s390x syscall=stat success=yes exit=0 a0=0xaa1ed550 a1=0x3fffffe7178 a2=0x3fffffe7178 a3=0x800be0e0 items=1 ppid=61936 pid=61985 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/07/2015 06:47:50.778:460) : avc: denied { getattr } for pid=61985 comm=chrony-helper path=/var/lib/dhclient/chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file
----
type=PATH msg=audit(08/07/2015 06:47:50.778:462) : item=1 name=/lib/ld64.so.1 inode=146938 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(08/07/2015 06:47:50.778:462) : item=0 name=/bin/mkdir inode=100902660 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL
type=CWD msg=audit(08/07/2015 06:47:50.778:462) : cwd=/etc/sysconfig/network-scripts
type=EXECVE msg=audit(08/07/2015 06:47:50.778:462) : argc=3 a0=mkdir a1=-p a2=/var/run/chrony-helper
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:462) : arch=s390x syscall=execve success=yes exit=0 a0=0xaa1ed690 a1=0xaa1de070 a2=0xaa1edd30 a3=0x0 items=2 ppid=61985 pid=61986 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=mkdir exe=/usr/bin/mkdir subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/07/2015 06:47:50.778:462) : avc: denied { execute_no_trans } for pid=61986 comm=chrony-helper path=/usr/bin/mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
type=PATH msg=audit(08/07/2015 06:47:50.788:463) : item=0 name=/var/lib/dhclient/chrony.servers.eth0 inode=68803592 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:dhcpc_state_t:s0 objtype=NORMAL
type=CWD msg=audit(08/07/2015 06:47:50.788:463) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/07/2015 06:47:50.788:463) : arch=s390x syscall=open success=yes exit=3 a0=0x3fffffd8a1e a1=O_RDONLY a2=0x3fffffd7928 a3=0x3ff00000000 items=1 ppid=61989 pid=61990 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=cat exe=/usr/bin/cat subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/07/2015 06:47:50.788:463) : avc: denied { open } for pid=61990 comm=cat path=/var/lib/dhclient/chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(08/07/2015 06:47:50.788:463) : avc: denied { read } for pid=61990 comm=cat name=chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file
----
Great, it looks much better. So we need to add labeling for chrony-helper and add additional fixes from AVCs. Again thank you for testing.

commit 3399c01f1675823cc09298250d340b10816838ee
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 10 17:34:45 2015 +0200

    Allow chronyd to execute mkdir command.

commit 8914c0feb7c1c1fa73ccc4acbcf88ef8229c4f18
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 10 17:23:59 2015 +0200

    Allow chronyd_t to read dhcpc state.

commit 70a0cea5b8dca4a95523d7f521c646ae31c467d4
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 10 17:21:09 2015 +0200

    Label /usr/libexec/chrony-helper as chronyd_exec_t
Seen on various machines in enforcing mode:
----
time->Tue Aug 11 14:05:22 2015
type=SYSCALL msg=audit(1439316322.366:209): arch=80000015 syscall=106 success=no exit=-13 a0=10027b9bef0 a1=3ffffed37468 a2=3ffffed37468 a3=0 items=0 ppid=32203 pid=32217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chrony-helper" exe="/usr/bin/bash" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1439316322.366:209): avc: denied { getattr } for pid=32217 comm="chrony-helper" path="/usr/bin/systemctl" dev="dm-0" ino=136713910 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
# grep systemctl /usr/libexec/chrony-helper
systemctl enable "$timer"
systemctl start "$timer"
systemctl stop "$timer"
systemctl disable "$timer"
systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
#
Hi Milos,
What about permissive mode?

One of our TCs also triggers the following AVC on all architectures:
----
time->Sat Aug 15 08:54:17 2015
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25713 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:ptp4l_t:s0 ocomm="ptp4l"
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25694 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:timemaster_t:s0 ocomm="timemaster"
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25712 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:chronyd_t:s0 ocomm="chronyd"
type=SYSCALL msg=audit(1439621657.053:3328): arch=c000003e syscall=62 success=yes exit=0 a0=0 a1=f a2=7f48cb72f780 a3=4000 items=0 ppid=1 pid=25694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="timemaster" exe="/usr/sbin/timemaster" subj=system_u:system_r:timemaster_t:s0 key=(null)
type=AVC msg=audit(1439621657.053:3328): avc: denied { signal } for pid=25694 comm="timemaster" scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
----
commit 0a8bbfd5f943af43310567be7ff84b678ad067a8
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 17 14:33:59 2015 +0200

    Allow chronyd exec systemctl
    Resolves: #1243764

commit 00e2cada75582a5cf594d28deefefe6a52f650d6
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 17 12:01:33 2015 +0200

    Add interface chronyd_signal
    Allow timemaster_t send generic signals to chronyd_t.
    Resolves: #1243764
----
time->Mon Aug 24 05:08:07 2015
type=SYSCALL msg=audit(1440389287.693:2223): arch=80000015 syscall=106 success=no exit=-13 a0=10016c108f0 a1=3fffd17552a8 a2=3fffd17552a8 a3=0 items=0 ppid=11688 pid=11710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/usr/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1440389287.693:2223): avc: denied { getattr } for pid=11710 comm="dhclient-script" path="/usr/libexec/chrony-helper" dev="dm-9" ino=136647523 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
Milos, is it permissive mode? Thank you.

Enforcing mode:
----
type=PATH msg=audit(08/26/2015 14:36:00.111:1100) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(08/26/2015 14:36:00.111:1100) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/26/2015 14:36:00.111:1100) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xfb67b0 a1=0x7ffd695825a0 a2=0x7ffd695825a0 a3=0x7ffd695823d0 items=1 ppid=15705 pid=15747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(08/26/2015 14:36:00.111:1100) : avc: denied { getattr } for pid=15747 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
type=PATH msg=audit(08/26/2015 14:36:00.111:1101) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(08/26/2015 14:36:00.111:1101) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(08/26/2015 14:36:00.111:1101) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xfb67b0 a1=0x7ffd69582580 a2=0x7ffd69582580 a3=0x7ffd695823d0 items=1 ppid=15705 pid=15747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(08/26/2015 14:36:00.111:1101) : avc: denied { getattr } for pid=15747 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
Permissive mode:
----
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=33658113 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=1 name=/bin/bash inode=17436826 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 objtype=NORMAL
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(08/26/2015 14:37:59.293:1108) : cwd=/etc/sysconfig/network-scripts
type=EXECVE msg=audit(08/26/2015 14:37:59.293:1108) : argc=3 a0=/bin/bash a1=/usr/libexec/chrony-helper a2=update-daemon
type=SYSCALL msg=audit(08/26/2015 14:37:59.293:1108) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1cd7a80 a1=0x1cce230 a2=0x1c4c030 a3=0x7ffd4a635ca0 items=3 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc: denied { execute_no_trans } for pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc: denied { read open } for pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc: denied { execute } for pid=16316 comm=dhclient-script name=chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/26/2015 14:37:59.296:1109) : arch=x86_64 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffc3e01b080 a3=0x7ffc3e01ae90 items=0 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(08/26/2015 14:37:59.296:1109) : avc: denied { ioctl } for pid=16316 comm=chrony-helper path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/26/2015 14:37:59.296:1110) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xff a1=0x7ffc3e01b020 a2=0x7ffc3e01b020 a3=0x7ffc3e01ada0 items=0 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(08/26/2015 14:37:59.296:1110) : avc: denied { getattr } for pid=16316 comm=chrony-helper path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----
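The denials quoted in this thread fall into three kinds, and the fix the maintainers landed treats each differently: a write to a generic type such as var_run_t (a missing file context, fixed by labeling, which is why the first reaction above was "we want to label chrony-helper"), execute_no_trans on a *_exec_t entrypoint from a foreign domain (a missing domain transition, which is the dhcpc_t to chronyd_t case), and ordinary missing permissions inside the helper's own domain (plain allow rules, the mkdir and dhcpc_state_t cases). The shell function below is an added editor's example, not part of the bug report or of selinux-policy: it reads raw audit.log lines or `ausearch -i` output on stdin, merges permissions per (source type, target type, class) the way audit2allow would, and appends a hint where an allow rule would be the wrong fix. It needs only POSIX sed, sort and awk. The sample lines are copied from the comments above; the hint wording and the bucket rules are my own.

```shell
#!/bin/sh
# avc_triage: summarise AVC denials into candidate allow rules, one per
# (source type, target type, class), and flag the cases where an allow rule is
# the wrong fix.  Accepts raw audit.log lines and `ausearch -i` output.
avc_triage() {
    # 1. pull "source target class perm1 perm2 ..." out of every denial line
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z0-9_]*\).*/\2 \3 \4 \1/p' |
    # 2. one line per permission, so that sort -u merges duplicates across lines
    awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' |
    LC_ALL=C sort -u |
    # 3. fold consecutive lines with the same (source, target, class) into one rule
    awk '
        function emit(    s, t, c, kv, tc, hint) {
            split(prev, kv, " "); s = kv[1]; split(kv[2], tc, ":"); t = tc[1]; c = tc[2]
            hint = ""
            if (c == "file" && t ~ /_exec_t$/ && perms ~ /execute_no_trans/)
                hint = "  # " s " would run this " t " entrypoint in its own domain: add a domain transition instead"
            else if (t == "var_run_t" || t == "var_lib_t" || t == "var_t")
                hint = "  # generic target type: usually a missing file context, relabel before allowing"
            printf "allow %s %s:%s { %s };%s\n", s, t, c, perms, hint
        }
        { key = $1 " " $2 ":" $3 }
        key != prev { if (prev != "") emit(); prev = key; perms = $4; next }
        { perms = perms " " $4 }
        END { if (prev != "") emit() }'
}

# Sample denials copied from the comments in this bug (raw audit.log form and
# `ausearch -i` form mixed); this is the stand-alone input.
SAMPLE_AVCS='type=AVC msg=audit(1438738425.637:1356): avc: denied { write } for pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(08/06/2015 10:20:23.195:346) : avc:  denied  { search } for  pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc:  denied  { open } for  pid=61907 comm=chrony-helper path=/var/lib/dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc:  denied  { read } for  pid=61907 comm=chrony-helper name=dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(08/07/2015 06:47:50.778:461) : avc:  denied  { execute } for  pid=61985 comm=chrony-helper name=mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(08/07/2015 06:47:50.778:462) : avc:  denied  { execute_no_trans } for  pid=61986 comm=chrony-helper path=/usr/bin/mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(08/07/2015 06:47:50.788:463) : avc:  denied  { read } for  pid=61990 comm=cat name=chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(1439316322.366:209): avc: denied { getattr } for pid=32217 comm="chrony-helper" path="/usr/bin/systemctl" dev="dm-0" ino=136713910 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1439621657.053:3328): avc: denied { signal } for pid=25694 comm="timemaster" scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { execute_no_trans } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { read open } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file'

# Stand-alone run; on a real host use: ausearch -m avc -ts recent | avc_triage
printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

On the sample above this prints seven rules. Only two carry a hint: the dhcpc_t write to var_run_t (the very first denial in this bug) and the dhcpc_t execute_no_trans on chronyd_exec_t (the one that appeared once the helper was relabeled); the chronyd_t execute_no_trans on bin_t gets none, because a daemon domain running mkdir in place is exactly what the "Allow chronyd to execute mkdir command" commit grants.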
commit 2977dd17f69b299a14b4eee2366bbef885b821b4
Author: Lukas Vrabec <lvrabec>
Date: Thu Aug 27 11:17:52 2015 +0200

    Allow dhcpc_t domain transition to chronyd_t
    Resolves: #1243764

commit f996ef449bfe5d25e7e979dd72a6763c1a81bf19
Author: Lukas Vrabec <lvrabec>
Date: Thu Aug 13 13:23:54 2015 +0200

    Label /var/run/chrony-helper dir as chronyd_var_run_t.
    Resolves: #1243764
SELinux is preventing /usr/bin/bash from read access on the file /usr/libexec/chrony-helper.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed read access on the chrony-helper file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep dhclient-script /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:dhcpc_t:s0
Target Context system_u:object_r:chronyd_exec_t:s0
Target Objects /usr/libexec/chrony-helper [ file ]
Source dhclient-script
Source Path /usr/bin/bash
Port <Unknown>
Host fedpadssd.airportx
Source RPM Packages bash-4.2.46-19.el7.x86_64
Target RPM Packages chrony-2.1.1-1.el7.x86_64
Policy RPM selinux-policy-3.13.1-44.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedpadssd.airportx
Platform Linux fedpadssd.airportx 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Aug 25 11:21:22 EDT 2015 x86_64 x86_64
Alert Count 85
First Seen 2015-09-19 19:09:55 CDT
Last Seen 2015-10-09 09:12:41 CDT
Local ID c37a338c-b22f-45bb-9e23-4a4dbcb823eb
Raw Audit Messages
type=AVC msg=audit(1444399961.416:5187): avc: denied { read } for pid=27547 comm="dhclient-script" name="chrony-helper" dev="dm-0" ino=135336661 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1444399961.416:5187): arch=x86_64 syscall=open success=no exit=EACCES a0=c945c0 a1=0 a2=43 a3=7ffce791c080 items=0 ppid=27500 pid=27547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)
Hash: dhclient-script,dhcpc_t,chronyd_exec_t,file,read
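The setroubleshoot report above ends with the stock `audit2allow -M mypol` advice. Run on these denials, audit2allow emits `allow dhcpc_t chronyd_exec_t:file { read open execute execute_no_trans };`, which makes the message go away but keeps chrony-helper running as dhcpc_t, with dhclient's permissions and none of chronyd's, which is the opposite of what the commits in this bug do. The script below is an added editor's example, not the errata policy and not part of the bug report: it builds a local module that follows the commits instead, for a host still on selinux-policy-3.13.1-44.el7. It labels the helper chronyd_exec_t, gives dhcpc_t a domain transition into chronyd_t, grants chronyd_t the accesses the permissive-mode AVCs showed, labels /var/run/chrony-helper as chronyd_var_run_t and lets timemaster_t signal chronyd_t. The module name local_chrony_helper and the exact permission lists are my assumptions; rules are written as raw allow statements because checkmodule does not expand the interface macros the distribution policy uses. Two caveats: on policies that know the `map` file permission (RHEL 7.5 and later) add it to the dhcpc_t rule on chronyd_exec_t, and, as Milos did above, exercise `dhclient -r; dhclient eth0` in permissive mode after loading and check ausearch for anything this rule set still misses (systemctl in particular may need more than the execute permission seen in the AVCs here).

```shell
#!/bin/sh
# Build and install a local SELinux module that implements the fixes described in
# this bug for hosts still on selinux-policy < 3.13.1-47.el7.  Editor's example;
# the module name and the raw rule set are assumptions, not the errata policy.
set -e
MOD=local_chrony_helper

local_chrony_helper_te() {
cat <<'EOF'
module local_chrony_helper 1.0;

require {
    type dhcpc_t; type chronyd_t; type chronyd_exec_t; type timemaster_t;
    type dhcpc_state_t; type bin_t; type systemd_systemctl_exec_t;
    class file { getattr open read execute execute_no_trans entrypoint };
    class dir { getattr open read search };
    class process { transition sigchld signal siginh rlimitinh noatsecure };
    class fd use;
    class fifo_file { getattr read write ioctl };
}

# 1. dhclient-script (dhcpc_t) runs /usr/libexec/chrony-helper; the helper must
#    switch to chronyd_t instead of inheriting dhcpc_t ("Allow dhcpc_t domain
#    transition to chronyd_t").  Add "map" to the first rule on RHEL 7.5+.
allow dhcpc_t chronyd_exec_t:file { getattr open read execute };
allow dhcpc_t chronyd_t:process transition;
dontaudit dhcpc_t chronyd_t:process { siginh rlimitinh noatsecure };
type_transition dhcpc_t chronyd_exec_t:process chronyd_t;
allow chronyd_t chronyd_exec_t:file entrypoint;
# the child inherits dhclient-script's descriptors/pipes and reports exit via SIGCHLD
allow chronyd_t dhcpc_t:fd use;
allow chronyd_t dhcpc_t:fifo_file { getattr read write ioctl };
allow chronyd_t dhcpc_t:process sigchld;

# 2. what chrony-helper needs once it runs as chronyd_t, from the permissive-mode
#    AVCs ("read dhcpc state", "execute mkdir", "exec systemctl")
allow chronyd_t dhcpc_state_t:dir { getattr open read search };
allow chronyd_t dhcpc_state_t:file { getattr open read };
allow chronyd_t bin_t:file { getattr open read execute execute_no_trans };
allow chronyd_t systemd_systemctl_exec_t:file { getattr open read execute execute_no_trans };

# 3. timemaster signals the chronyd it spawned ("Add interface chronyd_signal")
allow timemaster_t chronyd_t:process signal;
EOF
}

# File contexts: the helper becomes a chronyd entrypoint and its runtime dir is
# chronyd's, so restorecon no longer resets it to var_run_t as seen above.
local_chrony_helper_fc() {
cat <<'EOF'
/usr/libexec/chrony-helper      --   system_u:object_r:chronyd_exec_t:s0
/var/run/chrony-helper(/.*)?         system_u:object_r:chronyd_var_run_t:s0
EOF
}

# Compile, package with the file contexts, load, and relabel the two paths.
install_local_chrony_helper() {
    local_chrony_helper_te > "$MOD.te"
    local_chrony_helper_fc > "$MOD.fc"
    checkmodule -M -m -o "$MOD.mod" "$MOD.te"
    semodule_package -o "$MOD.pp" -m "$MOD.mod" -f "$MOD.fc"
    semodule -i "$MOD.pp"
    restorecon -Rv /usr/libexec/chrony-helper /var/run/chrony-helper
}

# Stand-alone: print the generated policy.  On the affected host run
# install_local_chrony_helper as root, then re-test dhclient in permissive mode.
local_chrony_helper_te
```

Once the errata policy (3.13.1-47.el7 or later) is installed, remove the local module with `semodule -r local_chrony_helper` so its file-context entries do not shadow the distribution ones.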
The problem is fixed in selinux-policy 3.13.1-47.el7 and above.

# rpm -q selinux-policy
selinux-policy-3.13.1-44.el7.noarch

Uhh... am I missing something? 3.13.1-47.el7 vs. 3.13.1-44.el7. I assumed 3.13.1-47 would be pushed to the RHEL 7.2 repos by now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html