Bug 1284691

Summary: chronyd denial during installation
Product: [Fedora] Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Reporter: matt jia <mjia>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, edgar.hoch, lslebodn, lvrabec, mgrepl, mjia, plautrba, pstudeni
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-10-26 08:35:26 UTC

Description matt jia 2015-11-23 22:31:00 UTC
Description of problem:

Experienced chronyd denials when installing the latest rawhide.

The actual AVC denial is in the avc.log:

type=AVC msg=audit(1447735905.213:77): avc:  denied  { sendto } for  pid=571 comm="chronyd" path="/run/chrony/chronyc.590.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 1 Lukas Vrabec 2015-11-24 12:48:52 UTC
Hi, 
Could you attach output of:
ps -efZ | grep unconfined_service_t

Thank you.

Comment 2 Jan Kurik 2016-02-24 15:51:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 3 Pavel Studeník 2016-06-29 15:46:08 UTC
On Fedora 24 I received these AVC messages:

time->Tue Jun 28 20:09:52 2016
type=AVC msg=audit(1467158992.759:88): avc:  denied  { sendto } for  pid=797 comm="chronyd" path="/run/chrony/chronyc.803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 4 Pavel Studeník 2016-07-13 13:51:45 UTC
I see this message on a system with Fedora 23 as well.

time->Mon Jul 11 20:13:29 2016
type=AVC msg=audit(1468282409.735:108): avc:  denied  { sendto } for  pid=823 comm="chronyd" path="/run/chrony/chronyc.844.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 6 Edgar Hoch 2016-07-19 18:58:10 UTC
I have run the command of comment #24 on a Fedora 24 system:

# ps -efZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 root 1005 1  0 20:20 ?       00:00:00 /usr/libexec/udisks2/udisksd --no-debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2313 2239  0 20:55 pts/0 00:00:00 grep --color=auto unconfined_service_t

I have the same messages:

type=AVC msg=audit(1468952437.787:227): avc:  denied  { sendto } for  pid=1018 comm="chronyd" path="/run/chrony/chronyc.1108.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 7 Lukas Slebodnik 2016-08-27 14:37:10 UTC
It looks like an issue with service chrony-wait.service.

[root@host ~]# systemctl stop chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
<no matches>

[root@host ~]# systemctl start chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
----
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc:  denied  { sendto } for  pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1

It also looks like a duplicate of BZ1350815.
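
An added example, not part of the original report or of any Fedora tooling: a small Python parser that normalizes the AVC records quoted in this thread, in both the raw audit.log form and the `ausearch -i` interpreted form, and groups them by source type, target type, class and permission to show they are the same denial. The names `parse_avc` and `summarize` are hypothetical; the sample records are copied from comments 3 and 7.

```python
import re
from collections import Counter

# Records copied from this report: raw audit.log form (comment 3) and the
# `ausearch -i` form (comment 7), which drops quotes and rewrites the timestamp.
SAMPLE = '''\
time->Tue Jun 28 20:09:52 2016
type=AVC msg=audit(1467158992.759:88): avc:  denied  { sendto } for  pid=797 comm="chronyd" path="/run/chrony/chronyc.803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
----
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc:  denied  { sendto } for  pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # value is quoted or a bare token

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record: nothing to group on
    rec['perms'] = m.group('perms').split()
    # Contexts are user:role:type[:level]; policy rules are written on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but not blocked.
    rec['enforced'] = rec.get('permissive') != '1'
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line.strip())
        if rec is None:
            continue  # separators such as '----' and 'time->' lines
        for perm in rec['perms']:
            key = (rec['source_type'], rec['target_type'], rec['tclass'], perm)
            counts[key] += 1
    return counts

if __name__ == '__main__':
    for (src, tgt, cls, perm), n in summarize(SAMPLE).items():
        print(f'{n}x {src} -> {tgt} : {cls} {{ {perm} }}')
```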

Comment 8 Lukas Slebodnik 2016-09-30 18:16:04 UTC
Bump

Comment 9 Miroslav Grepl 2016-10-26 08:35:26 UTC

*** This bug has been marked as a duplicate of bug 1350815 ***