Bug 1669839
| Summary: | SELinux denials for chrony during FreeIPA server upgrade | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 29 | CC: | dmoluguw, dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | openqa | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-05-24 21:49:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit f9e7e9d66adcfa49e62a196d14dd7c41ed07fa7b (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Thu Feb 21 13:40:34 2019 +0100
Allow chronyd_t domain to send data over dgram socket
Note: we need this fixed for 29 and 30 too, not just Rawhide... Will be part also of builds for Fedora 29 and Fedora 30 and Rawhide. selinux-policy-3.14.2-51.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. It doesn't seem like this really got fixed in F29. We still get these denials in current tests, e.g. here is the latest: https://openqa.fedoraproject.org/tests/397822 https://openqa.fedoraproject.org/tests/397822/file/_console_avc_crash-avcs.txt Still shows these AVCs: ---- time->Wed May 8 11:50:14 2019 type=AVC msg=audit(1557330614.249:284): avc: denied { sendto } for pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 ---- time->Wed May 8 11:50:15 2019 type=AVC msg=audit(1557330615.250:285): avc: denied { sendto } for pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 ---- time->Wed May 8 11:50:17 2019 type=AVC msg=audit(1557330617.252:286): avc: denied { sendto } for pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 I suppose it may be that the fix is needed in F28 policy (since we're testing an F28 to F29 upgrade here), and we never sent it to F28 branch? Hi Adam,
You're right, I backported these changes to F28.
commit 1d0bdb608b131a45ae410bc5f1c0ae77118190fa (HEAD -> f28, origin/f28)
Author: Lukas Vrabec <lvrabec>
Date: Thu Feb 21 13:40:34 2019 +0100
Allow chronyd_t domain to send data over dgram socket
selinux-policy-3.14.2-59.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619 selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619 selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
There's an openQA test which tests upgrading a FreeIPA server from one release to another. When it does this for Fedora 28 to Fedora 29, three SELinux denials for chrony occurs when the freeipa-server scriptlets are running during the upgrade. Here they are: ---- time->Wed Jan 23 11:03:36 2019 type=AVC msg=audit(1548259416.477:287): avc: denied { sendto } for pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 ---- time->Wed Jan 23 11:03:37 2019 type=AVC msg=audit(1548259417.479:288): avc: denied { sendto } for pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 ---- time->Wed Jan 23 11:03:39 2019 type=AVC msg=audit(1548259419.480:289): avc: denied { sendto } for pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0 After adjusting for timezones, I'm pretty sure they happen during this seven minute gap in the upgrade logs, which is where the freeipa-server %post script is running: 2019-01-23T16:03:30Z INFO Installed: freeipa-server-4.7.2-1.fc28.x86_64 2019-01-23T16:03:30Z INFO Installed: freeipa-server-dns-4.7.2-1.fc28.noarch 2019-01-23T16:03:30Z INFO Installed: freeipa-server-trust-ad-4.7.2-1.fc28.x86_64 2019-01-23T16:10:53Z INFO --- logging initialized --- I don't see any obvious terrible consequences of this, but it seems worth fixing.