Bug 1872624
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | selinux issues with latest chrony | | |
| Product: | [Fedora] Fedora | Reporter: | Miroslav Lichvar <mlichvar> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 33 | CC: | angelapuget, dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.6-28.fc33 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-02 00:35:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1834855 | | |
Description

Miroslav Lichvar
2020-08-26 08:42:22 UTC

I haven't found an IANA port assignment, so I suppose the name will be nts-ke. It also looks like only TCP is used. https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/

I've submitted a Fedora PR to create the new port label: https://github.com/fedora-selinux/selinux-policy/pull/438

The service is called "ntske": https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=ntske

I made some pull requests for the NTS-KE part:
https://github.com/fedora-selinux/selinux-policy/pull/437
https://github.com/fedora-selinux/selinux-policy-contrib/pull/335
Please feel free to ignore/close, or modify as needed.

*** Bug 1883051 has been marked as a duplicate of this bug. ***

FEDORA-2020-a1e9ff2c00 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00

FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a1e9ff2c00` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

The NTS-KE fixes seem to be good. Thanks.

The DHCP-related AVCs are still there:
type=AVC msg=audit(1601548430.312:130): avc: denied { read } for pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc: denied { open } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc: denied { getattr } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1

FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.

The remaining AVCs will be resolved in bz#1880948 - now the runtime files also have the initrc_var_run_t type, different from the one originally reported.
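The triage step behind the comments above, as an added example that is not part of the bug report or the selinux-policy project: parse the quoted AVC lines, group them by (source type, target type, object class) with the union of denied permissions, and flag groups whose target is a generic label such as initrc_var_run_t, where the right fix is a file or port context rather than a new allow rule. The fourth audit line and the GENERIC_TARGET_TYPES set are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in the bug, plus one
# extra line (constructed, not from the bug) for a different object class.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1601548430.312:130): avc: denied { read } for pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc: denied { open } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc: denied { getattr } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.500:133): avc: denied { name_bind } for pid=470 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic labels (assumed list): a denial against one of these usually means
# the object is mislabeled, so the fix is a file/port context, not an allow
# rule. This bug ended with /run/chrony-dhcp files carrying initrc_var_run_t.
GENERIC_TARGET_TYPES = {"initrc_var_run_t", "var_run_t", "unreserved_port_t"}

def parse_avc(line):
    """Return the key=value fields of one AVC line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def type_of(context):
    # system_u:object_r:initrc_var_run_t:s0 -> initrc_var_run_t
    return context.split(":")[2]

def summarize(lines):
    """Group denials by (source, target, class) and union their permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return [
        {"source": s, "target": t, "tclass": c, "perms": sorted(p),
         "relabel_candidate": t in GENERIC_TARGET_TYPES}
        for (s, t, c), p in sorted(groups.items())
    ]
```

Feed it `ausearch -m avc` output instead of SAMPLE_AUDIT to triage a live host; a group flagged as a relabel candidate is the cue to check file contexts with `matchpathcon` before writing policy.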