Bug 2101910

Summary: rhel9 avc denied with rm and dhclient-script
Product: Red Hat Enterprise Linux 9
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.1
CC: lvrabec, mmalik, nknazeko, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-34.1.40-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: The /run/chrony-dhcp/ directory is created by the dhclient-script, but it gets a wrong label, which then leads to an SELinux denial when the chronyd service is restarted for any reason.
Consequence: The automated TC failed because of the missing policy rule.
Fix: Update the chronyd_pid_filetrans() interface to allow the caller domain to create the /run/chrony-dhcp directory.
Result: No AVC denials.
Story Points: ---
Last Closed: 2022-11-15 11:13:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Zdenek Pytela 2022-06-28 18:22:56 UTC
This bug was initially created as a copy of Bug #2094155

I am copying this bug because: 
Additional denials were found by an automated test.


Description of problem:
rhel9 avc denied with rm and dhclient-script

Version-Release number of selected component (if applicable):
selinux-policy-34.1.35-1.el9

How reproducible:
Always

Steps to Reproduce:
The automated TC failed because the following policy rule is missing:

type_transition dhcpc_t var_run_t : dir chronyd_var_run_t chrony-dhcp;

The automated TC performs these steps:

# rpm -qf /run/chrony-dhcp/
file /run/chrony-dhcp is not owned by any package
# ls -alZ /run/chrony-dhcp/
total 0
drwxr-xr-x.  2 root root system_u:object_r:chronyd_var_run_t:s0  40 Jun 28 08:21 .
drwxr-xr-x. 28 root root system_u:object_r:var_run_t:s0         860 Jun 28 08:22 ..
# rm -rf /run/chrony-dhcp/
# dhclient
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
grep: /etc/sysconfig/network-scripts/ifcfg-*: No such file or directory
# ls -alZ /run/chrony-dhcp/
total 0
drwxr-xr-x.  2 root root unconfined_u:object_r:dhcpc_var_run_t:s0  40 Jun 28 09:10 .
drwxr-xr-x. 28 root root system_u:object_r:var_run_t:s0           880 Jun 28 09:10 ..
#

The /run/chrony-dhcp/ directory is created by the dhclient-script, but it gets a wrong label, which then leads to the following SELinux denial when the chronyd service is restarted for any reason:
----
type=PROCTITLE msg=audit(06/28/2022 09:12:04.432:292) : proctitle=/usr/sbin/chronyd -F 2 
type=SYSCALL msg=audit(06/28/2022 09:12:04.432:292) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd7f0e7260 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=4680 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(06/28/2022 09:12:04.432:292) : avc:  denied  { read } for  pid=4680 comm=chronyd name=chrony-dhcp dev="tmpfs" ino=1064 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=dir permissive=0 
----

Here is the particular script which creates the /run/chrony-dhcp/ directory with incorrect label:

# rpm -qf /etc/dhcp/dhclient.d/chrony.sh 
chrony-4.2-1.el9.x86_64
# grep CHRONY_SOURCEDIR /etc/dhcp/dhclient.d/chrony.sh 
CHRONY_SOURCEDIR=/run/chrony-dhcp
SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources
		mkdir -p $CHRONY_SOURCEDIR
#

Actual results:
avc denied 

Expected results:
No avc denied  

Additional info:
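The denial above is the symptom of a missing named file transition: the directory exists, but with the creator's type (dhcpc_var_run_t) rather than the type chronyd_t is allowed to read (chronyd_var_run_t). The following shell helpers are an added example, not part of the bug report or the selinux-policy project: they parse an AVC record (the one quoted above, embedded as a constructed sample) to show which type the denied object actually carries, and offer a live check of a directory's type via `stat -c %C`; the helper names are our own.

```shell
#!/bin/sh
# Added example: inspect an AVC record and compare the denied object's SELinux
# type with the type the policy's type_transition rule should have assigned.

# The AVC record quoted in the report, copied here as a constructed sample.
SAMPLE_AVC='type=AVC msg=audit(06/28/2022 09:12:04.432:292) : avc:  denied  { read } for  pid=4680 comm=chronyd name=chrony-dhcp dev="tmpfs" ino=1064 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY -> value of "KEY=value" in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD -> the permission set inside "{ ... }", e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT -> the type component (user:role:TYPE:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_mismatch RECORD EXPECTED_TYPE -> true when the target object's type is
# not the one the policy intended, i.e. the file transition did not apply.
label_mismatch() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    [ "$actual" != "$2" ]
}

# check_dir_label PATH EXPECTED_TYPE -> true when the live directory carries
# EXPECTED_TYPE. Needs a running SELinux system (GNU stat, %C = context).
check_dir_label() {
    [ "$(context_type "$(stat -c %C "$1")")" = "$2" ]
}

# Usage on the report's scenario, run after dhclient recreated the directory.
# With the fixed policy this should print "label OK":
# check_dir_label /run/chrony-dhcp chronyd_var_run_t && echo "label OK"
if label_mismatch "$SAMPLE_AVC" chronyd_var_run_t; then
    echo "$(avc_field "$SAMPLE_AVC" comm) denied $(avc_perms "$SAMPLE_AVC") on" \
         "$(avc_field "$SAMPLE_AVC" name): type is" \
         "$(context_type "$(avc_field "$SAMPLE_AVC" tcontext)"), expected chronyd_var_run_t"
fi
```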

Comment 15 errata-xmlrpc 2022-11-15 11:13:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283