Bug 2159919

Summary: SELinux is preventing ptp4l from 'name_bind' accesses on the udp_socket port 319.
Product: [Fedora] Fedora
Reporter: Robert Hancock <hancockrwd>
Component: linuxptp
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: mlichvar, rmeggins
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:190f1a34a3ecde15db0f99123228ac755a7f9408a3ec2471fe0d0a1d6498a23e;VARIANT_ID=workstation;
Fixed In Version: linuxptp-3.1.1-6.fc37 linuxptp-3.1.1-4.fc36
Doc Type: If docs needed, set a value
Last Closed: 2023-01-21 03:31:07 UTC

Description Robert Hancock 2023-01-11 05:43:00 UTC
Description of problem:
Started ptp4l
SELinux is preventing ptp4l from 'name_bind' accesses on the udp_socket port 319.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ptp4l should be allowed name_bind access on the port 319 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ptp4l' --raw | audit2allow -M my-ptp4l
# semodule -X 300 -i my-ptp4l.pp

Additional Information:
Source Context                system_u:system_r:ptp4l_t:s0
Target Context                system_u:object_r:ptp_event_port_t:s0
Target Objects                port 319 [ udp_socket ]
Source                        ptp4l
Source Path                   ptp4l
Port                          319
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.17-1.fc37.noarch
Local Policy RPM              linuxptp-selinux-3.1.1-5.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.0.18-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Jan 7 17:10:00 UTC 2023 x86_64
                              x86_64
Alert Count                   1
First Seen                    2023-01-10 23:41:43 CST
Last Seen                     2023-01-10 23:41:43 CST
Local ID                      8e7e36c9-cacf-40f3-87a9-af3c4de0ac03

Raw Audit Messages
type=AVC msg=audit(1673415703.915:942): avc:  denied  { name_bind } for  pid=61126 comm="ptp4l" src=319 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:ptp_event_port_t:s0 tclass=udp_socket permissive=0

Hash: ptp4l,ptp4l_t,ptp_event_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-targeted-37.17-1.fc37.noarch

Additional info:
component:      linuxptp
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.0.18-300.fc37.x86_64
type:           libreport

Comment 1 Robert Hancock 2023-01-11 05:45:35 UTC
/etc/ptp4l.conf file:

# For more information about this file, see the ptp4l(8) man page.
# Examples are available in /usr/share/doc/linuxptp/configs.

[global]
domainNumber		0
slaveOnly		1
time_stamping		software
tx_timestamp_timeout	1
logging_level		6
summary_interval	0

[enp8s0]
network_transport	UDPv4
hybrid_e2e		0

When starting ptp4l:

Jan 10 23:41:43 haswell systemd[1]: Started ptp4l.service - Precision Time Protocol (PTP) service.
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] bind failed: Permission denied
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] port 1: INITIALIZING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] port 0: INITIALIZING to LISTENING on INIT_COMPLETE

Not sure whether there is any configuration that's supposed to be needed for this? It seems like the SELinux policy for ptp4l is just broken.

Comment 2 Miroslav Lichvar 2023-01-11 16:21:39 UTC
It seems the label of the PTP event port changed and the packaged policy needs to be updated to allow binding to it.

Comment 3 Robert Hancock 2023-01-11 16:35:57 UTC
A possibly related issue - the pmc utility can send requests to the ptp4l daemon, but the daemon seems to be unable to send responses back. Running:

pmc -u -b 0 'GET CURRENT_DATA_SET'

as shown on https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/servers/Configuring_PTP_Using_ptp4l/ results in:

SELinux is preventing ptp4l from sendto access on the unix_dgram_socket /run/pmc.77779.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ptp4l should be allowed sendto access on the pmc.77779 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ptp4l' --raw | audit2allow -M my-ptp4l
# semodule -X 300 -i my-ptp4l.pp

Additional Information:
Source Context                system_u:system_r:ptp4l_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                /run/pmc.77779 [ unix_dgram_socket ]
Source                        ptp4l
Source Path                   ptp4l
Port                          <Unknown>
Host                          haswell
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.17-1.fc37.noarch
Local Policy RPM              linuxptp-selinux-3.1.1-5.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     haswell
Platform                      Linux haswell 6.0.18-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Jan 7 17:10:00 UTC 2023 x86_64
                              x86_64
Alert Count                   1
First Seen                    2023-01-11 10:32:53 CST
Last Seen                     2023-01-11 10:32:53 CST
Local ID                      b5b7a229-d0c6-46e3-aa68-641fac71548d

Raw Audit Messages
type=AVC msg=audit(1673454773.132:1023): avc:  denied  { sendto } for  pid=77695 comm="ptp4l" path="/run/pmc.77779" scontext=system_u:system_r:ptp4l_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
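
The two raw AVC records in this report (the `name_bind` denial in the Description and the `sendto` denial above) both follow the same key=value layout, and the setroubleshoot suggestion to pipe them through `audit2allow` is a mechanical translation of that layout into a type-enforcement rule. The following script is an added example, not code from linuxptp, setroubleshoot or audit2allow: it parses AVC records into their fields, derives the `allow` rule each denial implies, and ties each denial to the service's journal lines by comm and pid (so the `bind failed: Permission denied` line from Comment 1 can be matched to the audit serial that caused it). The sample audit and journal lines are the ones quoted in this report; the regexes and function names are this example's own.

```python
"""Triage SELinux AVC denials: parse the raw audit records, derive the
type-enforcement rule each denial implies, and correlate them with the
service's journal output by pid.

Added example for this bug report; not code from linuxptp, setroubleshoot
or audit2allow. The sample records below are the two quoted in the report
(the Description and Comment 3); the journal lines are those from Comment 1.
"""
import re
from dataclasses import dataclass, field

# Sample input: the two AVC records quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1673415703.915:942): avc:  denied  { name_bind } for  pid=61126 comm="ptp4l" src=319 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:ptp_event_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1673454773.132:1023): avc:  denied  { sendto } for  pid=77695 comm="ptp4l" path="/run/pmc.77779" scontext=system_u:system_r:ptp4l_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
"""

# Sample input: the journal lines quoted in Comment 1 of the report.
SAMPLE_JOURNAL = """\
Jan 10 23:41:43 haswell systemd[1]: Started ptp4l.service - Precision Time Protocol (PTP) service.
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] bind failed: Permission denied
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] port 1: INITIALIZING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
Jan 10 23:41:43 haswell ptp4l[61126]: [39384.921] port 0: INITIALIZING to LISTENING on INIT_COMPLETE
"""

# type=AVC msg=audit(<epoch>:<serial>): avc:  denied  { perm [perm ...] } for  key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are double-quoted (comm, path) or bare (scontext, tclass, ...)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "Mon DD HH:MM:SS host comm[pid]: message" as written by journalctl / rsyslog
JOURNAL_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str                                  # "denied" or "granted"
    perms: tuple                                 # e.g. ("name_bind",)
    fields: dict = field(default_factory=dict)   # pid, comm, src, path, scontext, tcontext, tclass


def context_type(ctx):
    """Return the type component of an SELinux context user:role:type[:range].
    The MLS range can itself contain colons (s0-s0:c0.c1023), so split from the left."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return an AvcRecord, or None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if bare == "" else bare
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def required_rule(rec):
    """The allow rule that would permit this denial, in the form audit2allow emits.
    It shows what the loaded policy lacks; whether to grant it is a policy decision
    (in this report the packaged linuxptp policy was updated instead)."""
    if rec.result != "denied":
        return None
    src = context_type(rec.fields["scontext"])
    tgt = context_type(rec.fields["tcontext"])
    perms = " ".join(sorted(rec.perms))
    if len(rec.perms) > 1:
        perms = "{ " + perms + " }"
    return f"allow {src} {tgt}:{rec.fields['tclass']} {perms};"


def correlate(records, journal_text):
    """Map each AVC serial to the journal messages logged by the same comm/pid,
    so a denial can be tied to the symptom the service itself reported."""
    by_proc = {}
    for line in journal_text.splitlines():
        m = JOURNAL_RE.match(line)
        if m:
            by_proc.setdefault((m.group("comm"), m.group("pid")), []).append(m.group("msg"))
    return {
        rec.serial: by_proc.get((rec.fields.get("comm"), rec.fields.get("pid")), [])
        for rec in records
    }


def analyse(audit_text, journal_text=""):
    """Parse all AVC records and return a list of (record, rule, journal_messages)."""
    records = [r for r in (parse_avc(l) for l in audit_text.splitlines()) if r is not None]
    related = correlate(records, journal_text)
    return [(r, required_rule(r), related[r.serial]) for r in records]


if __name__ == "__main__":
    for rec, rule, msgs in analyse(SAMPLE_AUDIT_LOG, SAMPLE_JOURNAL):
        print(f"audit serial {rec.serial}: {rec.fields['comm']}[{rec.fields['pid']}] "
              f"denied {' '.join(rec.perms)} on {rec.fields['tclass']}")
        print(f"  missing rule: {rule}")
        for msg in msgs:
            print(f"  journal: {msg}")
```

Run against the two records above this yields `allow ptp4l_t ptp_event_port_t:udp_socket name_bind;` and `allow ptp4l_t unconfined_t:unix_dgram_socket sendto;`, which is what the `ausearch ... | audit2allow -M my-ptp4l` step quoted in the report would put into the local module. Deriving the rules by hand before loading such a module makes it visible what is being granted: in the first case the bind to a port that now carries the `ptp_event_port_t` label, in the second the reply to a `pmc` socket owned by an unconfined user session.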

Comment 4 Miroslav Lichvar 2023-01-11 16:41:10 UTC
Yes, this will be fixed in the update too.

Comment 5 Fedora Update System 2023-01-11 17:21:49 UTC
FEDORA-2023-61745d58bd has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-61745d58bd

Comment 6 Fedora Update System 2023-01-11 17:21:49 UTC
FEDORA-2023-fc85c9ba46 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-fc85c9ba46

Comment 7 Fedora Update System 2023-01-12 02:42:02 UTC
FEDORA-2023-fc85c9ba46 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fc85c9ba46`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fc85c9ba46

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-01-12 03:05:59 UTC
FEDORA-2023-61745d58bd has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-61745d58bd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-61745d58bd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Robert Hancock 2023-01-12 03:38:14 UTC
Confirmed both issues appear to be fixed in linuxptp-3.1.1-6.fc37.x86_64

Comment 10 Fedora Update System 2023-01-21 03:31:07 UTC
FEDORA-2023-61745d58bd has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2023-01-21 03:40:49 UTC
FEDORA-2023-fc85c9ba46 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.