Bug 2169949

Summary: selinux policy doesn't support chronyd-restricted service
Product: Fedora
Reporter: Miroslav Lichvar <mlichvar>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: medium
Version: 38
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Keywords: Triaged
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-38.20-1.fc38
Doc Type: If docs needed, set a value
Type: Bug
Regression: ---
Last Closed: 2023-07-01 01:45:45 UTC

Description Miroslav Lichvar 2023-02-15 08:22:26 UTC
Description of problem:
The latest chrony package includes a chronyd-restricted service, which starts chronyd without root privileges. It fails to start when selinux is enabled.

type=AVC msg=audit(1676448867.811:153): avc:  denied  { nnp_transition } for  pid=825 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-38.7-1.fc38.noarch
chrony-4.3-3.fc38.x86_64

How reproducible:
always

Steps to Reproduce:
1. systemctl start chronyd-restricted

Actual results:
fails to start

Expected results:
starts and no AVC reported

Additional info:

Comment 1 Zdenek Pytela 2023-02-15 11:45:46 UTC
Mirku,

Is the permission set for chronyd-restricted expected to be any different from chronyd's, or can we let it share the policy with chrony?

Comment 2 Miroslav Lichvar 2023-02-15 11:56:50 UTC
The restricted service is expected to work only as an NTP and possibly NTS client. It shouldn't open reference clocks, shared memory segments, set realtime priority, create directories, etc.

I think it could have its own trimmed-down policy, but I'm not sure if it's worth the trouble of maintaining two policies.

Comment 3 Milos Malik 2023-02-15 12:02:55 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(02/15/2023 07:00:20.830:462) : proctitle=/usr/sbin/chronyd -U -F 2 
type=PATH msg=audit(02/15/2023 07:00:20.830:462) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139866 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/15/2023 07:00:20.830:462) : item=0 name=/usr/sbin/chronyd inode=161293 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2023 07:00:20.830:462) : cwd=/ 
type=EXECVE msg=audit(02/15/2023 07:00:20.830:462) : argc=4 a0=/usr/sbin/chronyd a1=-U a2=-F a3=2 
type=SYSCALL msg=audit(02/15/2023 07:00:20.830:462) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564d8a312420 a1=0x564d8a3f5110 a2=0x564d8a29c520 a3=0x1 items=2 ppid=1 pid=1346 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(02/15/2023 07:00:20.830:462) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:chronyd_t:s0 
type=AVC msg=audit(02/15/2023 07:00:20.830:462) : avc:  denied  { nnp_transition } for  pid=1346 comm=(chronyd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 07:00:20.838:463) : proctitle=/usr/sbin/chronyd -U -F 2 
type=PATH msg=audit(02/15/2023 07:00:20.838:463) : item=0 name=/run/chrony/ inode=911 dev=00:18 mode=dir,750 ouid=chrony ogid=chrony rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2023 07:00:20.838:463) : cwd=/ 
type=SYSCALL msg=audit(02/15/2023 07:00:20.838:463) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd57e74770 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x1a4 items=1 ppid=1 pid=1348 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(02/15/2023 07:00:20.838:463) : avc:  denied  { create } for  pid=1348 comm=chronyd name=chronyd.pid scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(02/15/2023 07:01:18.491:469) : proctitle=/usr/sbin/chronyd -U -F 2 
type=PATH msg=audit(02/15/2023 07:01:18.491:469) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139866 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/15/2023 07:01:18.491:469) : item=0 name=/usr/sbin/chronyd inode=161293 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2023 07:01:18.491:469) : cwd=/ 
type=EXECVE msg=audit(02/15/2023 07:01:18.491:469) : argc=4 a0=/usr/sbin/chronyd a1=-U a2=-F a3=2 
type=SYSCALL msg=audit(02/15/2023 07:01:18.491:469) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564d8a390d90 a1=0x564d8a3a78f0 a2=0x564d8a29c520 a3=0x1 items=2 ppid=1 pid=1368 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/15/2023 07:01:18.491:469) : avc:  denied  { nnp_transition } for  pid=1368 comm=(chronyd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=1 
----

I stopped the chronyd service before starting the chronyd-restricted service.

Comment 4 Zdenek Pytela 2023-06-19 14:23:09 UTC
Mirku,

The service keeps failing even after allowing the nnp transition:

# cat local_chrony.cil
(allow init_t chronyd_t (process2 (nnp_transition)))
# semodule -i local_chrony.cil
# systemctl restart chronyd-restricted
# systemctl status chronyd-restricted --full
● chronyd-restricted.service - NTP client (restricted)
     Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Mon 2023-06-19 10:13:38 EDT; 47s ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 767 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 769 (chronyd)
      Tasks: 1 (limit: 2311)
     Memory: 1.1M
        CPU: 36ms
     CGroup: /system.slice/chronyd-restricted.service
             └─769 /usr/sbin/chronyd -U -F 2

Jun 19 10:13:37 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com systemd[1]: Starting chronyd-restricted.service - NTP client (restricted)...
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: chronyd version 4.4-pre1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Could not open command socket on 127.0.0.1:323
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Could not open command socket on [::1]:323
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Frequency 0.000 +/- 1000000.000 ppm read from /var/lib/chrony/drift
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Using right/UTC timezone to obtain leap second data
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Loaded seccomp filter (level 2)
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com systemd[1]: Started chronyd-restricted.service - NTP client (restricted).

Is this expected in the current development status, perhaps too restrictive unit settings?

$ rpm -q chrony selinux-policy
chrony-4.4-0.1.pre1.fc39.x86_64
selinux-policy-38.17-1.fc39.noarch

FYI: What I plan now is to create a new domain and start the service with
SELinuxContext=system_u:system_r:chronyd_restricted_t:s0

Comment 5 Miroslav Lichvar 2023-06-19 14:43:43 UTC
The service seems to be running. The two "Could not open command socket" messages are expected. The "code=exited, status=0/SUCCESS" line is for the process which forked the daemon. Main PID is still running.

Comment 6 Zdenek Pytela 2023-06-20 14:39:55 UTC
I have a policy update; the service starts without any AVC denial. Please use the following scratch build:

https://github.com/fedora-selinux/selinux-policy/pull/1751
Checks -> Artifacts -> rpms.zip

and try other scenarios which possibly apply to the service or some interactions with other ones.

Comment 7 Miroslav Lichvar 2023-06-20 15:00:47 UTC
The service doesn't start for me with default config:
type=AVC msg=audit(1687273041.989:206): avc:  denied  { nnp_transition } for  pid=984 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1687273041.991:208): avc:  denied  { create } for  pid=986 comm="chronyd" name="chronyd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0

# rpm -qa | grep selinux-policy
selinux-policy-38.17-1.20230620_142328.cbe4213.fc39.noarch
selinux-policy-targeted-38.17-1.20230620_142328.cbe4213.fc39.noarch

Comment 8 Zdenek Pytela 2023-06-20 21:53:08 UTC
This needs to be added to the unit file:

[Service]
SELinuxContext=system_u:system_r:chronyd_restricted_t:s0
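The two denials quoted in this thread are easier to recognise by shape than by text. The following parser is an added example, not code from the bug report, chrony or selinux-policy: it reads AVC records in both the raw audit.log form and the `ausearch -i` interpreted form, and labels the nnp_transition denial and the follow-on create denial the way the thread explains them. The sample lines are constructed from the ones quoted above.

```python
import re

# Constructed sample, modelled on the denials quoted in this bug:
# raw audit.log form, then the `ausearch -i` interpreted form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1676448867.811:153): avc:  denied  { nnp_transition } for  pid=825 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(02/15/2023 07:00:20.838:463) : avc:  denied  { create } for  pid=1348 comm=chronyd name=chronyd.pid scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1676448867.811:153): arch=c000003e syscall=59 success=yes exit=0
"""

# One regex covers both forms: comm may or may not be quoted, and the
# interpreted form puts a space before the colon after msg=audit(...).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r"\s+for\s+pid=(?P<pid>\d+)\s+comm=\"?(?P<comm>[^\s\"]+)\"?.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def domain(ctx):
    """Return the type field of a user:role:type:level context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC record into a dict; None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["pid"] = int(rec["pid"])
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def explain(rec):
    """Map a denial to the failure mode discussed in this bug."""
    src, tgt = domain(rec["scontext"]), domain(rec["tcontext"])
    if rec["tclass"] == "process2" and "nnp_transition" in rec["perms"]:
        return (f"blocked domain transition {src} -> {tgt}: exec happened under "
                "NoNewPrivileges/nosuid and policy lacks nnp_transition for the "
                "pair (fix here: dedicated domain plus SELinuxContext= in the unit)")
    if src == "init_t" and rec["tclass"] == "file":
        return (f"{rec['comm']} still runs as {src} after the failed transition; "
                f"now denied {' '.join(rec['perms'])} on {tgt}")
    return f"{src} denied {' '.join(rec['perms'])} on {tgt} ({rec['tclass']})"

def triage(text):
    """Return [(pid, explanation)] for every enforced AVC denial in text."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and not rec["permissive"]:
            out.append((rec["pid"], explain(rec)))
    return out
```

Feed it `ausearch -m AVC` output and a permissive-mode record (permissive=1) is parsed but not reported, since it did not actually block anything.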

Comment 9 Miroslav Lichvar 2023-06-21 08:52:26 UTC
With that change it works nicely. I tested it as an NTP and NTS client. No issues observed. Thanks.

Comment 10 Zdenek Pytela 2023-06-21 11:27:57 UTC
If this solution, which includes the service unit modification, is fine with you, I'll include it in the next F38 and F39 builds. I believe it was commented on enough.
No need for a side tag; there is a one-way dependency.

Comment 11 Miroslav Lichvar 2023-06-21 11:33:02 UTC
Yes, that's fine with me. I'll modify the service file in the next chrony update. Thanks.

Comment 12 Zdenek Pytela 2023-06-26 09:55:32 UTC
A few more permissions were added compared to the previous version as a result of our internal testing.

Comment 13 Fedora Update System 2023-06-29 16:14:35 UTC
FEDORA-2023-ba070ee6ba has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba

Comment 14 Fedora Update System 2023-06-30 01:40:13 UTC
FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ba070ee6ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2023-07-01 01:45:45 UTC
FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.