Bug 2173604

Summary:	SELinux prevents the chronyc process from searching in the /proc/sys/net/ipv6/conf/all/ directory
Product:	Red Hat Enterprise Linux 9	Reporter:	Filip Dvorak <fdvorak>
Component:	selinux-policy	Assignee:	Nobody <nobody>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	low	Docs Contact:
Priority:	medium
Version:	9.2	CC:	lvrabec, mmalik, zpytela
Target Milestone:	rc	Keywords:	AutoVerified, Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-38.1.12-1.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-11-07 08:52:17 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Filip Dvorak 2023-02-27 11:42:42 UTC

Description of problem:
avc:  denied  { search } for  pid=4109 comm="chronyc" name="net"

Version-Release number of selected component (if applicable):
RHEL-9.2.0-20230220.9
selinux-policy-38.1.8-1.el9.noarch


Steps to Reproduce:
1. install RHEL9.2
2. run "chronyc sources"

Actual results:
time->Mon Feb 27 05:50:59 2023
type=PROCTITLE msg=audit(1677495059.158:2403): proctitle=6368726F6E796300736F7572636573
type=SYSCALL msg=audit(1677495059.158:2403): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2795cc50 a2=80100 a3=0 items=0 ppid=23107 pid=24158 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1677495059.158:2403): avc:  denied  { search } for  pid=24158 comm="chronyc" name="net" dev="proc" ino=13214 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Expected results:
No AVC message

Additional info:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1.8-1.el9.noarch
----
time->Mon Feb 27 05:50:59 2023
type=PROCTITLE msg=audit(1677495059.158:2403): proctitle=6368726F6E796300736F7572636573
type=SYSCALL msg=audit(1677495059.158:2403): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2795cc50 a2=80100 a3=0 items=0 ppid=23107 pid=24158 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1677495059.158:2403): avc:  denied  { search } for  pid=24158 comm="chronyc" name="net" dev="proc" ino=13214 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Comment 3 Zdenek Pytela 2023-03-03 11:44:49 UTC

It seems to be called from libnss_myhostname.so (systemd-libs):

chronyc  4059 [000]  1255.760563: avc:selinux_audited: requested=0x10000000 denied=0x10000000 audi>

        ffffffffbc0aa0a2 avc_audit_post_callback+0x202 ([kernel.kallsyms])
        ffffffffbc0aa0a2 avc_audit_post_callback+0x202 ([kernel.kallsyms])
        ffffffffbc0cea19 common_lsm_audit+0x69 ([kernel.kallsyms])
        ffffffffbc0aabda slow_avc_audit+0x7a ([kernel.kallsyms])
        ffffffffbc0ad767 audit_inode_permission+0x77 ([kernel.kallsyms])
        ffffffffbc0b31ee selinux_inode_permission+0x19e ([kernel.kallsyms])
        ffffffffbc0a690d security_inode_permission+0x2d ([kernel.kallsyms])
        ffffffffbbfd8b33 link_path_walk.part.0.constprop.0+0x2d3 ([kernel.kallsyms])
        ffffffffbbfd9611 path_openat+0xb1 ([kernel.kallsyms])
        ffffffffbbfda7f2 do_filp_open+0xb2 ([kernel.kallsyms])
        ffffffffbbfc32ca do_sys_openat2+0x9a ([kernel.kallsyms])
        ffffffffbbfc3693 __x64_sys_openat+0x53 ([kernel.kallsyms])
        ffffffffbc725159 do_syscall_64+0x59 ([kernel.kallsyms])
        ffffffffbc80009b entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms])
                  13e9c6 __GI___openat+0x46 (inlined)
                    9f74 [unknown] (/usr/lib64/libnss_myhostname.so.2)
                   13db5 [unknown] (/usr/lib64/libnss_myhostname.so.2)
                    72f3 [unknown] (/usr/lib64/libnss_myhostname.so.2)
                    ec96 _nss_myhostname_gethostbyaddr2_r+0x266 (/usr/lib64/libnss_myhostname.so.2)
                    f166 _nss_myhostname_gethostbyaddr_r+0x16 (/usr/lib64/libnss_myhostname.so.2)
                  15dbae __new_gethostbyaddr_r+0x16e (inlined)
                  166cff __GI_getnameinfo+0x65f (inlined)
                    b595 DNS_IPAddress2Name.isra.0+0x75 (/usr/bin/chronyc)
                    b662 format_name+0x72 (inlined)
                    b884 format_name+0x1e4 (inlined)
                    b884 process_cmd_sources+0x1e4 (/usr/bin/chronyc)
                    ed8e process_line+0x2ece (inlined)

Comment 15 errata-xmlrpc 2023-11-07 08:52:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617