Bug 1243764 - Failed to lock /var/run/chrony-helper
Summary: Failed to lock /var/run/chrony-helper
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-16 09:18 UTC by Qian Guo
Modified: 2015-11-19 10:41 UTC
CC: 13 users

Fixed In Version: selinux-policy-3.13.1-47.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:41:03 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Qian Guo 2015-07-16 09:18:36 UTC
Description of problem:
SELinux should not cause any failure when running dhclient to get an IP address.

Version-Release number of selected component (if applicable):
kernel-3.10.0-294.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set SELinux to enforcing
# getenforce 
Enforcing

2. Try to get an IP address via dhclient:

3.

Actual results:
hit error:

/usr/libexec/chrony-helper: line 138: /var/run/chrony-helper/lock: Permission denied
flock: 100: Bad file descriptor
Failed to lock /var/run/chrony-helper


Expected results:
dhclient is a normal command; I think SELinux in enforcing mode should not cause it any error.

Additional info:

Comment 2 Miroslav Grepl 2015-08-04 15:42:19 UTC
Could you attach AVC msgs?

Comment 3 Qian Guo 2015-08-05 01:36:54 UTC
(In reply to Miroslav Grepl from comment #2)
> Could you attach AVC msgs?

The corresponding AVC log:
...
type=AVC msg=audit(1438738425.637:1356): avc:  denied  { write } for  pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1438738425.637:1356): arch=c000003e syscall=2 success=no exit=-13 a0=222a3b0 a1=241 a2=1b6 a3=1 items=0 ppid=10859 pid=10915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=115 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1438738425.637:1357): avc:  denied  { write } for  pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1438738425.637:1357): arch=c000003e syscall=2 success=no exit=-13 a0=222a3b0 a1=201 a2=1b6 a3=1 items=0 ppid=10859 pid=10915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=115 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

Comment 4 Miroslav Grepl 2015-08-05 07:56:58 UTC
It looks like we want to label chrony-helper.

Could you test it with

# chcon -t chronyd_exec_t PATHTO/chrony-helper

Thanks.

Comment 5 Qian Guo 2015-08-06 03:28:08 UTC
1. When I do

# chcon -t chronyd_exec_t PATHTO/chrony-helper

the AVC log is:
type=USER_ACCT msg=audit(1438831201.122:1540): pid=6739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1438831201.122:1541): pid=6739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1438831201.123:1542): pid=6739 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=151 res=1
type=USER_AVC msg=audit(1438831201.133:1543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_START msg=audit(1438831201.136:1544): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1438831201.136:1545): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1438831201.145:1546): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1438831201.147:1547): pid=6739 uid=0 auid=0 ses=151 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'



2. Try to get an IP address via dhclient:

# dhclient switch
mkdir: cannot create directory ‘/var/run/chrony-helper’: File exists
/usr/libexec/chrony-helper: line 138: /var/run/chrony-helper/lock: Permission denied
flock: 100: Bad file descriptor
Failed to lock /var/run/chrony-helper


3. Then I got a new log:
type=AVC msg=audit(1438831362.291:1548): avc:  denied  { read } for  pid=6860 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=21722 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1438831362.291:1548): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=1d00010 a2=90800 a3=0 items=0 ppid=6804 pid=6860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="chrony-helper" exe="/usr/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

Hope this is helpful.
Thanks,
qian

Comment 12 Milos Malik 2015-08-06 13:26:02 UTC
After loading the policy module:

# getenforce 
Enforcing
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper/
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 lock
# 

everything is OK, until you call restorecon:

# restorecon -Rv /var/run/chrony-helper/
restorecon reset /run/chrony-helper context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
restorecon reset /run/chrony-helper/added_servers context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
restorecon reset /run/chrony-helper/lock context unconfined_u:object_r:dhcpc_var_run_t:s0->unconfined_u:object_r:var_run_t:s0
#

Comment 13 Miroslav Grepl 2015-08-06 14:07:43 UTC
# ls -Z /var/run/chrony-helper/
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:dhcpc_var_run_t:s0 lock

is not OK. We should see chronyd_var_run_t if it is created by the chrony-helper.

Comment 14 Miroslav Grepl 2015-08-06 14:08:56 UTC
Do you have chronyd_exec_t labeling for /usr/libexec/chrony-helper if you test it with the transition?

Comment 15 Milos Malik 2015-08-06 14:23:55 UTC
Sorry, the chrony-helper was labeled bin_t.

# chcon -t chronyd_exec_t /usr/libexec/chrony-helper 
# rm -rf /var/run/chrony-helper/
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper
ls: cannot access /var/run/chrony-helper: No such file or directory
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=SYSCALL msg=audit(08/06/2015 10:20:23.195:346) : arch=ppc64 syscall=stat success=no exit=-13(Permission denied) a0=0x1001bd5a410 a1=0x3ffff6f19278 a2=0x3ffff6f19278 a3=0x8 items=0 ppid=7273 pid=7304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/06/2015 10:20:23.195:346) : avc:  denied  { search } for  pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/06/2015 10:20:23.195:345) : arch=ppc64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x1001bd671b0 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=0 ppid=7273 pid=7304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/06/2015 10:20:23.195:345) : avc:  denied  { read } for  pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/06/2015 10:20:30.646:348) : arch=ppc64 syscall=stat success=no exit=-13(Permission denied) a0=0x1000834b580 a1=0x3fffe5448798 a2=0x3fffe5448798 a3=0x8 items=0 ppid=7339 pid=7395 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/06/2015 10:20:30.646:348) : avc:  denied  { search } for  pid=7395 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/06/2015 10:20:30.646:347) : arch=ppc64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x10008358320 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=0 ppid=7339 pid=7395 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/06/2015 10:20:30.646:347) : avc:  denied  { read } for  pid=7395 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
----

Comment 16 Miroslav Grepl 2015-08-07 09:46:26 UTC
Ok what about permissive mode?

Comment 17 Milos Malik 2015-08-07 10:51:24 UTC
# chcon -t chronyd_exec_t /usr/libexec/chrony-helper 
# rm -rf /var/run/chrony-helper/
# setenforce 0
# dhclient -r ; sleep 5 ; dhclient eth0
# ls -Z /var/run/chrony-helper
-rw-r--r--. root root unconfined_u:object_r:chronyd_var_run_t:s0 added_servers
-rw-r--r--. root root unconfined_u:object_r:chronyd_var_run_t:s0 lock
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PATH msg=audit(08/07/2015 06:47:43.458:459) : item=0 name=/var/lib/dhclient/ inode=68053817 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/07/2015 06:47:43.458:459) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/07/2015 06:47:43.458:459) : arch=s390x syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x908b0130 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=61882 pid=61907 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc:  denied  { open } for  pid=61907 comm=chrony-helper path=/var/lib/dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
type=AVC msg=audit(08/07/2015 06:47:43.458:459) : avc:  denied  { read } for  pid=61907 comm=chrony-helper name=dhclient dev="dm-0" ino=68053817 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir 
----
type=PATH msg=audit(08/07/2015 06:47:50.778:461) : item=0 name=/bin/mkdir inode=100902660 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/07/2015 06:47:50.778:461) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:461) : arch=s390x syscall=access success=yes exit=0 a0=0xaa1ed690 a1=X_OK a2=0x3fffffe7318 a3=0x3ff00000000 items=1 ppid=61936 pid=61985 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/07/2015 06:47:50.778:461) : avc:  denied  { execute } for  pid=61985 comm=chrony-helper name=mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----
type=PATH msg=audit(08/07/2015 06:47:50.778:460) : item=0 name=/var/lib/dhclient/chrony.servers.eth0 inode=68803592 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:dhcpc_state_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/07/2015 06:47:50.778:460) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:460) : arch=s390x syscall=stat success=yes exit=0 a0=0xaa1ed550 a1=0x3fffffe7178 a2=0x3fffffe7178 a3=0x800be0e0 items=1 ppid=61936 pid=61985 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=chrony-helper exe=/usr/bin/bash subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/07/2015 06:47:50.778:460) : avc:  denied  { getattr } for  pid=61985 comm=chrony-helper path=/var/lib/dhclient/chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file 
----
type=PATH msg=audit(08/07/2015 06:47:50.778:462) : item=1 name=/lib/ld64.so.1 inode=146938 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(08/07/2015 06:47:50.778:462) : item=0 name=/bin/mkdir inode=100902660 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/07/2015 06:47:50.778:462) :  cwd=/etc/sysconfig/network-scripts 
type=EXECVE msg=audit(08/07/2015 06:47:50.778:462) : argc=3 a0=mkdir a1=-p a2=/var/run/chrony-helper 
type=SYSCALL msg=audit(08/07/2015 06:47:50.778:462) : arch=s390x syscall=execve success=yes exit=0 a0=0xaa1ed690 a1=0xaa1de070 a2=0xaa1edd30 a3=0x0 items=2 ppid=61985 pid=61986 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=mkdir exe=/usr/bin/mkdir subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/07/2015 06:47:50.778:462) : avc:  denied  { execute_no_trans } for  pid=61986 comm=chrony-helper path=/usr/bin/mkdir dev="dm-0" ino=100902660 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----
type=PATH msg=audit(08/07/2015 06:47:50.788:463) : item=0 name=/var/lib/dhclient/chrony.servers.eth0 inode=68803592 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:dhcpc_state_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/07/2015 06:47:50.788:463) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/07/2015 06:47:50.788:463) : arch=s390x syscall=open success=yes exit=3 a0=0x3fffffd8a1e a1=O_RDONLY a2=0x3fffffd7928 a3=0x3ff00000000 items=1 ppid=61989 pid=61990 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=14 comm=cat exe=/usr/bin/cat subj=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/07/2015 06:47:50.788:463) : avc:  denied  { open } for  pid=61990 comm=cat path=/var/lib/dhclient/chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file 
type=AVC msg=audit(08/07/2015 06:47:50.788:463) : avc:  denied  { read } for  pid=61990 comm=cat name=chrony.servers.eth0 dev="dm-0" ino=68803592 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file 
----

Comment 18 Miroslav Grepl 2015-08-07 12:14:19 UTC
Great, it looks much better. So we need to add labeling for chrony-helper and add additional fixes from AVCs.

Again thank you for testing.

Comment 19 Lukas Vrabec 2015-08-10 16:17:50 UTC
commit 3399c01f1675823cc09298250d340b10816838ee
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 10 17:34:45 2015 +0200

    Allow chronyd to execute mkdir command.

commit 8914c0feb7c1c1fa73ccc4acbcf88ef8229c4f18
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 10 17:23:59 2015 +0200

    Allow chronyd_t to read dhcpc state.

commit 70a0cea5b8dca4a95523d7f521c646ae31c467d4
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 10 17:21:09 2015 +0200

    Label /usr/libexec/chrony-helper as chronyd_exec_t

Comment 21 Milos Malik 2015-08-12 17:21:16 UTC
Seen on various machines in enforcing mode:
----
time->Tue Aug 11 14:05:22 2015
type=SYSCALL msg=audit(1439316322.366:209): arch=80000015 syscall=106 success=no exit=-13 a0=10027b9bef0 a1=3ffffed37468 a2=3ffffed37468 a3=0 items=0 ppid=32203 pid=32217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chrony-helper" exe="/usr/bin/bash" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1439316322.366:209): avc:  denied  { getattr } for  pid=32217 comm="chrony-helper" path="/usr/bin/systemctl" dev="dm-0" ino=136713910 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----

Comment 22 Milos Malik 2015-08-12 17:31:04 UTC
# grep systemctl /usr/libexec/chrony-helper 
        systemctl enable "$timer"
        systemctl start "$timer"
        systemctl stop "$timer"
        systemctl disable "$timer"
    systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
#

Comment 23 Lukas Vrabec 2015-08-13 07:49:55 UTC
Hi Milos,
What about permissive mode?

Comment 24 Milos Malik 2015-08-15 09:54:13 UTC
One of our TCs also triggers the following AVC on all architectures:
----
time->Sat Aug 15 08:54:17 2015
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25713 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:ptp4l_t:s0 ocomm="ptp4l"
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25694 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:timemaster_t:s0 ocomm="timemaster"
type=OBJ_PID msg=audit(1439621657.053:3328): opid=25712 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:chronyd_t:s0 ocomm="chronyd"
type=SYSCALL msg=audit(1439621657.053:3328): arch=c000003e syscall=62 success=yes exit=0 a0=0 a1=f a2=7f48cb72f780 a3=4000 items=0 ppid=1 pid=25694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="timemaster" exe="/usr/sbin/timemaster" subj=system_u:system_r:timemaster_t:s0 key=(null)
type=AVC msg=audit(1439621657.053:3328): avc:  denied  { signal } for  pid=25694 comm="timemaster" scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
----

Comment 25 Lukas Vrabec 2015-08-17 12:41:43 UTC
commit 0a8bbfd5f943af43310567be7ff84b678ad067a8
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 17 14:33:59 2015 +0200

    Allow chronyd exec systemctl
    Resolves: #1243764

commit 00e2cada75582a5cf594d28deefefe6a52f650d6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 17 12:01:33 2015 +0200

    Add interface chronyd_signal
    Allow timemaster_t send generic signals to chronyd_t.
    Resolves: #1243764

Comment 27 Milos Malik 2015-08-26 12:12:58 UTC
----
time->Mon Aug 24 05:08:07 2015
type=SYSCALL msg=audit(1440389287.693:2223): arch=80000015 syscall=106 success=no exit=-13 a0=10016c108f0 a1=3fffd17552a8 a2=3fffd17552a8 a3=0 items=0 ppid=11688 pid=11710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/usr/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1440389287.693:2223): avc:  denied  { getattr } for  pid=11710 comm="dhclient-script" path="/usr/libexec/chrony-helper" dev="dm-9" ino=136647523 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
----

Comment 28 Lukas Vrabec 2015-08-26 12:19:46 UTC
Milos, 
Is it permissive mode? 

Thank you.

Comment 29 Milos Malik 2015-08-26 12:38:51 UTC
Enforcing mode:
----
type=PATH msg=audit(08/26/2015 14:36:00.111:1100) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/26/2015 14:36:00.111:1100) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/26/2015 14:36:00.111:1100) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xfb67b0 a1=0x7ffd695825a0 a2=0x7ffd695825a0 a3=0x7ffd695823d0 items=1 ppid=15705 pid=15747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(08/26/2015 14:36:00.111:1100) : avc:  denied  { getattr } for  pid=15747 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
----
type=PATH msg=audit(08/26/2015 14:36:00.111:1101) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/26/2015 14:36:00.111:1101) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(08/26/2015 14:36:00.111:1101) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xfb67b0 a1=0x7ffd69582580 a2=0x7ffd69582580 a3=0x7ffd695823d0 items=1 ppid=15705 pid=15747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(08/26/2015 14:36:00.111:1101) : avc:  denied  { getattr } for  pid=15747 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
----

Permissive mode:
----
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=33658113 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=1 name=/bin/bash inode=17436826 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 objtype=NORMAL 
type=PATH msg=audit(08/26/2015 14:37:59.293:1108) : item=0 name=/usr/libexec/chrony-helper inode=49610 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/26/2015 14:37:59.293:1108) :  cwd=/etc/sysconfig/network-scripts 
type=EXECVE msg=audit(08/26/2015 14:37:59.293:1108) : argc=3 a0=/bin/bash a1=/usr/libexec/chrony-helper a2=update-daemon 
type=SYSCALL msg=audit(08/26/2015 14:37:59.293:1108) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1cd7a80 a1=0x1cce230 a2=0x1c4c030 a3=0x7ffd4a635ca0 items=3 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { execute_no_trans } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { read open } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { execute } for  pid=16316 comm=dhclient-script name=chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(08/26/2015 14:37:59.296:1109) : arch=x86_64 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffc3e01b080 a3=0x7ffc3e01ae90 items=0 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(08/26/2015 14:37:59.296:1109) : avc:  denied  { ioctl } for  pid=16316 comm=chrony-helper path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(08/26/2015 14:37:59.296:1110) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xff a1=0x7ffc3e01b020 a2=0x7ffc3e01b020 a3=0x7ffc3e01ada0 items=0 ppid=16276 pid=16316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(08/26/2015 14:37:59.296:1110) : avc:  denied  { getattr } for  pid=16316 comm=chrony-helper path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file 
----
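
Added example (not from this bug report or from the selinux-policy project): a small Python triage of the AVC records quoted in this bug, which groups denials into audit2allow-style rules and then flags the two cases the report shows an allow rule does not fix: the missing dhcpc_t to chronyd_t domain transition visible in the execute_no_trans denial above (Comment 29), and the generic var_run_t label that restorecon reverts to in Comment 12. The GENERIC_TYPES set and the naming convention that foo_exec_t is the entrypoint of foo_t are assumptions used as heuristics.

```python
"""Triage SELinux AVC denials the way this bug was worked: group them into
audit2allow-style rules, then flag the two patterns an allow rule does NOT
fix, a missing domain transition and a mislabeled runtime object."""
import re
from collections import defaultdict

# Constructed sample built from AVC records quoted in this bug report; both the
# raw audit.log form and the `ausearch -i` interpreted form occur. The SYSCALL
# line is trimmed and is there only to show non-AVC records are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1438738425.637:1356): avc:  denied  { write } for  pid=10915 comm="chrony-helper" name="lock" dev="tmpfs" ino=16076 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1438738425.637:1356): arch=c000003e syscall=2 success=no exit=-13 comm="chrony-helper" exe="/usr/bin/bash"
type=AVC msg=audit(08/06/2015 10:20:23.195:346) : avc:  denied  { search } for  pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(08/06/2015 10:20:23.195:345) : avc:  denied  { read } for  pid=7304 comm=chrony-helper name=dhclient dev="dm-0" ino=68074908 scontext=unconfined_u:system_r:chronyd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=AVC msg=audit(1439621657.053:3328): avc:  denied  { signal } for  pid=25694 comm="timemaster" scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { execute_no_trans } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
type=AVC msg=audit(08/26/2015 14:37:59.293:1108) : avc:  denied  { read open } for  pid=16316 comm=dhclient-script path=/usr/libexec/chrony-helper dev="vda2" ino=49610 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file
"""

# Matches both "type=AVC msg=audit(...): avc:" and the "ausearch -i" variant
# "type=AVC msg=audit(...) : avc:"; permissions sit between the braces.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)
COMM_RE = re.compile(r'comm="?(?P<comm>[^"\s]+)"?')

# Assumption (heuristic): a denial against one of these generic types usually
# means the object is mislabeled, as in Comment 12 where restorecon resets the
# lock file back to var_run_t because no file context exists for it yet.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_t", "tmp_t"}


def type_of(context):
    """Return the type field (third component) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "sdomain": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group("comm") if comm else "?",
    }


def parse_lines(lines):
    return [rec for rec in map(parse_avc, lines) if rec is not None]


def summarize(records):
    """Group denials by (source domain, target type, class) -> union of perms."""
    summary = defaultdict(set)
    for rec in records:
        summary[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render grouped denials as the allow rules audit2allow would emit."""
    return sorted(
        f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdom, ttype, tclass), perms in summary.items()
    )


def triage(summary):
    """Flag denials whose correct fix is labeling or a transition, not an allow."""
    notes = []
    for (sdom, ttype, tclass), perms in summary.items():
        if tclass == "file" and ttype.endswith("_exec_t") and "execute_no_trans" in perms:
            owner = ttype[: -len("_exec_t")] + "_t"  # assumed naming convention
            if owner != sdom:
                notes.append(f"{sdom} executes {ttype} without a domain transition; "
                             f"the policy fix is a transition {sdom} -> {owner} via "
                             f"{ttype}, not an execute_no_trans allow")
        if ttype in GENERIC_TYPES:
            notes.append(f"{sdom} denied {sorted(perms)} on a generic {ttype} {tclass}: "
                         f"object is probably mislabeled; add a file context "
                         f"(semanage fcontext + restorecon) instead of an allow rule")
    return notes


if __name__ == "__main__":
    summary = summarize(parse_lines(SAMPLE_AVCS.splitlines()))
    for rule in allow_rules(summary):
        print(rule)
    for note in triage(summary):
        print("NOTE:", note)
```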

Comment 30 Lukas Vrabec 2015-08-27 12:33:02 UTC
commit 2977dd17f69b299a14b4eee2366bbef885b821b4
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 11:17:52 2015 +0200

    Allow dhcpc_t domain transition to chronyd_t
    Resolves: #1243764


commit f996ef449bfe5d25e7e979dd72a6763c1a81bf19
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 13 13:23:54 2015 +0200

    Label /var/run/chrony-helper dir as chronyd_var_run_t.
    Resolves: #1243764

Comment 36 ilmostro7 2015-10-09 15:00:07 UTC
SELinux is preventing /usr/bin/bash from read access on the file /usr/libexec/chrony-helper.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read access on the chrony-helper file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dhclient-script /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:chronyd_exec_t:s0
Target Objects                /usr/libexec/chrony-helper [ file ]
Source                        dhclient-script
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          fedpadssd.airportx
Source RPM Packages           bash-4.2.46-19.el7.x86_64
Target RPM Packages           chrony-2.1.1-1.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-44.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedpadssd.airportx
Platform                      Linux fedpadssd.airportx
                              3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Aug 25
                              11:21:22 EDT 2015 x86_64 x86_64
Alert Count                   85
First Seen                    2015-09-19 19:09:55 CDT
Last Seen                     2015-10-09 09:12:41 CDT
Local ID                      c37a338c-b22f-45bb-9e23-4a4dbcb823eb

Raw Audit Messages
type=AVC msg=audit(1444399961.416:5187): avc:  denied  { read } for  pid=27547 comm="dhclient-script" name="chrony-helper" dev="dm-0" ino=135336661 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1444399961.416:5187): arch=x86_64 syscall=open success=no exit=EACCES a0=c945c0 a1=0 a2=43 a3=7ffce791c080 items=0 ppid=27500 pid=27547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dhclient-script exe=/usr/bin/bash subj=system_u:system_r:dhcpc_t:s0 key=(null)

Hash: dhclient-script,dhcpc_t,chronyd_exec_t,file,read

Comment 37 Milos Malik 2015-10-09 15:43:29 UTC
The problem is fixed in selinux-policy 3.13.1-47.el7 and above.

Comment 38 ilmostro7 2015-10-16 17:30:53 UTC
# rpm -q selinux-policy
selinux-policy-3.13.1-44.el7.noarch

Uhh...am I missing something?

Comment 39 Miroslav Grepl 2015-10-19 05:58:33 UTC
3.13.1-47.el7 vs. 3.13.1-44.el7

Comment 40 ILMostro 2015-10-19 06:26:11 UTC
I assumed 3.13.1-47 would be pushed to RHEL7.2 repos by now

Comment 42 errata-xmlrpc 2015-11-19 10:41:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

