Bug 1259636 - SELinux issues with latest chrony
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1268607 1268608
Depends On:
Blocks: 1273733

Reported: 2015-09-03 04:56 EDT by Miroslav Lichvar
Modified: 2016-06-28 09:33 EDT
Fixed In Version: selinux-policy-3.13.1-154.fc24
Doc Type: Bug Fix
Clones: 1273733
Last Closed: 2015-11-10 04:13:47 EST
Type: Bug

Attachments: none
Description Miroslav Lichvar 2015-09-03 04:56:50 EDT
Description of problem:

chrony from the current git now uses Unix domain sockets for configuration commands from chronyc. Both the server (chronyd) and the client (chronyc) sockets are created in /var/run/chrony. One problem is that chronyd is not allowed to change ownership of the directory and the other is that chronyd (or chronyc run from the chrony-helper script) is not allowed to send a reply to the socket.

I get these AVCs:

type=AVC msg=audit(1441269749.876:6546): avc:  denied  { chown } for  pid=12578 comm="chronyd" capability=0  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1441269757.966:6548): avc:  denied  { sendto } for  pid=12578 comm="chronyd" path="/run/chrony/chronyc.12583.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269927.465:6550): avc:  denied  { sendto } for  pid=12633 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269958.143:6553): avc:  denied  { write } for  pid=12578 comm="chronyd" name="chronyc.12687.sock" dev="tmpfs" ino=750666 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1


There is also an issue with the labelling of /var/run/chrony and /var/run/chrony-helper: restorecon resets their label to var_run_t.

If you would like to test it, chrony packages built from a git snapshot are here:
https://copr.fedoraproject.org/coprs/mlichvar/chrony/
Comment 1 Lukas Vrabec 2015-09-03 17:59:23 EDT
Hi, 

We label following dirs:
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)

So do we need to change the first dir (chronyd) to /var/run/chrony?
For chrony-helper we have a label; could you add the version of the selinux-policy package on the tested system?

Thank you.
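The following is an added example written for this page, not code from the bug report, from chrony, or from selinux-policy. It takes the two pieces of evidence quoted so far, the four AVC records in the description and the two file_contexts entries in comment 1, and makes both of them checkable offline: the first function reduces the AVC lines to candidate allow rules the way audit2allow would, and the second emulates a file_contexts lookup to show why restorecon relabels /var/run/chrony to var_run_t when the only entries are for /var/run/chronyd and /var/run/chrony-helper. The generic `/var/run(/.*)?` fallback line and the shape of the added `/var/run/chrony(/.*)?` entry are assumptions (the page does not quote the line that actually shipped in selinux-policy-3.13.1-154.fc24).

```shell
#!/bin/sh
# Added example for bug 1259636; not the bug's, chrony's or selinux-policy's own code.

# The four AVC records quoted in the bug description, embedded as sample input.
AVC_SAMPLE='type=AVC msg=audit(1441269749.876:6546): avc:  denied  { chown } for  pid=12578 comm="chronyd" capability=0  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1441269757.966:6548): avc:  denied  { sendto } for  pid=12578 comm="chronyd" path="/run/chrony/chronyc.12583.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269927.465:6550): avc:  denied  { sendto } for  pid=12633 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269958.143:6553): avc:  denied  { write } for  pid=12578 comm="chronyd" name="chronyc.12687.sock" dev="tmpfs" ino=750666 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1'

# avc_to_allow: read AVC records on stdin and print one refpolicy-style
# "allow" rule per (source type, target type, class), merging permissions
# and writing the target as "self" when source and target types are equal.
# These are candidates to read, not rules to ship: the sendto to unconfined_t
# and the write to a var_run_t sock_file are symptoms of the directory being
# mislabelled, and relabelling removes them without any blanket allow.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      l = index($0, "{"); r = index($0, "}")
      perms = substr($0, l + 1, r - l - 1)          # text between { and }
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = $i
        else if ($i ~ /^tcontext=/) tgt = $i
        else if ($i ~ /^tclass=/) cls = $i
      }
      sub(/^scontext=/, "", src); sub(/^tcontext=/, "", tgt); sub(/^tclass=/, "", cls)
      split(src, s, ":"); split(tgt, t, ":")         # user:role:type[:range]
      stype = s[3]; ttype = t[3]
      if (stype == ttype) ttype = "self"
      key = stype " " ttype ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " rules[key] " ", " " p[j] " ") == 0)
          rules[key] = (rules[key] == "" ? p[j] : rules[key] " " p[j])
    }
    END { for (k in rules) printf "allow %s { %s };\n", k, rules[k] }
  ' | sort
}

# Constructed file_contexts fragment: the two entries quoted in comment 1 plus
# the generic /var/run fallback (assumed to be the base-policy line that makes
# anything else under /var/run come out as var_run_t).
FC_BEFORE='/var/run(/.*)? var_run_t
/var/run/chronyd(/.*)? chronyd_var_run_t
/var/run/chrony-helper(/.*)? chronyd_var_run_t'

# The same table with the entry the report is asking for (assumed shape,
# modelled on the existing chronyd line).
FC_AFTER="$FC_BEFORE
/var/run/chrony(/.*)? chronyd_var_run_t"

# fc_lookup TABLE PATH: print the type of the last entry whose anchored regex
# matches PATH, or "-" if none matches. Last match wins, which is how
# libselinux reads file_contexts once the build has sorted entries from least
# to most specific.
fc_lookup() {
  printf '%s\n' "$1" | awk -v path="$2" '
    NF == 2 && path ~ ("^" $1 "$") { lbl = $2 }
    END { print (lbl == "" ? "-" : lbl) }
  '
}

# Stand-alone run: the candidate rules, then the label /var/run/chrony gets
# before and after the extra file_contexts entry.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
fc_lookup "$FC_BEFORE" /var/run/chrony
fc_lookup "$FC_AFTER" /var/run/chrony/chronyd.sock
```

Reading the output side by side with the fc lookup is the point: the `chown` capability is a genuine new requirement of chronyd and needs a policy allow, while the `sendto`/`write` denials against unconfined_t and var_run_t disappear once `/var/run/chrony` and the sockets created in it carry chronyd_var_run_t, so they should be solved by labelling rather than by pasting the generated rules into a local module.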
Comment 2 Miroslav Lichvar 2015-09-04 03:26:19 EDT
I was testing with selinux-policy-3.13.1-128.12.fc22.

I'm not sure what /var/run/chronyd/ is used for. It's not a path from the default upstream configuration, maybe it's specific to some Linux distribution. Maybe keep both?

Thanks for looking into this, Lukas.
Comment 3 Miroslav Lichvar 2015-10-02 09:14:34 EDT
chrony-2.2-pre1 is now in rawhide. It hits these errors in default configuration.
Comment 4 Lukas Vrabec 2015-10-05 17:02:18 EDT
*** Bug 1268607 has been marked as a duplicate of this bug. ***
Comment 5 Lukas Vrabec 2015-10-05 17:02:45 EDT
*** Bug 1268608 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Lichvar 2015-10-15 05:40:43 EDT
Any news on this? Final chrony-2.2 will probably be released in the next week and there will be an F23 update too.
Comment 7 Lukas Vrabec 2015-10-16 06:49:53 EDT
Fixes added to rawhide. This will be fixed in: selinux-policy-3.13.1-154.fc24

Could you test it, please? Then we can move it also to F23.
Comment 8 Miroslav Lichvar 2015-10-20 10:08:03 EDT
With selinux-policy-3.13.1-154.fc24 it seems to be working nicely. I don't see any AVCs. Thanks!
Comment 9 Lukas Vrabec 2015-10-20 15:37:20 EDT
Thank you for testing! 

Could you also create F23 bug? 

Thank you.