Description of problem: chrony from the current git now uses Unix domain sockets for configuration commands from chronyc. Both the server (chronyd) and the client (chronyc) sockets are created in /var/run/chrony. One problem is that chronyd is not allowed to change ownership of the directory, and the other is that chronyd (or chronyc run from the chrony-helper script) is not allowed to send a reply to the socket. I get these AVCs:

type=AVC msg=audit(1441269749.876:6546): avc: denied { chown } for pid=12578 comm="chronyd" capability=0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1441269757.966:6548): avc: denied { sendto } for pid=12578 comm="chronyd" path="/run/chrony/chronyc.12583.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269927.465:6550): avc: denied { sendto } for pid=12633 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269958.143:6553): avc: denied { write } for pid=12578 comm="chronyd" name="chronyc.12687.sock" dev="tmpfs" ino=750666 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1

There is also an issue with the labelling of /var/run/chrony and /var/run/chrony-helper: restorecon resets their label to var_run_t.

If you would like to test it, chrony packages built from a git snapshot are here: https://copr.fedoraproject.org/coprs/mlichvar/chrony/
Hi,

We label the following dirs:

/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)

So do we need to change the first dir (chronyd) to /var/run/chrony? For chrony-helper we have a label. Could you add the version of the selinux-policy package on the tested system?

Thank you.
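As an added example (not part of the bug report, the reply, or the selinux-policy package), the following Python script does the two checks a policy maintainer would do by hand when triaging a report like the one above: it parses the AVC records quoted in the report into (source type, target type, class, permissions) tuples, which is the shape of the allow rules the denials imply, and it evaluates paths against the file-context patterns quoted in the reply to show why /var/run/chrony does not pick up chronyd_var_run_t while /var/run/chronyd and /var/run/chrony-helper do. The AVC lines are copied from the report; the trailing "?" on the (/.*) groups, the treatment of /run as an alias of /var/run, and the longest-pattern-wins rule are assumptions standing in for the real libselinux file-context matching.

```python
import re
from collections import defaultdict

# AVC records copied from the bug report above (one per line).
AVC_RECORDS = [
    'type=AVC msg=audit(1441269749.876:6546): avc: denied { chown } for pid=12578 comm="chronyd" '
    'capability=0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 '
    'tclass=capability permissive=1',
    'type=AVC msg=audit(1441269757.966:6548): avc: denied { sendto } for pid=12578 comm="chronyd" '
    'path="/run/chrony/chronyc.12583.sock" scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1441269927.465:6550): avc: denied { sendto } for pid=12633 comm="chronyc" '
    'path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1441269958.143:6553): avc: denied { write } for pid=12578 comm="chronyd" '
    'name="chronyc.12687.sock" dev="tmpfs" ino=750666 scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(record):
    """Extract the fields of one AVC denial; return None for non-AVC lines."""
    m = AVC_RE.search(record)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['permissive'] = d.get('permissive') == '1'
    # path= is present for sockets, name= for file objects; keep whichever exists.
    path = re.search(r'\bpath="([^"]*)"', record)
    name = re.search(r'\bname="([^"]*)"', record)
    d['path'] = path.group(1) if path else (name.group(1) if name else None)
    # The third colon-separated field of a context is the type.
    d['stype'] = d['scontext'].split(':')[2]
    d['ttype'] = d['tcontext'].split(':')[2]
    return d


def summarize(records):
    """Group denials by (source type, target type, class) -> sorted permissions.
    Each key is the left-hand side of one 'allow stype ttype:tclass { perms };'."""
    rules = defaultdict(set)
    for r in records:
        d = parse_avc(r)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def mislabeled_targets(records, expected_type='chronyd_var_run_t'):
    """Return (path, type) for file objects under a chrony runtime path that carry
    a type other than the expected one: the labelling symptom the report describes.
    Socket classes are skipped because their context is the peer process, not a file."""
    out = []
    for r in records:
        d = parse_avc(r)
        if (d and d['path'] and 'chrony' in d['path']
                and d['ttype'] != expected_type
                and d['tclass'] in ('sock_file', 'file', 'dir')):
            out.append((d['path'], d['ttype']))
    return out


# File-context patterns as quoted in the reply. The trailing '?' is the usual
# refpolicy spelling (assumption) so the directory itself matches as well.
FILE_CONTEXTS = [
    (r'/var/run/chronyd(/.*)?', 'chronyd_var_run_t'),
    (r'/var/run/chrony-helper(/.*)?', 'chronyd_var_run_t'),
]


def expected_label(path, contexts=FILE_CONTEXTS):
    """Type the file-context table assigns to path, or None when nothing matches
    (restorecon then leaves the generic parent label, var_run_t under /var/run).
    /run is folded to /var/run (assumption: mirrors the /run alias on Fedora);
    the longest matching pattern wins as a stand-in for libselinux's ordering."""
    if path == '/run' or path.startswith('/run/'):
        path = '/var' + path
    best = None
    for pattern, label in contexts:
        if re.fullmatch(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, label)
    return best[1] if best else None


if __name__ == '__main__':
    for key, perms in summarize(AVC_RECORDS).items():
        print('allow %s %s:%s { %s };' % (key[0], key[1], key[2], ' '.join(perms)))
    print('mislabeled:', mislabeled_targets(AVC_RECORDS))
    for p in ('/run/chrony/chronyd.sock', '/var/run/chronyd/x', '/run/chrony-helper/y'):
        print(p, '->', expected_label(p))
```

Running it shows the four denials collapse to four distinct rule shapes, the only mislabeled file object is chronyc.12687.sock carrying var_run_t, and /run/chrony/chronyd.sock matches neither quoted pattern, whereas adding a /var/run/chrony(/.*)? entry to the table makes it resolve to chronyd_var_run_t.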
I was testing with selinux-policy-3.13.1-128.12.fc22. I'm not sure what /var/run/chronyd/ is used for. It's not a path from the default upstream configuration, maybe it's specific to some Linux distribution. Maybe keep both? Thanks for looking into this, Lukas.
chrony-2.2-pre1 is now in rawhide. It hits these errors in default configuration.
*** Bug 1268607 has been marked as a duplicate of this bug. ***
*** Bug 1268608 has been marked as a duplicate of this bug. ***
Any news on this? The final chrony-2.2 will probably be released next week, and there will be an F23 update too.
Fixes added to rawhide. This will be fixed in: selinux-policy-3.13.1-154.fc24

Could you test it, please? Then we can move it also to F23.
With selinux-policy-3.13.1-154.fc24 it seems to be working nicely. I don't see any AVCs. Thanks!
Thank you for testing! Could you also create an F23 bug? Thank you.