1273733 – SELinux issues with latest chrony (F23)

Bug 1273733 - SELinux issues with latest chrony (F23)

Summary: SELinux issues with latest chrony (F23)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	1259636
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-21 06:55 UTC by Miroslav Lichvar
Modified:	2015-11-13 22:53 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.13.1-153.fc23 selinux-policy-3.13.1-154.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1259636
Environment:
Last Closed:	2015-11-13 22:53:45 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Miroslav Lichvar 2015-10-21 06:55:02 UTC

+++ This bug was initially created as a clone of Bug #1259636 +++

Description of problem:

chrony from the current git now uses Unix domain sockets for configuration commands from chronyc. Both the server (chronyd) and the client (chronyc) sockets are created in /var/run/chrony. One problem is that chronyd is not allowed to change ownership of the directory and the other is that chronyd (or chronyc run from the chrony-helper script) is not allowed to send a reply to the socket.

I get these AVCs:

type=AVC msg=audit(1441269749.876:6546): avc:  denied  { chown } for  pid=12578 comm="chronyd" capability=0  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1441269757.966:6548): avc:  denied  { sendto } for  pid=12578 comm="chronyd" path="/run/chrony/chronyc.12583.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269927.465:6550): avc:  denied  { sendto } for  pid=12633 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1441269958.143:6553): avc:  denied  { write } for  pid=12578 comm="chronyd" name="chronyc.12687.sock" dev="tmpfs" ino=750666 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1


There is also an issue with labelling of /var/run/chrony and /var/run/chrony-helper, restorecon resets their label to var_run_t.

If you would like to test it, chrony packages built from git snapshot are here:
https://copr.fedoraproject.org/coprs/mlichvar/chrony/

--- Additional comment from Lukas Vrabec on 2015-09-03 17:59:23 EDT ---

Hi, 

We label following dirs:
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)

So do we need change first dir (chronyd) to /va/run/chrony ? 
For chrony-helper we have label, could you add version of selinux-policy package on tested system? 

Thank you.

--- Additional comment from Miroslav Lichvar on 2015-09-04 03:26:19 EDT ---

I was testing with selinux-policy-3.13.1-128.12.fc22.

I'm not sure what /var/run/chronyd/ is used for. It's not a path from the default upstream configuration, maybe it's specific to some Linux distribution. Maybe keep both?

Thanks for looking into this, Lukas.

--- Additional comment from Miroslav Lichvar on 2015-10-02 09:14:34 EDT ---

chrony-2.2-pre1 is now in rawhide. It hits these errors in default configuration.

--- Additional comment from Miroslav Lichvar on 2015-10-20 10:08:03 EDT ---

With selinux-policy-3.13.1-154.fc24 it seems to be working nicely. I don't see any AVCs. Thanks!

Comment 1 Lukas Vrabec 2015-10-27 14:30:53 UTC

commit 403b49d6408dd5684444ee8d62790eccdebf00e4
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 6 10:59:00 2015 +0200

    Label /var/run/chrony directory as chronyd_var_run_t. BZ(1259636)

commit e9fb01f1b39a5e62259226eb4809508289349c5a
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 16 12:39:34 2015 +0200

    Fixes for chrony version 2.2 BZ(#1259636)
     * Allow chrony chown capability
     * Allow sendto dgram_sockets to itself and to unconfined_t domains.

Comment 2 Fedora Update System 2015-11-03 09:49:20 UTC

selinux-policy-3.13.1-153.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0f80dc6c64

Comment 3 Fedora Update System 2015-11-03 19:53:15 UTC

selinux-policy-3.13.1-153.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0f80dc6c64

Comment 4 Fedora Update System 2015-11-09 15:11:15 UTC

selinux-policy-3.13.1-154.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b85d80ba8

Comment 5 Fedora Update System 2015-11-10 03:22:24 UTC

selinux-policy-3.13.1-154.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b85d80ba8

Comment 6 Fedora Update System 2015-11-13 22:53:18 UTC

selinux-policy-3.13.1-154.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.