Bug 1284691 - chronyd denial during installation
Status: CLOSED DUPLICATE of bug 1350815
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-23 22:31 UTC by matt jia
Modified: 2019-04-29 09:15 UTC (History)
Doc Type: Bug Fix
Last Closed: 2016-10-26 08:35:26 UTC
Type: Bug

Description matt jia 2015-11-23 22:31:00 UTC
Description of problem:

Experienced chronyd denials when installing the latest rawhide.

The actual AVC denial is in the avc.log:

type=AVC msg=audit(1447735905.213:77): avc:  denied  { sendto } for  pid=571 comm="chronyd" path="/run/chrony/chronyc.590.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 1 Lukas Vrabec 2015-11-24 12:48:52 UTC
Hi, 
Could you attach output of:
ps -efZ | grep unconfined_service_t

Thank you.

Comment 2 Jan Kurik 2016-02-24 15:51:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 3 Pavel Studeník 2016-06-29 15:46:08 UTC
On Fedora 24 I received these AVC messages:

time->Tue Jun 28 20:09:52 2016
type=AVC msg=audit(1467158992.759:88): avc:  denied  { sendto } for  pid=797 comm="chronyd" path="/run/chrony/chronyc.803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 4 Pavel Studeník 2016-07-13 13:51:45 UTC
I see this message on a system with Fedora 23 as well.

time->Mon Jul 11 20:13:29 2016
type=AVC msg=audit(1468282409.735:108): avc:  denied  { sendto } for  pid=823 comm="chronyd" path="/run/chrony/chronyc.844.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 6 Edgar Hoch 2016-07-19 18:58:10 UTC
I have run the command of comment #24 on a Fedora 24 system:

# ps -efZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 root 1005 1  0 20:20 ?       00:00:00 /usr/libexec/udisks2/udisksd --no-debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2313 2239  0 20:55 pts/0 00:00:00 grep --color=auto unconfined_service_t

I have the same messages:

type=AVC msg=audit(1468952437.787:227): avc:  denied  { sendto } for  pid=1018 comm="chronyd" path="/run/chrony/chronyc.1108.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Comment 7 Lukas Slebodnik 2016-08-27 14:37:10 UTC
It looks like an issue with service chrony-wait.service.

[root@host ~]# systemctl stop chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
<no matches>

[root@host ~]# systemctl start chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
----
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc:  denied  { sendto } for  pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1

and it also looks like a duplicate of BZ1350815
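
Added example, not part of the original report or of any Fedora tooling: a short Python parser that reduces the AVC records quoted in the comments above, in both raw audit.log form and `ausearch -i` form, to a (source type, target type, class, permissions) key, so that separate reports can be confirmed as the same denial. The function names are hypothetical; the sample records are copied from this page.

```python
import re
from collections import Counter

# AVC records copied from the comments on this page: two in raw audit.log
# form and one in `ausearch -i` form (unquoted values, rewritten timestamp).
SAMPLE = r'''
type=AVC msg=audit(1447735905.213:77): avc:  denied  { sendto } for  pid=571 comm="chronyd" path="/run/chrony/chronyc.590.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1468952437.787:227): avc:  denied  { sendto } for  pid=1018 comm="chronyd" path="/run/chrony/chronyc.1108.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc:  denied  { sendto } for  pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # value is quoted or a bare token


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = tuple(m.group('perms').split())
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type:level context string."""
    return context.split(':')[2]


def rule_key(rec):
    """Key that identifies the denied access independent of pid and path."""
    return (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
            rec['tclass'], rec['perms'])


def summarize(text):
    """Parse all AVC lines; count per rule key, and how many were enforced."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    counts = Counter(rule_key(r) for r in recs)
    # permissive=0 means the access was blocked; permissive=1 only logged it.
    enforced = Counter(rule_key(r) for r in recs if r.get('permissive') == '0')
    return recs, counts, enforced


if __name__ == '__main__':
    recs, counts, enforced = summarize(SAMPLE)
    for key, n in counts.items():
        print(n, 'records,', enforced[key], 'enforced:', key)
```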

Comment 8 Lukas Slebodnik 2016-09-30 18:16:04 UTC
Bump

Comment 9 Miroslav Grepl 2016-10-26 08:35:26 UTC

*** This bug has been marked as a duplicate of bug 1350815 ***
