Bug 1350815 - systemctl restart chrony-wait causes AVC denials
Summary: systemctl restart chrony-wait causes AVC denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chrony
Version: 24
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1284691 1390204 1398980
Depends On:
Blocks:
 
Reported: 2016-06-28 13:07 UTC by Jan Pazdziora
Modified: 2016-12-08 03:20 UTC
CC: 16 users

Fixed In Version: chrony-2.4-4.fc24 chrony-2.4-4.fc25 chrony-2.4.1-1.fc23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-08 03:20:10 UTC



Description Jan Pazdziora 2016-06-28 13:07:19 UTC
Description of problem:

When systemctl restart chrony-wait is run (and time is a bit off, I assume),
an AVC denial is logged.

Version-Release number of selected component (if applicable):

chrony-2.4-1.fc24.x86_64

How reproducible:

Semi-deterministic.

Steps to Reproduce:
1. Have Fedora 24 installed.
2. Set time five seconds back: date -s '-5 sec'
3. Run systemctl restart chrony-wait

Actual results:

type=AVC msg=audit(1467119106.048:204): avc:  denied  { sendto } for  pid=671 comm="chronyd" path="/run/chrony/chronyc.1654.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0

Expected results:

No AVC denial.

Additional info:

Comment 1 Jan Pazdziora 2016-06-28 13:08:18 UTC
The process of pid 1654 is

/usr/bin/chronyc waitsync 600 0.1 0.0 1

Comment 3 Jan Pazdziora 2016-06-28 13:09:57 UTC
The SELinux policy is selinux-policy-targeted-3.13.1-191.fc24.2.noarch.

Comment 4 Jan Pazdziora 2016-06-28 13:11:34 UTC
I can actually see this on Fedora 23 as well:

chrony-2.4-1.fc23.x86_64
selinux-policy-targeted-3.13.1-158.15.fc23.noarch

I haven't seen it in automated Fedora 23 tests in the past and I see it with virtually every Fedora 24 setup now. But maybe Fedora 23 did not run chrony-wait in the past?

Comment 6 Miroslav Lichvar 2016-06-28 13:20:45 UTC
chrony since 2.4 uses a Unix domain socket for communication between chronyd and chronyc (running with root privileges). There was a request to support this change in bug #1259636. I think it worked for me before, so I'm not sure if the initial support was incomplete or the policy has changed recently.

Comment 7 Miroslav Lichvar 2016-06-28 13:22:40 UTC
It's actually chrony version 2.2 and later which use the Unix socket. In Fedora 23 there was recently an update from 2.1.1 to 2.4.

Comment 8 Jan Pazdziora 2016-06-30 11:57:16 UTC
Do you think this is an issue in chrony, or should I move the bugzilla to selinux-policy?

Comment 10 Miroslav Lichvar 2016-06-30 12:40:37 UTC
I think it's a missing rule in the selinux policy. chronyd can't respond to chronyc when it's running as a service (it has unconfined_service_t context).

As a quick workaround you can force chronyc in the chrony-wait service to not use Unix domain socket:

sed 's|chronyc waitsync|chronyc -h ::1 waitsync|' \
      < /usr/lib/systemd/system/chrony-wait.service \
      > /etc/systemd/system/chrony-wait.service

Another issue I noticed when I was trying different configuration directives is blocked access to /etc/adjtime:

#============= chronyd_t ==============
allow chronyd_t adjtime_t:file { read open getattr };

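Turning the raw AVC records into the audit2allow-style summary quoted above is the usual first step of triage, so here is an added example (not code from the bug report, from chrony or from selinux-policy) that does that in Python: it parses records of the form shown in the description, reduces each context to its type (`system_u:system_r:chronyd_t:s0` becomes `chronyd_t`), and merges permissions per (source type, target type, class) into `allow` syntax. The sample input is constructed: the first record is the one from the description, the two `adjtime_t` records are invented to match the rule quoted above, and the SYSCALL line is there to show non-AVC records being skipped. The output is a starting point for deciding whether a rule is genuinely missing or whether, as comment 20 later concludes, the source or target domain is wrong because of a labeling problem; it is not a policy module to install as-is.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Record :204 is the AVC line from the bug
# description; the adjtime records and the SYSCALL line are made up here.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1467119106.048:204): avc:  denied  { sendto } for  pid=671 comm="chronyd" path="/run/chrony/chronyc.1654.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1467119200.000:210): avc:  denied  { read open } for  pid=671 comm="chronyd" name="adjtime" dev="vda1" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467119201.000:211): avc:  denied  { getattr } for  pid=671 comm="chronyd" path="/etc/adjtime" dev="vda1" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467119106.048:204): arch=c000003e syscall=44 success=no exit=-13
"""

# Field order in kernel AVC records is fixed: decision, permissions, then
# comm/path details, then scontext, tcontext, tclass and (optionally) permissive.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'(?:.*?comm="(?P<comm>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def context_type(ctx):
    """user:role:type:level -> type; this is what audit2allow puts in the rule."""
    return ctx.split(":")[2]


def summarize(audit_text):
    """Group denials by (source type, target type, class) -> set of permissions.

    A 'denied' record with permissive=1 is still a denial that enforcing mode
    would block, so it is counted the same way.
    """
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        denials[key].update(rec["perms"])
    return denials


def as_allow_rules(denials):
    """Render the summary in the audit2allow style quoted in the bug report."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

For the record from the description the summary is `allow chronyd_t unconfined_service_t:unix_dgram_socket sendto;`. Reading it the way comment 20 does, the interesting part is not the missing permission but the target type: a reply socket owned by `unconfined_service_t` means chronyc was not running in a confined domain at all, which is a labeling question rather than something a single `allow` line should paper over.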
Comment 11 Jan Pazdziora 2016-07-11 07:27:46 UTC
(In reply to Miroslav Lichvar from comment #10)
> I think it's a missing rule in the selinux policy. chronyd can't respond to
> chronyc when it's running as a service (it has unconfined_service_t context).
> 
> As a quick workaround you can force chronyc in the chrony-wait service to
> not use Unix domain socket:
> 
> sed 's|chronyc waitsync|chronyc -h ::1 waitsync|' \
>       < /usr/lib/systemd/system/chrony-wait.service \
>       > /etc/systemd/system/chrony-wait.service

I confirm that

   sed -i 's|chronyc waitsync|chronyc -h ::1 waitsync|' /usr/lib/systemd/system/chrony-wait.service

makes the problem go away.

Do we know what the proper fix (in the SELinux policy) would be?

> Another issue I noticed when I was trying different configuration directives
> is blocked access to /etc/adjtime:
> 
> #============= chronyd_t ==============
> allow chronyd_t adjtime_t:file { read open getattr };

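Both variants of the workaround above edit a whole unit file: comment 10 copies it into /etc/systemd/system, comment 11 rewrites the vendor copy in /usr/lib, which the next chrony update will overwrite. As an added example that is not part of the thread, the Python below generates the same change as a systemd drop-in (`/etc/systemd/system/chrony-wait.service.d/override.conf`), which is the mechanism systemd provides for overriding single directives of a vendor unit. The `VENDOR_UNIT` text is a constructed stand-in: only its ExecStart line comes from the bug report, the other lines are a plausible skeleton and not the real unit; `write_dropin` and `add_host_flag` are names chosen here. The empty `ExecStart=` line in the drop-in is required: it clears the vendor value before the replacement is set, otherwise a Type=oneshot unit would run both commands.

```python
import os

# Constructed stand-in for /usr/lib/systemd/system/chrony-wait.service.
# Only the ExecStart line is taken from the bug report.
VENDOR_UNIT = """\
[Unit]
Description=Wait for chrony to synchronize system clock
After=chronyd.service

[Service]
Type=oneshot
ExecStart=/usr/bin/chronyc waitsync 600 0.1 0.0 1

[Install]
WantedBy=multi-user.target
"""


def exec_start_lines(unit_text):
    """Return the command part of every ExecStart= line in a unit file."""
    return [line.split("=", 1)[1]
            for line in unit_text.splitlines()
            if line.startswith("ExecStart=")]


def add_host_flag(cmd, host="::1"):
    """Insert '-h HOST' after the chronyc binary, as in the workaround from
    comment 10, so chronyc talks UDP to localhost instead of the Unix socket.
    Refuses anything that is not a chronyc invocation and is idempotent."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) != "chronyc":
        raise ValueError(f"not a chronyc command line: {cmd!r}")
    if "-h" in argv:
        return cmd
    return " ".join([argv[0], "-h", host] + argv[1:])


def dropin_text(unit_text):
    """Build the [Service] drop-in. The bare 'ExecStart=' resets the vendor
    value; every original ExecStart is then re-added with the -h flag."""
    lines = ["[Service]", "ExecStart="]
    for cmd in exec_start_lines(unit_text):
        lines.append("ExecStart=" + add_host_flag(cmd))
    return "\n".join(lines) + "\n"


def write_dropin(unit_name, unit_text, root="/"):
    """Write <root>/etc/systemd/system/<unit>.d/override.conf and return its path.
    'root' exists so the function can be exercised against a scratch directory;
    on a real host run with root="/" and then 'systemctl daemon-reload'."""
    path = os.path.join(root, "etc/systemd/system", unit_name + ".d", "override.conf")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(dropin_text(unit_text))
    return path


if __name__ == "__main__":
    import tempfile
    # Demonstration against a scratch root instead of the live system.
    scratch = tempfile.mkdtemp()
    p = write_dropin("chrony-wait.service", VENDOR_UNIT, root=scratch)
    print(p)
    print(open(p).read(), end="")
```

Because the drop-in only overrides ExecStart, a later chrony update that changes other parts of chrony-wait.service still takes effect, and `systemctl cat chrony-wait.service` shows the vendor unit and the override together, which makes the workaround easy to spot and to remove once the policy or package fix lands.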
Comment 12 Jan Pazdziora 2016-09-05 12:36:18 UTC
Could we please get the proper fix in? The need to include the workaround complicates our testing of other components.

Comment 14 Fedora Admin XMLRPC Client 2016-09-27 15:08:27 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 15 Jan Pazdziora 2016-10-03 11:29:35 UTC
Could we please get the proper fix in? The need to include the workaround complicates our testing of other components.

Comment 16 Jan Hutař 2016-10-04 08:21:44 UTC
Possibly a duplicate of bug 1284691?

Comment 19 Miroslav Grepl 2016-10-26 08:35:26 UTC
*** Bug 1284691 has been marked as a duplicate of this bug. ***

Comment 20 Miroslav Grepl 2016-10-26 09:28:46 UTC
The problem is with

ExecStart=/usr/bin/chronyc waitsync 600 0.1 0.0 1

because /usr/bin/chronyc is labeled as bin_t and we end up with unconfined_service_t. We don't want to label it as chronyd_exec_t because chronyc is a command line interface.

Could we get a helper script here which we could label as chronyd_exec_t?

Comment 21 Miroslav Lichvar 2016-10-26 10:00:48 UTC
You mean to change the ExecStart line to call /usr/libexec/chrony-helper instead of /usr/bin/chronyc?

We can do that, but this change wouldn't go upstream and I'd rather avoid adding another Fedora-specific patch. If this can't be fixed properly, I liked better the workaround from comment #10.

Comment 22 Fedora Update System 2016-10-28 14:55:36 UTC
chrony-2.4-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1121fb57c9

Comment 23 Fedora Update System 2016-10-29 03:55:25 UTC
chrony-2.4-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2ee0547cf1

Comment 24 Fedora Update System 2016-10-31 07:37:54 UTC
chrony-2.4-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Lukas Vrabec 2016-11-01 14:37:05 UTC
*** Bug 1390204 has been marked as a duplicate of this bug. ***

Comment 26 Fedora Update System 2016-11-03 23:54:39 UTC
chrony-2.4-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Miroslav Lichvar 2016-11-28 09:19:29 UTC
*** Bug 1398980 has been marked as a duplicate of this bug. ***

Comment 28 Fedora Update System 2016-11-28 09:32:08 UTC
chrony-2.4.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e62d5b25ee

Comment 29 Michal Jaegermann 2016-11-28 18:25:45 UTC
(In reply to Fedora Update System from comment #28)
> chrony-2.4.1-1.fc23 has been submitted as an update to Fedora 23.

Long waits for the next flight in Toronto seem to have some advantages. :-)  This refers to a duplicate bug 1398980.

Comment 30 Fedora Update System 2016-11-30 06:52:06 UTC
chrony-2.4.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e62d5b25ee

Comment 31 Fedora Update System 2016-12-08 03:20:10 UTC
chrony-2.4.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
