Description of problem: So far I collected 122 alerts of that kind on a laptop which occasionally is used pretty intensively but it also has a prolonged periods when it is not powered on at all: SELinux is preventing chronyd from sendto access on the unix_dgram_socket /run/chrony/chronyc.783.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that chronyd should be allowed sendto access on the chronyc.783.sock unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'chronyd' --raw | audit2allow -M my-chronyd # semodule -X 300 -i my-chronyd.pp Additional Information: Source Context system_u:system_r:chronyd_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects /run/chrony/chronyc.783.sock [ unix_dgram_socket ] Source chronyd Source Path chronyd Port <Unknown> Host aaa.bbb.cc Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.24.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name aaa.bbb.cc Platform Linux aaa.bbb.cc 4.8.8-100.fc23.x86_64 #1 SMP Tue Nov 15 18:51:53 UTC 2016 x86_64 x86_64 Alert Count 122 First Seen 2016-06-24 12:18:28 MDT Last Seen 2016-11-27 13:09:58 MST Local ID 6375dca9-dd0b-4536-a352-58fc9d05f5fb Raw Audit Messages type=AVC msg=audit(1480277398.118:209): avc: denied { sendto } for pid=690 comm="chronyd" path="/run/chrony/chronyc.783.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1 Hash: chronyd,chronyd_t,unconfined_service_t,unix_dgram_socket,sendto ryjek:$ cat alert.chrony SELinux is preventing chronyd from sendto access on the unix_dgram_socket /run/chrony/chronyc.783.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that chronyd should be allowed sendto access on the chronyc.783.sock unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'chronyd' --raw | audit2allow -M my-chronyd # semodule -X 300 -i my-chronyd.pp Additional Information: Source Context system_u:system_r:chronyd_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects /run/chrony/chronyc.783.sock [ unix_dgram_socket ] Source chronyd Source Path chronyd Port <Unknown> Host aaa.bbb.cc Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.24.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name aaa.bbb.cc Platform Linux aaa.bbb.cc 4.8.8-100.fc23.x86_64 #1 SMP Tue Nov 15 18:51:53 UTC 2016 x86_64 x86_64 Alert Count 122 First Seen 2016-06-24 12:18:28 MDT Last Seen 2016-11-27 13:09:58 MST Local ID 6375dca9-dd0b-4536-a352-58fc9d05f5fb Raw Audit Messages type=AVC msg=audit(1480277398.118:209): avc: denied { sendto } for pid=690 comm="chronyd" path="/run/chrony/chronyc.783.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1 Hash: chronyd,chronyd_t,unconfined_service_t,unix_dgram_socket,sendto Version-Release number of selected component (if applicable): selinux-policy-3.13.1-158.24.fc23 How reproducible: see "Alert Count"
If I remember correctly, this was fixed in chronyd. But I don't know if it was backported to F23
That was bug #1350815 and it wasn't fixed in F23 yet. We can certainly do that. I'll submit an update. *** This bug has been marked as a duplicate of bug 1350815 ***