Bug 1470150 - SELinux is preventing chronyd from sendto access on the unix_dgram_socket
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Keywords: Regression
Reported: 2017-07-12 09:01 EDT by RamaKasturi
Modified: 2017-08-17 08:28 EDT
Type: Bug

External Trackers:
Red Hat Knowledge Base (Solution) 3153701, last updated 2017-08-16 08:56 EDT
Description RamaKasturi 2017-07-12 09:01:17 EDT
Description of problem:
SELinux is preventing chronyd from sendto access on the unix_dgram_socket. I do not see any functionality impact.

#============= chronyd_t ==============

#!!!! The file '/run/chrony/chronyc.3781.sock' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/chrony/chronyc.3781.sock
allow chronyd_t unconfined_service_t:unix_dgram_socket sendto;

Following is seen in audit.log file:
=========================================
type=AVC msg=audit(1499843970.523:161): avc:  denied  { sendto } for  pid=1302 comm="chronyd" path="/run/chrony/chronyc.3936.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-165.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL7.4 RC candidate
2. Install HC 
3. Once installation is done, run the command 'cat /var/log/audit/audit.log | audit2allow' to check if there are any denials.

Actual results:
The following is seen in audit.log and in the output from step 3:

#============= chronyd_t ==============

#!!!! The file '/run/chrony/chronyc.3781.sock' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/chrony/chronyc.3781.sock
allow chronyd_t unconfined_service_t:unix_dgram_socket sendto;

Following is seen in audit.log file:
=========================================
type=AVC msg=audit(1499843970.523:161): avc:  denied  { sendto } for  pid=1302 comm="chronyd" path="/run/chrony/chronyc.3936.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket



Expected results:
No AVCs should be seen.

Additional info:
Comment 2 RamaKasturi 2017-07-12 09:05:14 EDT
I have copied the audit log to the location below:

http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/HC/1470150/
Comment 3 Zdenek Pytela 2017-08-16 08:21:35 EDT
A similar problem occurs when sosreport is run from cron:

----
type=PATH msg=audit(08/16/17 08:05:30.914:548) : item=0 name=/var/run/chrony/chronyc.4016.sock inode=85033 dev=00:13 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(08/16/17 08:05:30.914:548) :  cwd=/
type=SOCKADDR msg=audit(08/16/17 08:05:30.914:548) : saddr={ fam=local path=/var/run/chrony/chronyc.4016.sock }
type=SYSCALL msg=audit(08/16/17 08:05:30.914:548) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7ffc0ed14c20 a2=0x1a8 a3=0x0 items=1 ppid=1 pid=11183 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/16/17 08:05:30.914:548) : avc:  denied  { sendto } for  pid=11183 comm=chronyd path=/run/chrony/chronyc.4016.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
----

In RHEL up to 7.3 it worked as expected, so adding the Regression keyword.

Reproduced with the package from RHEL 7.4:
selinux-policy-3.13.1-166.el7.noarch
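Added example, not from this bug or from the selinux-policy project: a small triage script for AVC records like the ones quoted in the Description and in Comment 3. audit2allow flags the chronyc socket path as "mislabeled", but the PATH record in Comment 3 shows the socket file itself carries the expected chronyd_var_run_t label; the denied target in the AVC is the peer process's domain (unconfined_service_t, system_cronjob_t), which is why restorecon changes nothing and a policy update is what is missing. The script parses raw audit.log lines, pairs each AVC with the PATH record of the same event serial, and checks whether the target context has the object_r role (the only case in which a relabel could apply). The sample log is a constructed copy of the records quoted above; all function and field names are my own.

```python
"""Triage SELinux AVC denials: can restorecon help, or is a policy rule missing?"""
import re
from typing import Dict, List

# Constructed sample input: the AVC/PATH records quoted in this bug's Description
# and Comment 3, reproduced as text. Nothing here was captured from a live host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1499843970.523:161): avc:  denied  { sendto } for  pid=1302 comm="chronyd" path="/run/chrony/chronyc.3936.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket
type=PATH msg=audit(08/16/17 08:05:30.914:548) : item=0 name=/var/run/chrony/chronyc.4016.sock inode=85033 dev=00:13 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 objtype=NORMAL
type=AVC msg=audit(08/16/17 08:05:30.914:548) : avc:  denied  { sendto } for  pid=11183 comm=chronyd path=/run/chrony/chronyc.4016.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'k=v k="v v"' pairs; audit quotes comm/path only in some formats."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def split_context(ctx: str) -> Dict[str, str]:
    """Break user:role:type[:range] apart; an MLS range may itself contain ':'."""
    user, role, stype, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "range": rest[0] if rest else ""}


def parse_audit(text: str) -> List[Dict[str, object]]:
    """One record per line: record type, event serial and the key/value fields."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        m = SERIAL_RE.search(line)
        rec: Dict[str, object] = {
            "type": line.split()[0].split("=", 1)[1],
            "serial": m.group(1) if m else "",
        }
        if rec["type"] == "AVC":
            avc = AVC_RE.search(line)
            if not avc:
                continue
            rec["verdict"] = avc.group(1)
            rec["perms"] = avc.group(2).split()
            rec["fields"] = parse_kv(avc.group(3))
        else:
            rec["fields"] = parse_kv(line)
        records.append(rec)
    return records


def triage_denials(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """For each denied AVC, decide whether a relabel of the path could apply.

    Files and other filesystem objects carry the object_r role. A socket target
    whose context has a process role (system_r, unconfined_r, ...) is the peer
    process's domain, so restorecon on the path cannot change the verdict; the
    missing piece is then an allow rule in policy, which is what audit2allow prints.
    Serial numbers restart with the daemon, so pairing by serial assumes one log.
    """
    paths_by_serial = {r["serial"]: r["fields"] for r in records if r["type"] == "PATH"}
    out: List[Dict[str, object]] = []
    for r in records:
        if r["type"] != "AVC" or r["verdict"] != "denied":
            continue
        f = r["fields"]
        src, tgt = split_context(f["scontext"]), split_context(f["tcontext"])
        path_rec = paths_by_serial.get(r["serial"], {})
        file_label = split_context(path_rec["obj"])["type"] if "obj" in path_rec else None
        out.append({
            "serial": r["serial"],
            "comm": f.get("comm"),
            "source_type": src["type"],
            "target_type": tgt["type"],
            "target_role": tgt["role"],
            "tclass": f["tclass"],
            "perms": r["perms"],
            "path": f.get("path"),
            "path_file_label": file_label,          # label of the file at the path, if a PATH record exists
            "relabel_applies": tgt["role"] == "object_r",
            "audit2allow_rule": f"allow {src['type']} {tgt['type']}:{f['tclass']} {' '.join(r['perms'])};",
        })
    return out


def summarize(text: str) -> List[Dict[str, object]]:
    return triage_denials(parse_audit(text))


if __name__ == "__main__":
    for d in summarize(SAMPLE_AUDIT_LOG):
        verdict = ("relabel may help" if d["relabel_applies"]
                   else "target is a process domain; restorecon cannot help, policy rule needed")
        print(f"[{d['serial']}] {d['source_type']} -> {d['target_type']} "
              f"({d['tclass']} {' '.join(d['perms'])}); file label at path: "
              f"{d['path_file_label']}; {verdict}")
        print("    audit2allow would propose:", d["audit2allow_rule"])
```

Run against a real /var/log/audit/audit.log the script reports, per denial, whether the "mislabeled" hint from audit2allow is actionable; for both records on this page the target role is system_r, so the proposed allow rule (or an updated selinux-policy package) is the only fix, and the rule text printed matches the one audit2allow produced in the Description.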
