Bug 1530525 - chronyc can't write keys to /etc/chrony.keys
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2018-01-03 04:22 EST by Miroslav Lichvar
Modified: 2018-04-10 08:48 EDT
Last Closed: 2018-04-10 08:47:26 EDT
Type: Bug

External Trackers:
Red Hat Product Errata RHBA-2018:0763 (last updated 2018-04-10 08:48 EDT)
Description Miroslav Lichvar 2018-01-03 04:22:20 EST
Description of problem:
When using the chronyc keygen command to add a symmetric key to the keys file, no key is actually added to the file. It seems the writes to stdout are blocked by a SELinux rule. I'm not sure if this is intentional or not.

# chronyc keygen 1111 SHA1 >> /etc/chrony.keys

type=AVC msg=audit(1514970600.249:9791): avc:  denied  { append } for  pid=25439 comm="chronyc" path="/etc/chrony.keys" dev="dm-0" ino=67355218 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file

Trying to create a new file doesn't work either.

# chronyc keygen 1111 SHA1 > /etc/chrony.keys

type=AVC msg=audit(1514971011.949:9792): avc:  denied  { write } for  pid=25801 comm="chronyc" path="/etc/chrony.keys" dev="dm-0" ino=67355218 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file

When the output is piped to cat, it works.

# chronyc keygen 1111 SHA1 | cat >> /etc/chrony.keys


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-183.el7.noarch
chrony-3.2-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. run "chronyc keygen 1111 SHA1 >> /etc/chrony.keys"
2. check if a key was appended to the file

Actual results:
No such key in the keys file

Expected results:
Added key

Additional info:
Comment 2 Milos Malik 2018-01-03 04:35:26 EST
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/03/2018 04:30:51.909:319) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:30:51.909:319) : arch=ppc64le syscall=execve success=yes exit=0 a0=0x1003120b4f0 a1=0x10031216720 a2=0x1003120f650 a3=0x0 items=0 ppid=12839 pid=55963 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:30:51.909:319) : avc:  denied  { append } for  pid=55963 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(01/03/2018 04:31:38.890:320) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:31:38.890:320) : arch=ppc64le syscall=execve success=yes exit=0 a0=0x1003120b630 a1=0x1003120de50 a2=0x1003120f650 a3=0x0 items=0 ppid=12839 pid=56015 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:31:38.890:320) : avc:  denied  { write } for  pid=56015 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/03/2018 04:33:03.682:323) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:33:03.682:323) : arch=ppc64le syscall=execve success=yes exit=0 a0=0x10031210bc0 a1=0x1003120b650 a2=0x1003120f650 a3=0x0 items=0 ppid=12839 pid=56103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:33:03.682:323) : avc:  denied  { append } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(01/03/2018 04:33:03.682:324) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:33:03.682:324) : arch=ppc64le syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x1 a1=0x402c7413 a2=0x3fffd40a1720 a3=0x13111a1217000000 items=0 ppid=12839 pid=56103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:33:03.682:324) : avc:  denied  { ioctl } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(01/03/2018 04:33:03.682:325) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:33:03.682:325) : arch=ppc64le syscall=fstat success=yes exit=0 a0=0x1 a1=0x3fffd409fbc0 a2=0x3fffd409fbc0 a3=0x0 items=0 ppid=12839 pid=56103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:33:03.682:325) : avc:  denied  { getattr } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(01/03/2018 04:33:18.542:326) : proctitle=chronyc keygen 1111 SHA1 
type=SYSCALL msg=audit(01/03/2018 04:33:18.542:326) : arch=ppc64le syscall=execve success=yes exit=0 a0=0x1003122e350 a1=0x10031210c80 a2=0x1003120f650 a3=0x0 items=0 ppid=12839 pid=56122 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2018 04:33:18.542:326) : avc:  denied  { write } for  pid=56122 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file 
----
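The denials in the description and in comment 2 show why permissive mode is the right place to collect the full picture: in enforcing mode chronyc is stopped at the first denied permission (append or write, depending on the redirection), while permissive mode records everything the command would have done to the file (append, ioctl, getattr, write). The following Python script is an added example, not part of this bug report, chrony or selinux-policy. It parses AVC records in both forms shown above (the raw form with quoted values from the description and the interpreted `ausearch -i` form from comment 2), groups the denied permissions by source type, target type and object class, and renders them in the allow-rule syntax that audit2allow prints. The sample records are the ones quoted in this report; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Sample audit records copied from the bug report: the raw form from the
# description and the interpreted form from comment 2. The PROCTITLE record
# is included to show that non-AVC records are skipped.
ENFORCING_LINES = [
    'type=AVC msg=audit(1514970600.249:9791): avc:  denied  { append } for  pid=25439 comm="chronyc" path="/etc/chrony.keys" dev="dm-0" ino=67355218 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
    'type=PROCTITLE msg=audit(01/03/2018 04:31:38.890:320) : proctitle=chronyc keygen 1111 SHA1',
    'type=AVC msg=audit(01/03/2018 04:31:38.890:320) : avc:  denied  { write } for  pid=56015 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
]
PERMISSIVE_LINES = [
    'type=AVC msg=audit(01/03/2018 04:33:03.682:323) : avc:  denied  { append } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
    'type=AVC msg=audit(01/03/2018 04:33:03.682:324) : avc:  denied  { ioctl } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
    'type=AVC msg=audit(01/03/2018 04:33:03.682:325) : avc:  denied  { getattr } for  pid=56103 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
    'type=AVC msg=audit(01/03/2018 04:33:18.542:326) : avc:  denied  { write } for  pid=56122 comm=chronyc path=/etc/chrony.keys dev="dm-0" ino=67954137 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file',
]

# "avc:  denied  { perm perm } for  key=value ..." (denied permissions, then fields)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
# key=value pairs; values are either double-quoted (raw form) or bare (interpreted form)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one audit record. Returns None unless the record is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'stype': selinux_type(fields.get('scontext', '')),
        'ttype': selinux_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def allow_rules(summary):
    """Render each group in the allow-rule syntax audit2allow prints.

    Whether such a rule belongs in the policy is a separate decision; here the
    question is whether chronyc_t is meant to write files labelled chronyd_keys_t.
    """
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};'
            for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    for mode, lines in (('enforcing', ENFORCING_LINES), ('permissive', PERMISSIVE_LINES)):
        print(mode)
        for rule in allow_rules(summarize(lines)):
            print(' ', rule)
```

Run against the enforcing-mode records the script reports only `{ append write }`; the permissive-mode records yield `{ append getattr ioctl write }`, the complete set a policy change would have to cover. The `| cat` workaround in the description works because the shell opens the redirection target for `cat`, which runs in the caller's unconfined domain rather than in chronyc_t. The report does not say what the policy change shipped in RHBA-2018:0763 was.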
Comment 9 errata-xmlrpc 2018-04-10 08:47:26 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
