Bug 1669839 - SELinux denials for chrony during FreeIPA server upgrade
Summary: SELinux denials for chrony during FreeIPA server upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 29
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: openqa
Depends On:
Blocks:
 
Reported: 2019-01-27 13:51 UTC by Adam Williamson
Modified: 2019-05-24 21:49 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-24 21:49:29 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-01-27 13:51:15 UTC
There's an openQA test which tests upgrading a FreeIPA server from one release to another. When it does this for Fedora 28 to Fedora 29, three SELinux denials for chrony occur while the freeipa-server scriptlets are running during the upgrade. Here they are:

----
time->Wed Jan 23 11:03:36 2019
type=AVC msg=audit(1548259416.477:287): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed Jan 23 11:03:37 2019
type=AVC msg=audit(1548259417.479:288): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed Jan 23 11:03:39 2019
type=AVC msg=audit(1548259419.480:289): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0

After adjusting for timezones, I'm pretty sure they happen during this seven minute gap in the upgrade logs, which is where the freeipa-server %post script is running:

2019-01-23T16:03:30Z INFO Installed: freeipa-server-4.7.2-1.fc28.x86_64
2019-01-23T16:03:30Z INFO Installed: freeipa-server-dns-4.7.2-1.fc28.noarch
2019-01-23T16:03:30Z INFO Installed: freeipa-server-trust-ad-4.7.2-1.fc28.x86_64
2019-01-23T16:10:53Z INFO --- logging initialized ---

I don't see any obvious terrible consequences of this, but it seems worth fixing.

Comment 1 Lukas Vrabec 2019-02-21 12:40:56 UTC
commit f9e7e9d66adcfa49e62a196d14dd7c41ed07fa7b (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 21 13:40:34 2019 +0100

    Allow chronyd_t domain to send data over dgram socket

Comment 2 Adam Williamson 2019-02-21 19:47:33 UTC
Note: we need this fixed for 29 and 30 too, not just Rawhide...

Comment 3 Lukas Vrabec 2019-02-22 12:51:45 UTC
Will be part also of builds for Fedora 29 and Fedora 30 and Rawhide.

Comment 4 Fedora Update System 2019-03-12 18:37:37 UTC
selinux-policy-3.14.2-51.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb

Comment 5 Fedora Update System 2019-03-12 23:41:23 UTC
selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb

Comment 6 Fedora Update System 2019-03-15 18:29:16 UTC
selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Adam Williamson 2019-05-09 00:28:15 UTC
It doesn't seem like this really got fixed in F29. We still get these denials in current tests, e.g. here is the latest:

https://openqa.fedoraproject.org/tests/397822
https://openqa.fedoraproject.org/tests/397822/file/_console_avc_crash-avcs.txt

Still shows these AVCs:

----
time->Wed May  8 11:50:14 2019
type=AVC msg=audit(1557330614.249:284): avc:  denied  { sendto } for  pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed May  8 11:50:15 2019
type=AVC msg=audit(1557330615.250:285): avc:  denied  { sendto } for  pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed May  8 11:50:17 2019
type=AVC msg=audit(1557330617.252:286): avc:  denied  { sendto } for  pid=6178 comm="chronyd" path="/run/chrony/chronyc.6183.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0

Comment 8 Adam Williamson 2019-05-09 00:34:12 UTC
I suppose it may be that the fix is needed in F28 policy (since we're testing an F28 to F29 upgrade here), and we never sent it to F28 branch?

Comment 9 Lukas Vrabec 2019-05-15 13:07:15 UTC
Hi Adam,

You're right, I backported these changes to F28.

commit 1d0bdb608b131a45ae410bc5f1c0ae77118190fa (HEAD -> f28, origin/f28)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 21 13:40:34 2019 +0100

    Allow chronyd_t domain to send data over dgram socket
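
Worked example (added here; it is not code from the bug report or from the selinux-policy project): a short Python script that does for the AVC records quoted in the description what `audit2allow` does for plain type-enforcement rules, and then checks the derived rule against `sesearch -A` output to answer the question raised in comments 8 and 9, namely whether the policy actually loaded while the freeipa-server %post scriptlet runs already carries the rule. The exact rule text (`allow chronyd_t rolekit_t:unix_dgram_socket sendto;`) and the sesearch output layout it parses (`allow src tgt:class perms;`, unconditional rules only) are assumptions; the page quotes only the commit subject, not the rule. Reading the records themselves: chronyd (pid 6123) is denied `sendto` on `/run/chrony/chronyc.6128.sock`, the per-client reply socket that a chronyc process creates under its own pid, and that socket carries the rolekit_t label of the process that created it; `permissive=0` means the send was really blocked, so that chronyc client got no reply.

```python
"""Derive the allow rule implied by SELinux AVC denials and check it against
sesearch output. Added example, not from the bug report or selinux-policy.
Handles plain 'allow' rules only (no booleans, constraints or dontaudit)."""
import re
from collections import OrderedDict

# Sample input: the three denials from the bug description, in the
# `ausearch -m AVC` layout (time-> header lines and ---- separators).
SAMPLE_AVCS = """\
----
time->Wed Jan 23 11:03:36 2019
type=AVC msg=audit(1548259416.477:287): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed Jan 23 11:03:37 2019
type=AVC msg=audit(1548259417.479:288): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
----
time->Wed Jan 23 11:03:39 2019
type=AVC msg=audit(1548259419.480:289): avc:  denied  { sendto } for  pid=6123 comm="chronyd" path="/run/chrony/chronyc.6128.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=unix_dgram_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed `sesearch -A` line shape: allow S T:C perm;  or  allow S T:C { p1 p2 };
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));")


def parse_avc(line):
    """Security-relevant fields of one AVC record; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:level]; TE rules key on the type.
    type_of = lambda ctx: ctx.split(":")[2]
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": kv.get("comm"),
        "pid": int(kv["pid"]) if "pid" in kv else None,
        "stype": type_of(kv["scontext"]),
        "ttype": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",  # 0 means the access was really blocked
    }


def format_rule(stype, ttype, tclass, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def wanted_rules(audit_text):
    """Collapse repeated denials into {(source, target, class): perms}."""
    wanted = OrderedDict()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    return wanted


def derive_allow_rules(audit_text):
    """The audit2allow-style rules these denials call for, first-seen order."""
    return [format_rule(*k, p) for k, p in wanted_rules(audit_text).items()]


def sesearch_command(stype, ttype, tclass):
    """Query to run on the box to see what the loaded policy already allows."""
    return f"sesearch -A -s {stype} -t {ttype} -c {tclass}"


def parse_allow_rules(sesearch_text):
    have = {}
    for line in sesearch_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        s, t, c, braced, single = m.groups()
        have.setdefault((s, t, c), set()).update(braced.split() if braced is not None else [single])
    return have


def missing_rules(audit_text, sesearch_text):
    """Rules the denials need that the loaded policy does not grant. An empty
    result with fresh denials means an older policy was in force at the time,
    e.g. the F28 policy still loaded while F29 packages' scriptlets run."""
    have = parse_allow_rules(sesearch_text)
    out = []
    for key, perms in wanted_rules(audit_text).items():
        lacking = perms - have.get(key, set())
        if lacking:
            out.append(format_rule(*key, lacking))
    return out


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AVCS):
        print(rule)
    print(sesearch_command("chronyd_t", "rolekit_t", "unix_dgram_socket"))
```

On a real host the input would come from `ausearch -m AVC -ts recent` and the policy query from the printed `sesearch` command; feeding that output to `missing_rules` distinguishes "the rule is absent from the loaded policy" from "the denials predate the policy update", which is the distinction comment 8 draws for the F28 branch.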

Comment 10 Fedora Update System 2019-05-18 11:05:31 UTC
selinux-policy-3.14.2-59.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619

Comment 11 Fedora Update System 2019-05-19 10:49:52 UTC
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619

Comment 12 Fedora Update System 2019-05-24 21:49:29 UTC
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
