Bug 1764485 - SELinux is preventing /usr/bin/bash from add_name access on the directory ntp.conf.predhclient.ens3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: nknazeko
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1764912 1775881 1775895
Depends On:
Blocks:
 
Reported: 2019-10-23 06:57 UTC by Lukas Slebodnik
Modified: 2020-01-21 01:38 UTC (History)

Fixed In Version: selinux-policy-3.14.4-44.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-21 01:38:31 UTC
Type: Bug



Description Lukas Slebodnik 2019-10-23 06:57:58 UTC
SELinux is preventing /usr/bin/bash from add_name access on the directory ntp.conf.predhclient.ens3.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed add_name access on the ntp.conf.predhclient.ens3 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp


Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dhcpc_state_t:s0
Target Objects                ntp.conf.predhclient.ens3 [ dir ]
Source                        11-dhclient
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          host.testrelm.test
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-10.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.testrelm.test
Platform                      Linux host.testrelm.test
                              5.4.0-0.rc4.git1.1.fc32.x86_64 #1 SMP Tue Oct 22
                              14:11:41 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-10-23 08:55:24 CEST
Last Seen                     2019-10-23 08:55:24 CEST
Local ID                      c78682ec-41b0-432d-9c70-f38fdd87e944

Raw Audit Messages
type=AVC msg=audit(1571813724.245:587): avc:  denied  { add_name } for  pid=32883 comm="touch" name="ntp.conf.predhclient.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0


Hash: 11-dhclient,NetworkManager_t,dhcpc_state_t,dir,add_name

Comment 1 Lukas Slebodnik 2019-10-23 06:58:48 UTC
Other AVCs in enforcing mode

type=PROCTITLE msg=audit(10/23/2019 08:55:24.152:582) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up 
type=PATH msg=audit(10/23/2019 08:55:24.152:582) : item=0 name=/var/lib/dhclient/ inode=17183586 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:55:24.152:582) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:55:24.152:582) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563172747a60 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=1 ppid=32850 pid=32868 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:55:24.152:582) : avc:  denied  { add_name } for  pid=32868 comm=11-dhclient name=chrony.servers.ens3 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(10/23/2019 08:55:24.161:583) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up 
type=PATH msg=audit(10/23/2019 08:55:24.161:583) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:55:24.161:583) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:55:24.161:583) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x5631727476c0 a2=0x5631727471d0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:55:24.161:583) : avc:  denied  { execute } for  pid=32870 comm=11-dhclient name=chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(10/23/2019 08:55:24.163:584) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up 
type=PATH msg=audit(10/23/2019 08:55:24.163:584) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:55:24.163:584) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:55:24.163:584) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x7ffeea0f5ef0 a2=0x7ffeea0f5ef0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:55:24.163:584) : avc:  denied  { getattr } for  pid=32870 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(10/23/2019 08:55:24.164:585) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up 
type=PATH msg=audit(10/23/2019 08:55:24.164:585) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:55:24.164:585) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:55:24.164:585) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x7ffeea0f5ed0 a2=0x7ffeea0f5ed0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:55:24.164:585) : avc:  denied  { getattr } for  pid=32870 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(10/23/2019 08:55:24.245:587) : proctitle=touch /var/lib/dhclient/ntp.conf.predhclient.ens3 
type=PATH msg=audit(10/23/2019 08:55:24.245:587) : item=0 name=/var/lib/dhclient/ inode=17183586 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:55:24.245:587) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:55:24.245:587) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd33702430 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=1 ppid=32868 pid=32883 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=touch exe=/usr/bin/touch subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:55:24.245:587) : avc:  denied  { add_name } for  pid=32883 comm=touch name=ntp.conf.predhclient.ens3 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0

Comment 2 Lukas Slebodnik 2019-10-23 06:59:48 UTC
AVCs in permissive mode

type=PROCTITLE msg=audit(10/23/2019 08:59:17.473:601) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon 
type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=25167897 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=1 name=/usr/bin/bash inode=16799767 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:59:17.473:601) : cwd=/ 
type=EXECVE msg=audit(10/23/2019 08:59:17.473:601) : argc=3 a0=/usr/bin/bash a1=/usr/libexec/chrony-helper a2=update-daemon 
type=SYSCALL msg=audit(10/23/2019 08:59:17.473:601) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5623e8ed36d0 a1=0x5623e8ed3450 a2=0x5623e8ed2f70 a3=0x8 items=3 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc:  denied  { execute_no_trans } for  pid=32954 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc:  denied  { read open } for  pid=32954 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc:  denied  { execute } for  pid=32954 comm=11-dhclient name=chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(10/23/2019 08:59:17.487:602) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon 
type=PATH msg=audit(10/23/2019 08:59:17.487:602) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/23/2019 08:59:17.487:602) : cwd=/ 
type=SYSCALL msg=audit(10/23/2019 08:59:17.487:602) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x558b5c41c350 a1=0x7ffffd7b16c0 a2=0x7ffffd7b16c0 a3=0x30 items=1 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:59:17.487:602) : avc:  denied  { getattr } for  pid=32954 comm=chrony-helper path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(10/23/2019 08:59:17.488:603) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon 
type=SYSCALL msg=audit(10/23/2019 08:59:17.488:603) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffffd7b16d0 a3=0x30 items=0 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(10/23/2019 08:59:17.488:603) : avc:  denied  { ioctl } for  pid=32954 comm=chrony-helper path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1

Comment 3 Lukas Slebodnik 2019-10-23 07:03:56 UTC
It seems to be caused by dhcp-client-4.4.1-17.fc32, but some commits were reverted in dist-git:
https://src.fedoraproject.org/rpms/dhcp/c/6f96789cfe4177cc5d6cc8ff23f3edd41350fe3a?branch=master
https://src.fedoraproject.org/rpms/dhcp/c/9c49c9e94d25898850cc98ae8afe6ebb2ec5bdb3?branch=master

Moving to dhcp for investigation.

Comment 4 Lukas Slebodnik 2019-10-23 07:04:53 UTC
Move back to selinux-policy if it has to be allowed.

Comment 5 Lukas Slebodnik 2019-10-23 07:08:20 UTC
I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64

Comment 6 Pavel Zhukov 2019-10-23 08:38:38 UTC
(In reply to Lukas Slebodnik from comment #5)
> I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64

Disabling of the NM scripts just hid this AVC error. Nothing has been changed on the dhcp side.

Comment 7 Lukas Slebodnik 2019-10-23 11:01:48 UTC
(In reply to Pavel Zhukov from comment #6)
> (In reply to Lukas Slebodnik from comment #5)
> > I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64
> 
> Disabling of the NM scripts just hid this AVC error. Nothing has been
> changed on dhcp side

Does it mean it shall be allowed?
If yes, could you change the component?

Comment 8 Pavel Zhukov 2019-10-23 11:11:06 UTC
(In reply to Lukas Slebodnik from comment #7)
> (In reply to Pavel Zhukov from comment #6)
> > (In reply to Lukas Slebodnik from comment #5)
> > > I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64
> > 
> > Disabling of the NM scripts just hid this AVC error. Nothing has been
> > changed on dhcp side
> 
> Does it mean it shall be allowed?
> If yes  could you change component?

Now I got confused by your comments #3 and #4...

Comment 9 Lukas Slebodnik 2019-10-23 12:16:23 UTC
(In reply to Lukas Slebodnik from comment #3)
> It seems to be caused by dhcp-client-4.4.1-17.fc32
> But some commits were reverted in dist-git
> https://src.fedoraproject.org/rpms/dhcp/c/6f96789cfe4177cc5d6cc8ff23f3edd41350fe3a?branch=master
> https://src.fedoraproject.org/rpms/dhcp/c/9c49c9e94d25898850cc98ae8afe6ebb2ec5bdb3?branch=master
> 
> Moving to dhcp for investigation.

I forgot to check in koji whether these commits were part of dhcp-client-12:4.4.1-17.
I checked only dist-git.

Sorry for the confusion.

Comment 10 Lukas Slebodnik 2019-10-24 11:27:35 UTC
Actually there are more AVCs in permissive mode: one set when restarting NetworkManager and another one when restarting chrony.

selinux-policy-3.14.5-10.fc32.noarch
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.818:92): avc:  denied  { add_name } for  pid=704 comm="11-dhclient" name="chrony.servers.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.818:93): avc:  denied  { create } for  pid=704 comm="11-dhclient" name="chrony.servers.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.818:94): avc:  denied  { append } for  pid=704 comm="11-dhclient" path="/var/lib/dhclient/chrony.servers.ens3" dev="dm-0" ino=2230992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.820:95): avc:  denied  { execute } for  pid=706 comm="11-dhclient" name="chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.820:96): avc:  denied  { read open } for  pid=706 comm="11-dhclient" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.821:97): avc:  denied  { execute_no_trans } for  pid=706 comm="11-dhclient" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.825:98): avc:  denied  { getattr } for  pid=706 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 06:50:49 2019
type=AVC msg=audit(1571914249.825:99): avc:  denied  { ioctl } for  pid=706 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 ioctlcmd=0x5401 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1


time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.535:256): avc:  denied  { read } for  pid=24312 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=20422 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.539:257): avc:  denied  { write } for  pid=24312 comm="chrony-helper" name="lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.539:258): avc:  denied  { open } for  pid=24312 comm="chrony-helper" path="/run/chrony-helper/lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.541:259): avc:  denied  { lock } for  pid=24315 comm="flock" path="/run/chrony-helper/lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.560:260): avc:  denied  { read } for  pid=24327 comm="cat" name="added_servers" dev="tmpfs" ino=20450 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
----
time->Thu Oct 24 02:58:03 2019
type=AVC msg=audit(1571900283.561:261): avc:  denied  { getattr } for  pid=24327 comm="cat" path="/run/chrony-helper/added_servers" dev="tmpfs" ino=20450 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
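
As an added example (not part of this bug report or of any Fedora tooling), a small Python triage script that parses AVC records like the ones quoted above, in both the raw audit.log form and the `ausearch -i` interpreted form, groups them the way audit2allow does, and marks which groups were actually blocked in enforcing mode. The sample lines are copied from this bug; everything else is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the bug report above (raw form,
# `ausearch -i` form, permissive-mode records) plus one non-AVC record to skip.
SAMPLE_AUDIT_LINES = """\
type=AVC msg=audit(1571813724.245:587): avc:  denied  { add_name } for  pid=32883 comm="touch" name="ntp.conf.predhclient.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/23/2019 08:55:24.161:583) : avc:  denied  { execute } for  pid=32870 comm=11-dhclient name=chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571914249.820:96): avc:  denied  { read open } for  pid=706 comm="11-dhclient" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1571900283.541:259): avc:  denied  { lock } for  pid=24315 comm="flock" path="/run/chrony-helper/lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1571813724.245:587): arch=c000003e syscall=257 success=no exit=-13 comm="touch"
"""

# Fields every AVC record carries. Values are double-quoted in raw audit.log
# output and unquoted after `ausearch -i`, so KV_RE accepts both.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
KV_RE = re.compile(r'\b(?P<key>comm|name|path)=(?P<q>"?)(?P<val>.*?)(?P=q)(?=\s|$)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("decision", "scontext", "tcontext", "tclass")}
    rec["perms"] = tuple(m.group("perms").split())
    # permissive=1 means the access was only logged, not blocked.
    rec["enforced"] = m.group("permissive") != "1"
    # The type is the third field of user:role:type[:level].
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    for kv in KV_RE.finditer(line):
        rec[kv.group("key")] = kv.group("val")
    return rec


def summarize(lines):
    """Group denials by (source domain, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["enforced"] |= rec["enforced"]       # any blocked hit marks the group
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def as_allow_rules(groups):
    """Render the rules audit2allow would propose, annotated with mode and comm,
    so a reviewer can decide between a blanket allow and a relabel as in the fix."""
    out = []
    for (sdom, ttype, tclass), g in sorted(groups.items()):
        mode = "enforcing" if g["enforced"] else "permissive only"
        out.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }};"
                   f"  # {mode}; comm={','.join(sorted(g['comms']))}")
    return out
```

Running `as_allow_rules(summarize(SAMPLE_AUDIT_LINES.splitlines()))` shows that every NetworkManager_t denial comes from the dispatcher script or its children, which is the clue behind the eventual relabel of the dispatcher directory rather than a pile of allow rules.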

Comment 11 Lukas Vrabec 2019-10-24 14:30:19 UTC
*** Bug 1764912 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Slebodnik 2019-11-11 12:09:59 UTC
I can see the same problem on f31 now.

Comment 13 Cenk Kulacoglu 2019-11-21 18:15:15 UTC
Similar issue in https://bugzilla.redhat.com/show_bug.cgi?id=1770698

When dhclient gets NTP server information in DHCP options, it runs /etc/dhcp/dhclient.d/chrony.sh, which tries to create the file /usr/lib/dhclient/chrony.servers.$interface with the new NTP server information, and then SELinux prevents it from doing so.

If you set PEERNTP=NO in /etc/sysconfig/networks and restart NetworkManager, the issue goes away (but then you do not get automated updates of the NTP server information in chrony).

Comment 14 Zdenek Pytela 2019-11-25 08:26:45 UTC
*** Bug 1775881 has been marked as a duplicate of this bug. ***

Comment 15 Zdenek Pytela 2019-11-25 08:45:32 UTC
*** Bug 1775895 has been marked as a duplicate of this bug. ***

Comment 16 Lukas Vrabec 2019-11-25 17:29:03 UTC
commit 11a7e057817f2945bd5302370e3dd3f9866a0bd4 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Nov 22 23:14:46 2019 +0100

    Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
    
    With NetworkManager 1.20 the dispatcher scripts are moved out of /etc to /usr/lib.
    https://src.fedoraproject.org/rpms/dhcp/c/b25b19a69ea76e9d11b188a153b4d7214e36b017?branch=master
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1764485

Comment 17 Fedora Update System 2020-01-14 01:43:22 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7

Comment 18 Fedora Update System 2020-01-21 01:38:31 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

