Bug 1872624 - selinux issues with latest chrony
Summary: selinux issues with latest chrony
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1883051 (view as bug list)
Depends On:
Blocks: 1834855
TreeView+ depends on / blocked
 
Reported: 2020-08-26 08:42 UTC by Miroslav Lichvar
Modified: 2020-10-02 06:59 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.6-28.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-02 00:35:09 UTC
Type: Bug


Attachments (Terms of Use)

Description Miroslav Lichvar 2020-08-26 08:42:22 UTC
Description of problem:
The latest chrony package supports NTS, which uses TCP port 4460 for the NTS key establishment (NTS-KE), and it also has reworked loading of NTP servers from DHCP using files in /run/chrony-dhcp.

I'm seeing the following in the audit log:

type=AVC msg=audit(1598430902.278:277): avc:  denied  { name_bind } for  pid=1380 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:278): avc:  denied  { listen } for  pid=1380 comm="chronyd" lport=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:279): avc:  denied  { read } for  pid=1380 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:280): avc:  denied  { open } for  pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:281): avc:  denied  { getattr } for  pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430903.170:283): avc:  denied  { name_connect } for  pid=1380 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1


Version-Release number of selected component (if applicable):
chrony-4.0-0.8.pre3.fc33.x86_64                                                                     
selinux-policy-3.14.6-24.fc33.noarch

Comment 1 Zdenek Pytela 2020-09-21 11:31:47 UTC
I haven't found IANA port assignment so I suppose the name will be nts-ke. It also looks only tcp is used.
https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/


I've submitted a Fedora PR to create the new port label:
https://github.com/fedora-selinux/selinux-policy/pull/438

Comment 2 Miroslav Lichvar 2020-09-21 11:38:16 UTC
The service is called "ntske"

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=ntske

I made some pull requests for the NTS-KE part:
https://github.com/fedora-selinux/selinux-policy/pull/437
https://github.com/fedora-selinux/selinux-policy-contrib/pull/335

Please feel free to ignore/close, or modify as needed.

Comment 3 Zdenek Pytela 2020-09-29 04:39:01 UTC
*** Bug 1883051 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2020-09-30 13:52:27 UTC
FEDORA-2020-a1e9ff2c00 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00

Comment 5 Fedora Update System 2020-10-01 01:18:41 UTC
FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a1e9ff2c00`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Miroslav Lichvar 2020-10-01 11:18:30 UTC
The NTS-KE fixes seem to be good. Thanks.

The DHCP-related AVCs are still there:

type=AVC msg=audit(1601548430.312:130): avc:  denied  { read } for  pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc:  denied  { open } for  pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc:  denied  { getattr } for  pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1

Comment 7 Fedora Update System 2020-10-02 00:35:09 UTC
FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Zdenek Pytela 2020-10-02 06:59:57 UTC
The remaining AVCs will be resolved in bz#1880948 - now the runtime files also have the initrc_var_run_t type, different to the original one reported.


Note You need to log in before you can comment on or make changes to this bug.