Description of problem: The latest chrony package supports NTS, which uses TCP port 4460 for the NTS key establishment (NTS-KE), and it also has reworked loading of NTP servers from DHCP using files in /run/chrony-dhcp. I'm seeing the following in the audit log:

type=AVC msg=audit(1598430902.278:277): avc: denied { name_bind } for pid=1380 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:278): avc: denied { listen } for pid=1380 comm="chronyd" lport=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:279): avc: denied { read } for pid=1380 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:280): avc: denied { open } for pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:281): avc: denied { getattr } for pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430903.170:283): avc: denied { name_connect } for pid=1380 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1

Version-Release number of selected component (if applicable):
chrony-4.0-0.8.pre3.fc33.x86_64
selinux-policy-3.14.6-24.fc33.noarch
I haven't found an IANA port assignment, so I suppose the name will be nts-ke. It also looks like only TCP is used. https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/ I've submitted a Fedora PR to create the new port label: https://github.com/fedora-selinux/selinux-policy/pull/438
The service is called "ntske": https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=ntske I made some pull requests for the NTS-KE part: https://github.com/fedora-selinux/selinux-policy/pull/437 https://github.com/fedora-selinux/selinux-policy-contrib/pull/335 Please feel free to ignore/close or modify as needed.
*** Bug 1883051 has been marked as a duplicate of this bug. ***
FEDORA-2020-a1e9ff2c00 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00
FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a1e9ff2c00` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The NTS-KE fixes seem to be good. Thanks. The DHCP-related AVCs are still there:

type=AVC msg=audit(1601548430.312:130): avc: denied { read } for pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc: denied { open } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc: denied { getattr } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
The remaining AVCs will be resolved in bz#1880948 - the runtime files now have the initrc_var_run_t type, different from the one originally reported.
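The two sets of AVC records in this bug (the original report and the follow-up after the NTS-KE fix) illustrate two different kinds of policy gap: a port with only the generic unreserved_port_t label, and runtime files whose type (var_run_t, later initrc_var_run_t) the chronyd_t domain may not read. The following script is an added example, not part of the bug report or of chrony or selinux-policy: it parses raw audit records, groups the denied permissions by source type, target type and object class, and tags each denial as a port-label or file-label problem so a triager can see at a glance which records a port-label fix would resolve and which remain. The embedded sample input is constructed from the records quoted above.

```python
"""Triage SELinux AVC denials by grouping them per (source type, target type, class)."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug report, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1598430902.278:277): avc: denied { name_bind } for pid=1380 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:278): avc: denied { listen } for pid=1380 comm="chronyd" lport=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:279): avc: denied { read } for pid=1380 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:280): avc: denied { open } for pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:281): avc: denied { getattr } for pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430903.170:283): avc: denied { name_connect } for pid=1380 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1601548430.312:130): avc: denied { read } for pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc: denied { open } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc: denied { getattr } for pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
"""

# Header of an AVC record; whitespace is flexible because audit.log uses double spaces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic port types: a denial against these means the port has no dedicated label.
GENERIC_PORT_TYPES = {"unreserved_port_t", "reserved_port_t", "port_t", "ephemeral_port_t"}


def parse_avc(line):
    """Parse one audit line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    return rec


def parse_log(text):
    """Parse every AVC record in a block of audit.log text, skipping other record types."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def selinux_type(context):
    """Extract the type field: system_u:object_r:var_run_t:s0 -> var_run_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (selinux_type(r["scontext"]), selinux_type(r["tcontext"]), r["tclass"])
        groups[key].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def classify(record):
    """Tag a denial: ('port-label', port), ('file-label', type) or ('other', tclass)."""
    ttype = selinux_type(record["tcontext"])
    tclass = record["tclass"]
    if tclass in ("tcp_socket", "udp_socket") and ttype.endswith("_port_t"):
        port = record.get("src") or record.get("dest") or record.get("lport")
        return ("port-label", port)
    if tclass in ("file", "dir", "lnk_file"):
        return ("file-label", ttype)
    return ("other", tclass)


def is_enforced(record):
    """permissive=1 means the denial was logged but not blocked."""
    return record.get("permissive") != "1"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), perms in summarize(recs).items():
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
    for r in recs:
        kind, detail = classify(r)
        mode = "enforced" if is_enforced(r) else "permissive"
        print(f"#{r['serial']}: {kind} {detail} [{mode}]")
```

The grouped view reproduces the thread's conclusion: the tcp_socket denials against unreserved_port_t (name_bind, name_connect on 4460) and the listen denial on chronyd_t's own socket are the NTS-KE part that a dedicated port label plus allow rules fix, while the file denials against var_run_t and later initrc_var_run_t are a separate labelling issue and persist after the port fix. All records here carry permissive=1, so they were logged but not blocked; in enforcing mode the same denials would break chronyd's NTS-KE listener and its DHCP source loading.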