1872624 – selinux issues with latest chrony

Bug 1872624 - selinux issues with latest chrony

Summary: selinux issues with latest chrony

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	33
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1883051 (view as bug list)
Depends On:
Blocks:	1834855
TreeView+	depends on / blocked

Reported:	2020-08-26 08:42 UTC by Miroslav Lichvar
Modified:	2020-10-02 06:59 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.14.6-28.fc33
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-02 00:35:09 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Miroslav Lichvar 2020-08-26 08:42:22 UTC

Description of problem:
The latest chrony package supports NTS, which uses TCP port 4460 for the NTS key establishment (NTS-KE), and it also has reworked loading of NTP servers from DHCP using files in /run/chrony-dhcp.

I'm seeing the following in the audit log:

type=AVC msg=audit(1598430902.278:277): avc:  denied  { name_bind } for  pid=1380 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:278): avc:  denied  { listen } for  pid=1380 comm="chronyd" lport=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1598430902.278:279): avc:  denied  { read } for  pid=1380 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:280): avc:  denied  { open } for  pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430902.278:281): avc:  denied  { getattr } for  pid=1380 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=24100 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598430903.170:283): avc:  denied  { name_connect } for  pid=1380 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1


Version-Release number of selected component (if applicable):
chrony-4.0-0.8.pre3.fc33.x86_64                                                                     
selinux-policy-3.14.6-24.fc33.noarch

Comment 1 Zdenek Pytela 2020-09-21 11:31:47 UTC

I haven't found IANA port assignment so I suppose the name will be nts-ke. It also looks only tcp is used.
https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/


I've submitted a Fedora PR to create the new port label:
https://github.com/fedora-selinux/selinux-policy/pull/438

Comment 2 Miroslav Lichvar 2020-09-21 11:38:16 UTC

The service is called "ntske"

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=ntske

I made some pull requests for the NTS-KE part:
https://github.com/fedora-selinux/selinux-policy/pull/437
https://github.com/fedora-selinux/selinux-policy-contrib/pull/335

Please feel free to ignore/close, or modify as needed.

Comment 3 Zdenek Pytela 2020-09-29 04:39:01 UTC

*** Bug 1883051 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2020-09-30 13:52:27 UTC

FEDORA-2020-a1e9ff2c00 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00

Comment 5 Fedora Update System 2020-10-01 01:18:41 UTC

FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a1e9ff2c00`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1e9ff2c00

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Miroslav Lichvar 2020-10-01 11:18:30 UTC

The NTS-KE fixes seem to be good. Thanks.

The DHCP-related AVCs are still there:

type=AVC msg=audit(1601548430.312:130): avc:  denied  { read } for  pid=470 comm="chronyd" name="enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:131): avc:  denied  { open } for  pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601548430.312:132): avc:  denied  { getattr } for  pid=470 comm="chronyd" path="/run/chrony-dhcp/enp0s3.sources" dev="tmpfs" ino=22040 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1

Comment 7 Fedora Update System 2020-10-02 00:35:09 UTC

FEDORA-2020-a1e9ff2c00 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Zdenek Pytela 2020-10-02 06:59:57 UTC

The remaining AVCs will be resolved in bz#1880948 - now the runtime files also have the initrc_var_run_t type, different to the original one reported.

Note You need to log in before you can comment on or make changes to this bug.