Description of problem:
This is likely due to using Network Time Security (NTS) protocol that uses a TLS handshake to auth the NTP servers in the pool on a separate port. Anaconda allows this during the internet time server configuration user interface but after SELinux is installed the ports are not allowed in the policy.

SELinux is preventing chronyd from 'name_connect' accesses on the tcp_socket port 4460.

***** Plugin connect_ports (92.2 confidence) suggests *********************

If you want to allow chronyd to connect to network port 4460
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 4460
    where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that chronyd should be allowed name_connect access on the port 4460 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chronyd' --raw | audit2allow -M my-chronyd
# semodule -X 300 -i my-chronyd.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 4460 [ tcp_socket ]
Source                        chronyd
Source Path                   chronyd
Port                          4460
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-27.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-27.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.11-300.fc33.x86_64 #1 SMP Wed Sep 23 14:34:25 UTC 2020 x86_64 x86_64
Alert Count                   48
First Seen                    2020-09-26 21:44:06 PDT
Last Seen                     2020-09-27 15:49:27 PDT
Local ID                      8b88ae83-02b2-433c-a1b8-a1a67d35c5d3

Raw Audit Messages
type=AVC msg=audit(1601246967.87:294): avc: denied { name_connect } for pid=833 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Hash: chronyd,chronyd_t,unreserved_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-27.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.11-300.fc33.x86_64
type:           libreport

*** This bug has been marked as a duplicate of bug 1872624 ***