Bug 1883051 - SELinux is preventing chronyd from 'name_connect' accesses on the tcp_socket port 4460.
Keywords:
Status: CLOSED DUPLICATE of bug 1872624
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0b6df1e288935158c59f3f79a45...
Depends On:
Blocks:
Reported: 2020-09-27 22:53 UTC by Angie
Modified: 2020-09-29 04:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 04:39:01 UTC
Type: ---
Embargoed:



Description Angie 2020-09-27 22:53:42 UTC
Description of problem:
This is likely due to using Network Time Security (NTS) protocol that uses a TLS handshake to auth the NTP servers in the pool on a separate port. Anaconda allows this during the internet time server configuration user interface but after SELinux is installed the ports are not allowed in the policy.
SELinux is preventing chronyd from 'name_connect' accesses on the tcp_socket port 4460.

*****  Plugin connect_ports (92.2 confidence) suggests   *********************

If you want to allow chronyd to connect to network port 4460
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 4460
    where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that chronyd should be allowed name_connect access on the port 4460 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chronyd' --raw | audit2allow -M my-chronyd
# semodule -X 300 -i my-chronyd.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 4460 [ tcp_socket ]
Source                        chronyd
Source Path                   chronyd
Port                          4460
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-27.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-27.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.11-300.fc33.x86_64 #1 SMP Wed
                              Sep 23 14:34:25 UTC 2020 x86_64 x86_64
Alert Count                   48
First Seen                    2020-09-26 21:44:06 PDT
Last Seen                     2020-09-27 15:49:27 PDT
Local ID                      8b88ae83-02b2-433c-a1b8-a1a67d35c5d3

Raw Audit Messages
type=AVC msg=audit(1601246967.87:294): avc:  denied  { name_connect } for  pid=833 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0


Hash: chronyd,chronyd_t,unreserved_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-27.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.11-300.fc33.x86_64
type:           libreport
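
As an added example (not part of this report, of setroubleshoot or of chrony), a small Python parser that recognises the denial pattern reported here (chronyd_t refused name_connect on tcp port 4460, the NTS-KE port) in a raw AVC record and renders the allow rule that the audit2allow step in the catchall suggestion would generate. The sample line is the one quoted in the report; the helper names are my own.

```python
import re
from typing import Optional

# Constructed sample input: the AVC record quoted in this report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1601246967.87:294): avc:  denied  { name_connect } for  '
    'pid=833 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
)

NTS_KE_PORT = 4460  # TCP port of the NTS key-establishment handshake chronyd opens

_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Split one AVC record into its fields; None if the line is not an AVC record."""
    m = _DECISION_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; policy rules are written against the type.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def is_nts_ke_denial(rec: Optional[dict]) -> bool:
    """True when chronyd_t was refused an outbound TCP connect to port 4460."""
    return (
        rec is not None
        and rec["decision"] == "denied"
        and "name_connect" in rec["perms"]
        and rec["stype"] == "chronyd_t"
        and rec.get("tclass") == "tcp_socket"
        and rec.get("dest") == str(NTS_KE_PORT)
    )


def te_rule(rec: dict) -> str:
    """Render the allow rule audit2allow would emit for this record (local-module form)."""
    return "allow {} {}:{} {};".format(
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])
    )


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("NTS-KE denial" if is_nts_ke_denial(rec) else "other denial", "->", te_rule(rec))
```

Note that the rendered rule grants chronyd_t name_connect to every port labelled unreserved_port_t, which is broader than relabelling port 4460 with semanage port as the connect_ports plugin proposes.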

Comment 1 Zdenek Pytela 2020-09-29 04:39:01 UTC

*** This bug has been marked as a duplicate of bug 1872624 ***

