Bug 1903145 - avc: denied { create } for pid=44744 comm="chronyc" name="chronyc.44744.sock"
Summary: avc: denied { create } for pid=44744 comm="chronyc" name="chronyc.44744.sock"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-12-01 13:20 UTC by Ondrej Mejzlik
Modified: 2021-05-07 01:02 UTC
CC List: 8 users

Fixed In Version: selinux-policy-34.5-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-07 01:02:49 UTC
Type: Bug
Embargoed:


Comment 1 Zdenek Pytela 2020-12-01 14:01:58 UTC
This is the full list of denials in enforcing mode:
 
----
type=PROCTITLE msg=audit(12/01/2020 08:51:07.561:620) : proctitle=/usr/bin/chronyc -h /tmp/tmp.gWKuO39zNF/chrony-4.0/test/system/tmp/chronyd.sock -n -m allow 1.2.3.4 
type=PATH msg=audit(12/01/2020 08:51:07.561:620) : item=1 name=/tmp/tmp.gWKuO39zNF/chrony-4.0/test/system/tmp/chronyc.3661.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(12/01/2020 08:51:07.561:620) : item=0 name=/tmp/tmp.gWKuO39zNF/chrony-4.0/test/system/tmp/ inode=1121 dev=00:23 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/01/2020 08:51:07.561:620) : cwd=/tmp/tmp.gWKuO39zNF/chrony-4.0/test/system 
type=SOCKADDR msg=audit(12/01/2020 08:51:07.561:620) : saddr={ saddr_fam=local path=/tmp/tmp.gWKuO39zNF/chrony-4.0/test/system/tmp/chronyc.3661.sock } 
type=SYSCALL msg=audit(12/01/2020 08:51:07.561:620) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffed7e4c880 a2=0x6e a3=0x7f6efa982fc0 items=2 ppid=3622 pid=3661 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/01/2020 08:51:07.561:620) : avc:  denied  { create } for  pid=3661 comm=chronyc name=chronyc.3661.sock scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0 
---- 

type=PROCTITLE msg=audit(12/01/2020 08:55:39.691:758) : proctitle=/usr/bin/chronyc -h /tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system/tmp/chronyd.sock -n -m allow 1.2.3.4 
type=PATH msg=audit(12/01/2020 08:55:39.691:758) : item=0 name=/tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system/tmp/chronyc.5235.sock inode=1704 dev=00:23 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/01/2020 08:55:39.691:758) : cwd=/tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system 
type=SYSCALL msg=audit(12/01/2020 08:55:39.691:758) : arch=x86_64 syscall=chmod success=no exit=EACCES(Permission denied) a0=0x55a8c1765fe0 a1=0666 a2=0x6e a3=0x7f08322befc0 items=1 ppid=5196 pid=5235 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/01/2020 08:55:39.691:758) : avc:  denied  { setattr } for  pid=5235 comm=chronyc name=chronyc.5235.sock dev="tmpfs" ino=1704 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(12/01/2020 08:55:39.692:759) : proctitle=/usr/bin/chronyc -h /tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system/tmp/chronyd.sock -n -m allow 1.2.3.4 
type=PATH msg=audit(12/01/2020 08:55:39.692:759) : item=1 name=/tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system/tmp/chronyc.5235.sock inode=1704 dev=00:23 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(12/01/2020 08:55:39.692:759) : item=0 name=/tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system/tmp/ inode=1691 dev=00:23 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/01/2020 08:55:39.692:759) : cwd=/tmp/tmp.LzyANvCJ4U/chrony-4.0/test/system 
type=SYSCALL msg=audit(12/01/2020 08:55:39.692:759) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffd507a7a62 a1=0x7ffd507a7a60 a2=0x7ffd507a7a5c a3=0x7f08322befc0 items=2 ppid=5196 pid=5235 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/01/2020 08:55:39.692:759) : avc:  denied  { unlink } for  pid=5235 comm=chronyc name=chronyc.5235.sock dev="tmpfs" ino=1704 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(12/01/2020 08:58:07.763:897) : proctitle=/usr/bin/chronyc -h /tmp/tmp.dhx8ZkIXkd/chrony-4.0/test/system/tmp/chronyd.sock -n -m allow 1.2.3.4 
type=PATH msg=audit(12/01/2020 08:58:07.763:897) : item=0 name=/tmp/tmp.dhx8ZkIXkd/chrony-4.0/test/system/tmp/chronyd.sock inode=2274 dev=00:23 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/01/2020 08:58:07.763:897) : cwd=/tmp/tmp.dhx8ZkIXkd/chrony-4.0/test/system 
type=SOCKADDR msg=audit(12/01/2020 08:58:07.763:897) : saddr={ saddr_fam=local path=/tmp/tmp.dhx8ZkIXkd/chrony-4.0/test/system/tmp/chronyd.sock } 
type=SYSCALL msg=audit(12/01/2020 08:58:07.763:897) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffcda14bea0 a2=0x6e a3=0x7fa116415fc0 items=1 ppid=6752 pid=6791 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/01/2020 08:58:07.763:897) : avc:  denied  { write } for  pid=6791 comm=chronyc name=chronyd.sock dev="tmpfs" ino=2274 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0 
----
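
The four AVC records above, grouped the way a policy maintainer triages them before deciding on a fix. This is an added example, not code from this report or from the selinux-policy project: the sample records are copied from Comment 1 into a constructed string, and the helper names (parse_avc, summarize, to_allow_rules) are my own. It parses the interpreted `ausearch -i` record format, keeps only denials that were actually enforced (permissive=0), and collapses them into one rule per (source type, target type, object class), which is the shape audit2allow would propose.

```python
"""Summarise SELinux AVC denials from `ausearch -i` style output.

Added example for this bug report; the sample records below are the AVC
lines from Comment 1, the other record types (SYSCALL, PATH, ...) omitted.
"""
import re
from collections import defaultdict

# Constructed sample: the four enforced denials reported for chronyc_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/01/2020 08:51:07.561:620) : avc:  denied  { create } for  pid=3661 comm=chronyc name=chronyc.3661.sock scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(12/01/2020 08:55:39.691:758) : avc:  denied  { setattr } for  pid=5235 comm=chronyc name=chronyc.5235.sock dev="tmpfs" ino=1704 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(12/01/2020 08:55:39.692:759) : avc:  denied  { unlink } for  pid=5235 comm=chronyc name=chronyc.5235.sock dev="tmpfs" ino=1704 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(12/01/2020 08:58:07.763:897) : avc:  denied  { write } for  pid=6791 comm=chronyc name=chronyd.sock dev="tmpfs" ino=2274 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
"""

# "avc:  denied  { create setattr }" -> decision and the permission set.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; quoted values such as dev="tmpfs" are unquoted below.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "decision": m.group(1),
        "perms": set(m.group(2).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive", "0"),
    }


def summarize(audit_text, enforcing_only=True):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if enforcing_only and rec["permissive"] != "0":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(
            f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

On real systems `audit2allow -a` produces the same grouping from the audit log. The single rule this yields (chronyc_t on user_tmp_t:sock_file, permissions create, setattr, unlink and write) is the most permissive way to silence the denials, since user_tmp_t is the generic label for every user's files under /tmp; it shows what the denials amount to, not what the linked pull request chose to do, and a maintainer normally weighs a dedicated socket type or a boolean against a blanket allow before merging.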

Comment 2 Ben Cotton 2021-02-09 16:24:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 3 Zdenek Pytela 2021-04-27 13:06:02 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/704

Comment 4 Fedora Update System 2021-05-05 14:47:54 UTC
FEDORA-2021-b9564e597a has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b9564e597a

Comment 5 Fedora Update System 2021-05-06 01:58:03 UTC
FEDORA-2021-b9564e597a has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b9564e597a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b9564e597a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-05-07 01:02:49 UTC
FEDORA-2021-b9564e597a has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.
