Bug 1924926
| Summary: | SELinux denials when trying to talk to chronyd socket on GCP | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Micah Abbott <miabbott> |
| Component: | RHCOS | Assignee: | Timothée Ravier <travier> |
| Status: | CLOSED DUPLICATE | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.7 | CC: | bbreard, imcleod, jligon, miabbott, nstielau |
| Target Milestone: | --- | ||
| Target Release: | 4.8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-02 10:22:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Micah Abbott
2021-02-03 22:16:38 UTC
Needs additional investigation on vanilla RHEL 8 Hmm, not reproducing on vanilla RHEL 8 ``` [miabbott@miabbott-rhel-8a ~]$ cat /etc/os-release NAME="Red Hat Enterprise Linux" VERSION="8.3 (Ootpa)" ID="rhel" ID_LIKE="fedora" VERSION_ID="8.3" PLATFORM_ID="platform:el8" PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA" HOME_URL="https://www.redhat.com/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8" REDHAT_BUGZILLA_PRODUCT_VERSION=8.3 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="8.3" [miabbott@miabbott-rhel-8a ~]$ rpm -q chrony selinux-policy chrony-3.5-1.el8.x86_64 selinux-policy-3.14.3-54.el8_3.2.noarch [miabbott@miabbott-rhel-8a ~]$ systemctl status chronyd ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2021-02-25 16:34:32 UTC; 9min ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 773 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS) Process: 722 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 745 (chronyd) Tasks: 1 (limit: 23399) Memory: 1.9M CGroup: /system.slice/chronyd.service └─745 /usr/sbin/chronyd Feb 25 16:34:32 localhost systemd[1]: Starting NTP client/server... Feb 25 16:34:32 localhost chronyd[745]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG) Feb 25 16:34:32 localhost chronyd[745]: Using right/UTC timezone to obtain leap second data Feb 25 16:34:32 localhost systemd[1]: Started NTP client/server. Feb 25 16:34:42 miabbott-rhel-8a chronyd[745]: Selected source 169.254.169.254 Feb 25 16:34:42 miabbott-rhel-8a chronyd[745]: System clock TAI offset set to 37 seconds [miabbott@miabbott-rhel-8a ~]$ time chronyc sources 210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* metadata.google.internal 2 6 377 44 +25us[ +18us] +/- 737us real 0m0.003s user 0m0.001s sys 0m0.002s [miabbott@miabbott-rhel-8a ~]$ cat /etc/chrony.conf # These servers were defined in the installation: server metadata.google.internal iburst # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). # Record the rate at which the system clock gains/losses time. driftfile /var/lib/chrony/drift # Allow the system clock to be stepped in the first three updates # if its offset is larger than 1 second. makestep 1.0 3 # Enable kernel synchronization of the real-time clock (RTC). rtcsync # Enable hardware timestamping on all interfaces that support it. #hwtimestamp * # Increase the minimum number of selectable sources required to adjust # the system clock. #minsources 2 # Allow NTP client access from local network. #allow 192.168.0.0/16 # Serve time even if not synchronized to a time source. #local stratum 10 # Specify file containing keys for NTP authentication. keyfile /etc/chrony.keys # Get TAI-UTC offset and leap seconds from the system tz database. leapsectz right/UTC # Specify directory for log files. logdir /var/log/chrony # Select which information is logged. #log measurements statistics tracking [miabbott@miabbott-rhel-8a ~]$ sudo ausearch -m avc <no matches> ``` From initial review, this looks like a failure from running as spc_t (privileged container) vs unconfined_t on the node that can be worked around using systemd-run. I remember another bug about that but have not found it yet. This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1896369 which is marked as duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839065 for which I filed https://github.com/openshift/oc/issues/641. We can decide to work on that if needed. *** This bug has been marked as a duplicate of bug 1896369 *** |