Bug 2008894 - chrony-wait service does not start with DynamicUser=yes
Summary: chrony-wait service does not start with DynamicUser=yes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-29 12:47 UTC by Miroslav Lichvar
Modified: 2021-11-02 12:20 UTC (History)

Fixed In Version: selinux-policy-35.3-1.20211019git94970fc.fc35
Clone Of:
Environment:
Last Closed: 2021-10-21 23:17:37 UTC
Type: Bug
Embargoed:



Description Miroslav Lichvar 2021-09-29 12:47:20 UTC
Description of problem:
Setting DynamicUser=yes in chrony-wait.service in an attempt to reduce the "exposure" reported by systemd-analyze security causes the service to fail to start with the following AVC:

type=AVC msg=audit(1632915483.991:3583): avc:  denied  { nnp_transition } for  pid=8135 comm="(chronyc)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-34.20-1.fc35.noarch

Steps to Reproduce:
1. mkdir /run/systemd/system/chrony-wait.service.d
2. echo -e "[Service]\nDynamicUser=yes" > /run/systemd/system/chrony-wait.service.d/override.conf
3. systemctl daemon-reload
4. systemctl restart chrony-wait.service
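
The reproducer above relies on the fact that DynamicUser=yes implies NoNewPrivileges=yes, and under no_new_privs the kernel only permits an SELinux domain transition (here init_t to chronyc_t on exec of chronyc_exec_t) when the policy grants the nnp_transition permission of class process2. The shell functions below are an added example, not part of the bug report or of the selinux-policy or chrony projects: write_override creates the same drop-in as steps 1 and 2 (the unit name and target directory are parameters so it can be exercised against a temporary directory), nnp_denials pulls the source/target context pairs out of AVC records such as the ones quoted in this bug, and sesearch_cmd builds the setools query that checks whether the loaded policy allows that transition. The function names are my own and the sample records are copied from this bug for offline use.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the DynamicUser= override,
# extract nnp_transition denials from audit records, and build the sesearch
# query that tells you whether the loaded policy allows the transition.

# Write the drop-in from the reproducer. DIR defaults to /run/systemd/system so
# the override is runtime-only and disappears on reboot. Prints the file path.
write_override() {
    unit="$1"
    dir="${2:-/run/systemd/system}/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nDynamicUser=yes\n' > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Read AVC records on stdin; print unique "scontext tcontext" pairs for every
# nnp_transition denial (works on both raw and ausearch -i formatted records).
nnp_denials() {
    grep -F '{ nnp_transition }' |
    sed -n 's/.*scontext=\([^ ]*\) tcontext=\([^ ]*\) .*/\1 \2/p' |
    sort -u
}

# Third field of an SELinux context (user:role:type:level) is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sesearch (setools) query for the allow rule a NoNewPrivileges= transition needs.
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c process2 -p nnp_transition\n' \
        "$(ctx_type "$1")" "$(ctx_type "$2")"
}

# Constructed sample: the two denials quoted in this bug (raw and ausearch -i form).
SAMPLE='type=AVC msg=audit(1632915483.991:3583): avc:  denied  { nnp_transition } for  pid=8135 comm="(chronyc)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=1
type=AVC msg=audit(10/08/2021 07:06:21.051:515) : avc:  denied  { nnp_transition } for  pid=1277 comm=(chronyc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=0'

# Stand-alone run: for each denied pair, print the policy query to run next.
printf '%s\n' "$SAMPLE" | nnp_denials | while read -r src tgt; do
    sesearch_cmd "$src" "$tgt"
done
```

On a live system the records come from `ausearch -m AVC,SELINUX_ERR -ts recent`, and an empty result from the printed sesearch command means the policy still lacks the allow rule, so the unit will keep failing in enforcing mode. A domain that systemd should be able to enter under NoNewPrivileges= needs the nnp_transition permission from init_t in the policy; fixing that is the policy's job, which is why this bug moved from chrony to selinux-policy.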

Comment 1 Milos Malik 2021-10-08 11:09:21 UTC
Following SELinux denial appeared in enforcing mode:
----
type=SELINUX_ERR msg=audit(10/08/2021 07:06:21.051:515) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:chronyc_t:s0 
type=AVC msg=audit(10/08/2021 07:06:21.051:515) : avc:  denied  { nnp_transition } for  pid=1277 comm=(chronyc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=0 
----

Following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(10/08/2021 07:07:51.387:534) : proctitle=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1 
type=PATH msg=audit(10/08/2021 07:07:51.387:534) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=6991 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/08/2021 07:07:51.387:534) : item=0 name=/usr/bin/chronyc inode=43819 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/08/2021 07:07:51.387:534) : cwd=/ 
type=EXECVE msg=audit(10/08/2021 07:07:51.387:534) : argc=8 a0=/usr/bin/chronyc a1=-h a2=127.0.0.1,::1 a3=waitsync a4=0 a5=0.1 a6=0.0 a7=1 
type=SYSCALL msg=audit(10/08/2021 07:07:51.387:534) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5626f7feb800 a1=0x5626f7ea4710 a2=0x5626f7ea2c70 a3=0x0 items=2 ppid=1 pid=1340 auid=unset uid=chrony-wait gid=chrony-wait euid=chrony-wait suid=chrony-wait fsuid=chrony-wait egid=chrony-wait sgid=chrony-wait fsgid=chrony-wait tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null) 
type=AVC msg=audit(10/08/2021 07:07:51.387:534) : avc:  denied  { nnp_transition } for  pid=1340 comm=(chronyc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=1 
----

Comment 4 Zdenek Pytela 2021-10-13 13:02:56 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/913

Comment 5 Fedora Update System 2021-10-18 12:29:24 UTC
FEDORA-2021-7dd082a675 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7dd082a675

Comment 6 Fedora Update System 2021-10-18 15:56:33 UTC
FEDORA-2021-7dd082a675 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7dd082a675`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7dd082a675

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Miroslav Lichvar 2021-10-19 07:47:13 UTC
The update fixes the issue for me. Thanks!

Comment 8 Fedora Update System 2021-10-21 02:21:19 UTC
FEDORA-2021-d3cb1609c8 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d3cb1609c8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d3cb1609c8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-10-21 23:17:37 UTC
FEDORA-2021-d3cb1609c8 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
