Description of problem:
Setting DynamicUser=yes in chrony-wait.service in an attempt to reduce the "exposure" reported by systemd-analyze security causes the service to fail to start with the following AVC:

type=AVC msg=audit(1632915483.991:3583): avc: denied { nnp_transition } for pid=8135 comm="(chronyc)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-34.20-1.fc35.noarch

Steps to Reproduce:
1. mkdir /run/systemd/system/chrony-wait.service.d
2. echo -e "[Service]\nDynamicUser=yes" > /run/systemd/system/chrony-wait.service.d/override.conf
3. systemctl daemon-reload
4. systemctl restart chrony-wait.service
Following SELinux denial appeared in enforcing mode:
----
type=SELINUX_ERR msg=audit(10/08/2021 07:06:21.051:515) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:chronyc_t:s0
type=AVC msg=audit(10/08/2021 07:06:21.051:515) : avc: denied { nnp_transition } for pid=1277 comm=(chronyc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=0
----

Following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(10/08/2021 07:07:51.387:534) : proctitle=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
type=PATH msg=audit(10/08/2021 07:07:51.387:534) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=6991 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/08/2021 07:07:51.387:534) : item=0 name=/usr/bin/chronyc inode=43819 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/08/2021 07:07:51.387:534) : cwd=/
type=EXECVE msg=audit(10/08/2021 07:07:51.387:534) : argc=8 a0=/usr/bin/chronyc a1=-h a2=127.0.0.1,::1 a3=waitsync a4=0 a5=0.1 a6=0.0 a7=1
type=SYSCALL msg=audit(10/08/2021 07:07:51.387:534) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5626f7feb800 a1=0x5626f7ea4710 a2=0x5626f7ea2c70 a3=0x0 items=2 ppid=1 pid=1340 auid=unset uid=chrony-wait gid=chrony-wait euid=chrony-wait suid=chrony-wait fsuid=chrony-wait egid=chrony-wait sgid=chrony-wait fsgid=chrony-wait tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
type=AVC msg=audit(10/08/2021 07:07:51.387:534) : avc: denied { nnp_transition } for pid=1340 comm=(chronyc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process2 permissive=1
----
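Added example (not part of the bug report, of chrony, or of selinux-policy) covering the reproducer in the description and the denials in the two comments above. The mechanism behind the AVC: DynamicUser=yes makes systemd also set NoNewPrivileges=yes for the unit, and once no_new_privs is set SELinux refuses the exec-time domain transition init_t -> chronyc_t unless policy grants nnp_transition on class process2 (or chronyc_t is typebound to init_t), which is exactly the SELINUX_ERR/AVC pair shown. The script below applies the same drop-in, turns the resulting AVC lines into the allow rule they ask for, and builds a local policy module from it as a stop-gap for hosts that cannot take the fixed package yet. The function names, the module name chronyc_nnp and the sample audit lines in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example: reproduce the DynamicUser=yes failure on chrony-wait.service
# and derive a local SELinux workaround module from the nnp_transition AVCs.
# Not the project's code; helper names and the module name are assumptions.

# Reproducer, identical to the steps in the report. DynamicUser=yes implies
# NoNewPrivileges=yes, which is what triggers the nnp_transition check.
repro_dropin() {
    d=/run/systemd/system/chrony-wait.service.d
    mkdir -p "$d"
    printf '[Service]\nDynamicUser=yes\n' > "$d/override.conf"
    systemctl daemon-reload
    systemctl restart chrony-wait.service
}

# Read audit records on stdin; for every "denied { nnp_transition }" AVC print
# the allow rule for that source -> target domain pair. Only the type field of
# each context is used (system_u:system_r:init_t:s0 -> init_t). Duplicates
# (enforcing and permissive runs of the same unit) collapse to one rule.
avc_to_nnp_rule() {
    grep 'denied.*nnp_transition' |
    sed -nE 's/.*scontext=[^:]+:[^:]+:([^:]+):.*tcontext=[^:]+:[^:]+:([^:]+):.*/allow \1 \2:process2 { nnp_transition };/p' |
    sort -u
}

# Wrap allow rules from stdin into a complete .te module named $1, declaring
# every type the rules mention in the require block. Fails if there are no rules.
nnp_rules_to_te() {
    rules=$(cat)
    [ -n "$rules" ] || return 1
    echo "module $1 1.0;"
    echo 'require {'
    printf '%s\n' "$rules" |
        awk '{ sub(/:.*/, "", $3); print "    type " $2 ";"; print "    type " $3 ";" }' |
        sort -u
    echo '    class process2 nnp_transition;'
    echo '}'
    printf '%s\n' "$rules"
}

# Collect recent denials, build the module and load it. Remove it again with
# "semodule -r chronyc_nnp" once the fixed selinux-policy package is installed.
build_local_module() {
    tmp=$(mktemp -d)
    ausearch -m AVC -ts recent 2>/dev/null | avc_to_nnp_rule |
        nnp_rules_to_te chronyc_nnp > "$tmp/chronyc_nnp.te" ||
        { echo "no nnp_transition denials in recent audit log" >&2; return 1; }
    checkmodule -M -m -o "$tmp/chronyc_nnp.mod" "$tmp/chronyc_nnp.te" &&
    semodule_package -o "$tmp/chronyc_nnp.pp" -m "$tmp/chronyc_nnp.mod" &&
    semodule -i "$tmp/chronyc_nnp.pp"
}

# Usage (as root): repro_dropin; build_local_module; systemctl restart chrony-wait.service
```

The rule this produces is the same kind of grant the distribution policy makes for other daemons that run under NoNewPrivileges= (its init_nnp_daemon_domain() interface), so it does not weaken anything the shipped policy does not already accept for such services; it is still a local module, so drop it once the FEDORA update in this thread is installed and confirm with `ausearch -m AVC -ts recent | grep nnp_transition` that no denial remains.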
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/913
FEDORA-2021-7dd082a675 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7dd082a675
FEDORA-2021-7dd082a675 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7dd082a675` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7dd082a675 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The update fixes the issue for me. Thanks!
FEDORA-2021-d3cb1609c8 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d3cb1609c8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d3cb1609c8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-d3cb1609c8 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.