Bug 2035117 - SELinux is preventing dhclient-script from 'write' accesses on the directory chrony-dhcp.
Summary: SELinux is preventing dhclient-script from 'write' accesses on the directory ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a031282ccb449cb77e9686ea89f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-22 23:12 UTC by Mai Ling
Modified: 2022-06-28 08:50 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-35.18-1.fc35
Clone Of:
Environment:
Last Closed: 2022-06-23 03:13:58 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1149 0 None open Update chronyd_pid_filetrans() to allow create dirs 2022-04-14 07:41:16 UTC

Description Mai Ling 2021-12-22 23:12:14 UTC
Description of problem:
SELinux is preventing dhclient-script from 'write' accesses on the directory chrony-dhcp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dhclient-script should be allowed write access on the chrony-dhcp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dhclient-script' --raw | audit2allow -M my-dhclientscript
# semodule -X 300 -i my-dhclientscript.pp

Additional Information:
Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:chronyd_var_run_t:s0
Target Objects                chrony-dhcp [ dir ]
Source                        dhclient-script
Source Path                   dhclient-script
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.22-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.22-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.14.16-201.fc34.x86_64 #1 SMP Wed
                              Nov 3 13:57:29 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-12-23 00:19:05 EET
Last Seen                     2021-12-23 00:19:05 EET
Local ID                      a17f5a70-01da-4cfe-ae54-6cbc1b425e7e

Raw Audit Messages
type=AVC msg=audit(1640211545.449:2339): avc:  denied  { write } for  pid=194668 comm="dhclient-script" name="chrony-dhcp" dev="tmpfs" ino=1975 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=0


Hash: dhclient-script,dhcpc_t,chronyd_var_run_t,dir,write

Version-Release number of selected component:
selinux-policy-targeted-34.22-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.15.10-100.fc34.x86_64
type:           libreport

Comment 1 Thomas Köller 2022-04-13 23:08:56 UTC
I am getting a similar, possibly related error:

SELinux is preventing mkdir from create access on the directory chrony-dhcp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mkdir should be allowed create access on the chrony-dhcp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
# semodule -X 300 -i my-mkdir.pp

Additional Information:
Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:chronyd_var_run_t:s0
Target Objects                chrony-dhcp [ dir ]
Source                        mkdir
Source Path                   mkdir
Port                          <Unknown>
Host                          sarkovy
Source RPM Packages           Target RPM Packages           SELinux Policy RPM            selinux-policy-targeted-35.16-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.16-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sarkovy
Platform                      Linux sarkovy 5.16.18-200.fc35.x86_64 #1 SMP
                              PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-04-13 22:24:49 CEST
Last Seen                     2022-04-14 00:58:24 CEST
Local ID                      8eb1815b-a511-437a-a0a4-748d37e6bf27

Raw Audit Messages
type=AVC msg=audit(1649890704.238:2102): avc:  denied  { create } for  pid=21094 comm="mkdir" name="chrony-dhcp" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=0


Hash: mkdir,dhcpc_t,chronyd_var_run_t,dir,create

Comment 2 Zdenek Pytela 2022-04-14 07:41:16 UTC
Fixed in rawhide, so I'll backport it to F35.

Comment 3 Fedora Update System 2022-06-07 09:25:34 UTC
FEDORA-2022-9e53cb5027 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

Comment 4 Fedora Update System 2022-06-08 01:20:24 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9e53cb5027`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-06-23 03:13:58 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.