Description of problem:
chronyc command is confined to chronyc_t, as such we need to make sure Zabbix scripts get a transition when executing chronyc. For now, there is no transition, causing *chronyd* to pop an AVC when it tries to answer the chronyc client:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(1673453345.225:434): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1673453345.225:434): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fffcd41c070 a2=0 a3=0 items=0 ppid=1 pid=1233 auid=4294967295 uid=988 gid=984 euid=988 suid=988 fsuid=988 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1673453345.225:434): avc: denied { sendto } for pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The solution consists in adding a transition:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
domtrans_pattern(zabbix_script_t, chronyc_exec_t, chronyc_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-108.el8.noarch and Fedora Upstream

How reproducible:
Always

Steps to Reproduce:
1. Create a fake Zabbix agent and Zabbix script executing chronyc

/usr/local/bin/zabbix_agent:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
echo "$0 executing as `id -Z`"
exec /usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/usr/local/bin/zabbix_script:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
echo "$0 executing as `id -Z`"
exec chronyc dump
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Label the scripts accordingly
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# chmod +x /usr/local/bin/zabbix_agent /usr/local/bin/zabbix_script
# chcon -t zabbix_agent_exec_t /usr/local/bin/zabbix_agent
# chcon -t zabbix_script_exec_t /usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Execute the fake agent as a systemd service (to have the transitions occur)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemd-run /usr/local/bin/zabbix_agent
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:
AVC on chronyd
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Wed Jan 11 17:09:05 2023
type=PROCTITLE msg=audit(1673453345.225:434): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1673453345.225:434): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fffcd41c070 a2=0 a3=0 items=0 ppid=1 pid=1233 auid=4294967295 uid=988 gid=984 euid=988 suid=988 fsuid=988 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1673453345.225:434): avc: denied { sendto } for pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:
No AVC
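Added example, not part of the bug report and not the zabbix or selinux-policy project's own code: a shell script that writes a local policy module carrying the domtrans_pattern rule from the report, builds and loads it only when the selinux-policy-devel Makefile is present and the script runs as root, and reduces AVC records to their type/class/permission so the symptom described above (chronyd_t denied sendto on a unix_dgram_socket owned by a type other than chronyc_t) can be recognised in audit.log. The module name zabbix_chronyc, the temporary work directory and the function names are assumptions; the sample AVC record is the one quoted in the report.

```shell
#!/bin/sh
# Added example: local policy module for the missing zabbix_script_t -> chronyc_t
# transition, plus a small AVC triage helper. Type names come from the report;
# the module name "zabbix_chronyc" and the work directory are assumptions.
set -eu

# Write a refpolicy-style .te file. gen_require declares the types this module
# uses without defining them; domtrans_pattern() is the rule from the report.
write_policy_module() {
    out="$1"
    cat > "$out" <<'EOF'
policy_module(zabbix_chronyc, 1.0)

gen_require(`
    type zabbix_script_t;
    type chronyc_exec_t;
    type chronyc_t;
')

# When zabbix_script_t executes a file labelled chronyc_exec_t, run it as chronyc_t,
# so chronyd (chronyd_t) answers a chronyc_t socket rather than a zabbix_script_t one.
domtrans_pattern(zabbix_script_t, chronyc_exec_t, chronyc_t)
EOF
}

# Build with the selinux-policy-devel Makefile and load with semodule. Both need
# the devel package and root, so the step is skipped elsewhere.
build_and_load_module() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ] || [ "$(id -u)" -ne 0 ]; then
        echo "skipping build/load: needs selinux-policy-devel and root" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile zabbix_chronyc.pp)
    semodule -i "$dir/zabbix_chronyc.pp"
    # Show the type transition now present in the loaded policy (setools' sesearch).
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -T -s zabbix_script_t -t chronyc_exec_t -c process
    fi
}

# Reduce one AVC record to "source_type target_type class permission"; the denial
# from the report becomes "chronyd_t zabbix_script_t unix_dgram_socket sendto".
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z0-9_]*\) *}.*scontext=[^ ]*:\([a-z0-9_]*\):s0.*tcontext=[^ ]*:\([a-z0-9_]*\):s0.*tclass=\([a-z0-9_]*\).*/\2 \3 \4 \1/p'
}

# True when the record is chronyd being refused a reply to a chronyc client socket
# whose owner never transitioned to chronyc_t: the symptom the domtrans rule fixes.
is_untransitioned_chronyc_client() {
    set -- $(avc_summary "$1")
    [ "$#" -eq 4 ] && [ "$1" = chronyd_t ] && [ "$2" != chronyc_t ] \
        && [ "$3" = unix_dgram_socket ] && [ "$4" = sendto ]
}

# Constructed input for the demo: the AVC record quoted in the report, on one line.
SAMPLE_AVC='type=AVC msg=audit(1673453345.225:434): avc: denied { sendto } for pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0'

workdir=$(mktemp -d)
write_policy_module "$workdir/zabbix_chronyc.te"
build_and_load_module "$workdir"
avc_summary "$SAMPLE_AVC"
if is_untransitioned_chronyc_client "$SAMPLE_AVC"; then
    echo "chronyc client ran without the chronyc_t transition (see $workdir/zabbix_chronyc.te)"
fi
```

On a host with the denial, `ausearch -m AVC -c chronyd` lines can be piped through avc_summary one at a time; the triage test deliberately keys on the server side (chronyd_t refused sendto), because that is where the report shows the denial appearing even though the root cause is the client's label.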
Switching the component as zabbix ships its own policy module.
FEDORA-EPEL-2023-05285498ec has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-05285498ec
FEDORA-EPEL-2023-05285498ec has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-05285498ec See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-05285498ec has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.