Description of problem:
The latest chrony package includes a chronyd-restricted service, which starts chronyd without root privileges. It fails to start when selinux is enabled.

type=AVC msg=audit(1676448867.811:153): avc: denied { nnp_transition } for pid=825 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-38.7-1.fc38.noarch
chrony-4.3-3.fc38.x86_64

How reproducible:
always

Steps to Reproduce:
1. systemctl start chronyd-restricted

Actual results:
fails to start

Expected results:
starts and no AVC reported

Additional info:
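An added example, not part of this bug report or of the chrony or selinux-policy projects: a small Python parser for AVC records in the raw audit(epoch:serial) form quoted above, with a heuristic that tells the nnp_transition denial (the unit runs with no_new_privs set and the policy does not permit the bounded transition) apart from the follow-on file denial a daemon hits when it is left running in init_t. The sample records are constructed copies of the ones in this thread; the diagnosis strings are this example's own.

```python
import re

# Constructed sample records in the raw audit(<epoch>:<serial>) form, modelled
# on the AVC lines quoted in this bug; the third is a permissive-mode variant.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1676448867.811:153): avc:  denied  { nnp_transition } for  pid=825 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1687273041.991:208): avc:  denied  { create } for  pid=986 comm="chronyd" name="chronyd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687273100.500:300): avc:  denied  { nnp_transition } for  pid=1368 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=1
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    rec["enforced"] = rec.get("permissive") == "0"  # permissive=1 means logged only
    return rec


def domain(ctx):
    return ctx.split(":")[2]  # the type field of user:role:type:level


def diagnose(rec):
    """Heuristic mapping of a denial to the condition it indicates in this bug's pattern."""
    src, tgt = domain(rec["scontext"]), domain(rec["tcontext"])
    if rec["tclass"] == "process2" and "nnp_transition" in rec["perms"]:
        # The unit runs with no_new_privs (NoNewPrivileges= or a sandboxing option implying
        # it) and the policy lacks the bounded transition: allow it or pin SELinuxContext=.
        return f"nnp_transition {src}->{tgt} not allowed; service stays in {src}"
    if src == "init_t" and rec.get("comm") != "systemd":
        # A daemon still labelled init_t is the follow-on effect of that failed
        # transition, not a missing file rule for the daemon's own domain.
        return f"{rec.get('comm')} running in init_t: follow-on denial of failed transition"
    return "unclassified denial"


def scan(text):
    """Return [(serial, enforced, diagnosis)] for every denied AVC record in text."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            out.append((rec["serial"], rec["enforced"], diagnose(rec)))
    return out
```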
Mirku, is the permission set for chronyd-restricted expected to be any different from chronyd, or can we let it share the policy with chrony?
The restricted service is expected to work only as an NTP and possibly NTS client. It shouldn't open reference clocks, shared memory segments, set realtime priority, create directories, etc. I think it could have its own trimmed-down policy, but I'm not sure if it's worth the trouble of maintaining two policies.
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(02/15/2023 07:00:20.830:462) : proctitle=/usr/sbin/chronyd -U -F 2
type=PATH msg=audit(02/15/2023 07:00:20.830:462) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139866 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/15/2023 07:00:20.830:462) : item=0 name=/usr/sbin/chronyd inode=161293 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2023 07:00:20.830:462) : cwd=/
type=EXECVE msg=audit(02/15/2023 07:00:20.830:462) : argc=4 a0=/usr/sbin/chronyd a1=-U a2=-F a3=2
type=SYSCALL msg=audit(02/15/2023 07:00:20.830:462) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564d8a312420 a1=0x564d8a3f5110 a2=0x564d8a29c520 a3=0x1 items=2 ppid=1 pid=1346 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(02/15/2023 07:00:20.830:462) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:chronyd_t:s0
type=AVC msg=audit(02/15/2023 07:00:20.830:462) : avc: denied { nnp_transition } for pid=1346 comm=(chronyd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 07:00:20.838:463) : proctitle=/usr/sbin/chronyd -U -F 2
type=PATH msg=audit(02/15/2023 07:00:20.838:463) : item=0 name=/run/chrony/ inode=911 dev=00:18 mode=dir,750 ouid=chrony ogid=chrony rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2023 07:00:20.838:463) : cwd=/
type=SYSCALL msg=audit(02/15/2023 07:00:20.838:463) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd57e74770 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x1a4 items=1 ppid=1 pid=1348 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(02/15/2023 07:00:20.838:463) : avc: denied { create } for pid=1348 comm=chronyd name=chronyd.pid scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(02/15/2023 07:01:18.491:469) : proctitle=/usr/sbin/chronyd -U -F 2
type=PATH msg=audit(02/15/2023 07:01:18.491:469) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139866 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/15/2023 07:01:18.491:469) : item=0 name=/usr/sbin/chronyd inode=161293 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2023 07:01:18.491:469) : cwd=/
type=EXECVE msg=audit(02/15/2023 07:01:18.491:469) : argc=4 a0=/usr/sbin/chronyd a1=-U a2=-F a3=2
type=SYSCALL msg=audit(02/15/2023 07:01:18.491:469) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564d8a390d90 a1=0x564d8a3a78f0 a2=0x564d8a29c520 a3=0x1 items=2 ppid=1 pid=1368 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(02/15/2023 07:01:18.491:469) : avc: denied { nnp_transition } for pid=1368 comm=(chronyd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=1
----

I stopped the chronyd service before starting the chronyd-restricted service.
Mirku,

The service keeps failing even after allowing the nnp transition:

# cat local_chrony.cil
(allow init_t chronyd_t (process2 (nnp_transition)))
# semodule -i local_chrony.cil
# systemctl restart chronyd-restricted
# systemctl status chronyd-restricted --full
● chronyd-restricted.service - NTP client (restricted)
     Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Mon 2023-06-19 10:13:38 EDT; 47s ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 767 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 769 (chronyd)
      Tasks: 1 (limit: 2311)
     Memory: 1.1M
        CPU: 36ms
     CGroup: /system.slice/chronyd-restricted.service
             └─769 /usr/sbin/chronyd -U -F 2

Jun 19 10:13:37 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com systemd[1]: Starting chronyd-restricted.service - NTP client (restricted)...
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: chronyd version 4.4-pre1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Could not open command socket on 127.0.0.1:323
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Could not open command socket on [::1]:323
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Frequency 0.000 +/- 1000000.000 ppm read from /var/lib/chrony/drift
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Using right/UTC timezone to obtain leap second data
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com chronyd[769]: Loaded seccomp filter (level 2)
Jun 19 10:13:38 ci-vm-10-0-139-173.hosted.upshift.rdu2.redhat.com systemd[1]: Started chronyd-restricted.service - NTP client (restricted).

Is this expected in the current development status, perhaps too restrictive unit settings?

$ rpm -q chrony selinux-policy
chrony-4.4-0.1.pre1.fc39.x86_64
selinux-policy-38.17-1.fc39.noarch

FYI: What I plan now is to create a new domain and start the service with
SELinuxContext=system_u:system_r:chronyd_restricted_t:s0
The service seems to be running. The two "Could not open command socket" messages are expected. The "code=exited, status=0/SUCCESS" line is for the process which forked the daemon. Main PID is still running.
I have a policy update, the service starts without any AVC denial. Please use the following scratchbuild: https://github.com/fedora-selinux/selinux-policy/pull/1751 Checks -> Artifacts -> rpms.zip and try other scenarios which possibly apply to the service or some interactions with other ones.
The service doesn't start for me with default config:

type=AVC msg=audit(1687273041.989:206): avc: denied { nnp_transition } for pid=984 comm="(chronyd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1687273041.991:208): avc: denied { create } for pid=986 comm="chronyd" name="chronyd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0

# rpm -qa | grep selinux-policy
selinux-policy-38.17-1.20230620_142328.cbe4213.fc39.noarch
selinux-policy-targeted-38.17-1.20230620_142328.cbe4213.fc39.noarch
This needs to be added to the unit file:

[Service]
SELinuxContext=system_u:system_r:chronyd_restricted_t:s0
With that change it works nicely. I tested it as an NTP and NTS client. No issues observed. Thanks.
If this solution, which includes the service unit modification, is fine with you, I'll include it in the next F38 and F39 builds. I believe it was commented on enough. No need for a side tag, there is a one-way dependency.
Yes, that's fine with me. I'll modify the service file in the next chrony update. Thanks.
A few more permissions were added compared to the previous version as a result of our internal testing.
FEDORA-2023-ba070ee6ba has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba
FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ba070ee6ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.