Description of problem:
Calling 'chronyc sources' from a cron script gives unusual selinux context errors

Version-Release number of selected component (if applicable):
selinux-policy.noarch 37.19-1.fc37
selinux-policy-targeted.noarch 37.19-1.fc37
chrony.x86_64 4.3-1.fc37
cronie.x86_64 1.6.1-3.fc37
cronie-anacron.x86_64 1.6.1-3.fc37
crontabs.noarch 1.11-28.20190603git.fc37

How reproducible:
Always

Steps to Reproduce:
1. run chronyc sources within a cron script gives...
type=AVC msg=audit(25/02/23 03:47:56.609:1976) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(25/02/23 03:47:57.611:1977) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(25/02/23 03:47:59.620:1980) : avc: denied { sendto } for pid=936 comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
2. A workaround is to use sudo to an ordinary user, but that gives a pam/sudo & secure-log entry for each event, which is less than desirable.
3.

Actual results:
See selinux errors above.

Expected results:
No selinux errors, or at least not one that says the script is rpm_script_t, which it seems everything run by cron is/inherits. At least chronyc/d "reads" should not generate an selinux error. But then I'm not sure that is able to be differentiated by the selinux "machine". I bow to greater knowledge...

Additional info:
Thank you John for the report, this needs to be fixed asap.
FEDORA-2023-13093d1386 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386
FEDORA-2023-13093d1386 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-13093d1386` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-13093d1386 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
Sadly I now get a new selinux problem with the new policy, where sendmail is initiated by cron job completions... (one step forward 2 back?)
Source Context  system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context  system_u:object_r:sysctl_net_t:s0
Target Objects  net [ dir ]
Source          sendmail
Source Path     sendmail
type=AVC msg=audit(11/05/23 04:51:03.183:4430) : avc: denied { search } for pid=2148974 comm=sendmail name=net dev="proc" ino=17407 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
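For triaging denials like the two quoted in this report (the chronyd sendto denial in the description and the sendmail search denial above), here is an added example that is not part of the bug report or the selinux-policy project: a small parser that splits an AVC record into its permission, source/target domain types and object class, and flags the pattern the reporter describes, a daemon being denied a reply to a client that is running in rpm_script_t. The sample lines are copied from this report; the function names are my own.

```python
import re
from dataclasses import dataclass

# Sample AVC records taken from the two denials quoted in this bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(25/02/23 03:47:56.609:1976) : avc: denied { sendto } for pid=936 '
    'comm=chronyd path=/run/chrony/chronyc.486558.sock scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(11/05/23 04:51:03.183:4430) : avc: denied { search } for pid=2148974 '
    'comm=sendmail name=net dev="proc" ino=17407 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0',
]

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (dev="proc") or bare (tclass=dir)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str          # "denied" or "granted"
    perms: tuple         # permissions inside the braces, e.g. ("sendto",)
    fields: dict         # remaining key=value pairs (comm, scontext, tcontext, tclass, ...)

    def ctx_type(self, key):
        # A context is user:role:type[:range]; the third component is the type/domain.
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one audit AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return Avc(m.group('result'), tuple(m.group('perms').split()), fields)


def is_rpm_script_client(avc):
    """True when a denial's target is a process in rpm_script_t, the symptom reported
    here for jobs started from cron (the client inherited the wrong domain)."""
    return avc.result == 'denied' and avc.ctx_type('tcontext') == 'rpm_script_t'


def summarize(lines):
    """Reduce raw AVC lines to the fields a triager compares against the policy."""
    rows = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        rows.append({'comm': avc.fields['comm'], 'perms': avc.perms,
                     'source_type': avc.ctx_type('scontext'), 'target_type': avc.ctx_type('tcontext'),
                     'tclass': avc.fields['tclass'], 'rpm_script_client': is_rpm_script_client(avc)})
    return rows
```

Feed the output of `ausearch -m AVC -ts recent` to summarize() to get the same reduction over live audit logs.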