[DSE-Dev] Bug#962223: selinux-policy-default: SELinux is preventing chronyd from access on the chronyc's unix_dgram_socket

Maksim K. debian_bug at k-max.name
Thu Jun 4 18:49:22 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important

Description of problem:
SELinux is denying chronyd sendto access to chronyc's unix_dgram_socket.
The chronyc CLI runs noticeably slower when SELinux is in Enforcing mode.
When the chronyc CLI starts, it creates its socket at /var/run/chrony/chronyc.(chronyc_pid).sock.

-- The socket is here:
root at vps:~# ls -la /var/run/chrony
total 0
drwxr-x---.  2 _chrony _chrony  80 Jun  4 18:17 .
drwxr-xr-x. 26 root    root    800 Jun  4 00:18 ..
srw-rw-rw-.  1 root    root      0 Jun  4 18:17 chronyc.8825.sock
srwxr-xr-x.  1 _chrony _chrony   0 Jun  3 23:20 chronyd.sock
root at vps:~# ps aux | grep 8825
root      8825  0.0  0.1  29972  1704 pts/1    S+   18:17   0:00 chronyc
root      8838  0.0  0.0  12780   944 pts/0    S+   18:18   0:00 grep --color=auto 8825
root at vps:~#

-- Time of chronyc execution is slower by ~36 times in Enforcing mode
root at vps:~# setenforce 0
root at vps:~# time (chronyc sources &> /dev/null )

real    0m0.012s
user    0m0.004s
sys     0m0.000s
root at vps:~# setenforce 1
root at vps:~# time (chronyc sources &> /dev/null )

real    0m7.022s
user    0m0.000s
sys     0m0.008s
root at vps:~#

-- There are AVC denial messages in audit.log:
type=AVC msg=audit(1591284101.289:7635): avc:  denied  { sendto } for  pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591284102.293:7636): avc:  denied  { sendto } for  pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591284104.293:7637): avc:  denied  { sendto } for  pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591286013.714:7751): avc:  denied  { write } for  pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1591286014.718:7752): avc:  denied  { write } for  pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1591286016.718:7753): avc:  denied  { write } for  pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


-- Workaround: add a new fcontext and load a local policy module
root at vps:/tmp# semanage fcontext -a -t chronyd_exec_t -f f "/usr/bin/chronyc"
root at vps:/tmp# cat chronyd2.te

# Local policy module "chronyd2": lets chronyd (domain chronyd_t) answer the
# per-client datagram socket that chronyc creates under /var/run/chrony,
# i.e. the two kinds of AVC denials quoted above ("sendto" on the
# unix_dgram_socket and "write" on the sock_file).
module chronyd2 1.0;

# Every type and class referenced by the allow rules below; all of them
# appear in the quoted denials (scontext chronyd_t, tcontexts unconfined_t
# and var_run_t).
require {
        type chronyd_t;
        type var_run_t;
        type unconfined_t;
        class unix_dgram_socket sendto;
        class sock_file write;
}

#============= chronyd_t ==============
# Covers the "sendto" denial: chronyd replying to the datagram socket owned
# by the chronyc process, which runs as root in unconfined_t here.
# NOTE(review): the target is the whole unconfined_t type, so this permits
# sendto to any unix datagram socket of any unconfined process, not only
# chronyc's — broader than the denial strictly requires; confirm that is
# acceptable before deploying.
allow chronyd_t unconfined_t:unix_dgram_socket sendto;
# Covers the "write" denial on chronyc.<pid>.sock, which was labelled
# var_run_t on this system (see the sock_file denials above).
# NOTE(review): var_run_t is presumably the generic label for /run content,
# so this grants chronyd write access to every sock_file carrying that label;
# a label specific to /var/run/chrony would be narrower — TODO confirm what
# the installed policy provides for that directory.
allow chronyd_t var_run_t:sock_file write;




-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information


