Your message dated Sun, 18 Sep 2022 08:38:14 +0000
with message-id <[email protected]>
and subject line Bug#962223: fixed in refpolicy 2:2.20220520-4
has caused the Debian Bug report #962223,
regarding selinux-policy-default: SELinux is preventing chronyd from access on the chronyc's unix_dgram_socket
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
962223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962223
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important

Description of problem:

SELinux is preventing chronyd from sendto access on the chronyc's unix_dgram_socket. The chronyc CLI works slower in Enforcing SELinux mode. When you start the chronyc CLI it creates the socket at /var/run/chrony/chronyc.(chronyc_pid).sock.

-- Socket is here

root@vps:~# ls -la /var/run/chrony
total 0
drwxr-x---.  2 _chrony _chrony  80 Jun  4 18:17 .
drwxr-xr-x. 26 root    root    800 Jun  4 00:18 ..
srw-rw-rw-.  1 root    root      0 Jun  4 18:17 chronyc.8825.sock
srwxr-xr-x.  1 _chrony _chrony   0 Jun  3 23:20 chronyd.sock
root@vps:~# ps aux | grep 8825
root      8825  0.0  0.1  29972  1704 pts/1    S+   18:17   0:00 chronyc
root      8838  0.0  0.0  12780   944 pts/0    S+   18:18   0:00 grep --color=auto 8825
root@vps:~#

-- Time of chronyc execution is slower by ~36 times in Enforcing mode

root@vps:~# setenforce 0
root@vps:~# time (chronyc sources &> /dev/null )

real    0m0.012s
user    0m0.004s
sys     0m0.000s
root@vps:~# setenforce 1
root@vps:~# time (chronyc sources &> /dev/null )

real    0m7.022s
user    0m0.000s
sys     0m0.008s
root@vps:~#

-- There are AVC deny messages in the audit.log

type=AVC msg=audit(1591284101.289:7635): avc: denied { sendto } for pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591284102.293:7636): avc: denied { sendto } for pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591284104.293:7637): avc: denied { sendto } for pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591286013.714:7751): avc: denied { write } for pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1591286014.718:7752): avc: denied { write } for pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1591286016.718:7753): avc: denied { write } for pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

-- Workaround is to add a new fcontext and module

root@vps:/tmp# semanage fcontext -a -t chronyd_exec_t -f f "/usr/bin/chronyc"
root@vps:/tmp# cat chronyd2.te

module chronyd2 1.0;

require {
	type chronyd_t;
	type var_run_t;
	type unconfined_t;
	class unix_dgram_socket sendto;
	class sock_file write;
}

#============= chronyd_t ==============
allow chronyd_t unconfined_t:unix_dgram_socket sendto;
allow chronyd_t var_run_t:sock_file write;

-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
--- End Message ---
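As an added example (not code from the bug report or from the refpolicy package), the following Python does for the AVC records quoted in the report what audit2allow does by hand: it extracts the source type, target type, object class and denied permissions, renders them as a .te module in the same shape as the reporter's chronyd2.te, and flags any rule whose target is a generic label such as var_run_t, since "allow chronyd_t var_run_t:sock_file write" reaches every sock_file carrying that label rather than only chronyc's socket. The two sample records are copied from the report; the module name and the GENERIC_TYPES set are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: two of the AVC records quoted in the bug report above.
AVC_LOG = """\
type=AVC msg=audit(1591284101.289:7635): avc: denied { sendto } for pid=1836 comm="chronyd" path="/run/chrony/chronyc.8865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1591286013.714:7751): avc: denied { write } for pid=1836 comm="chronyd" name="chronyc.9034.sock" dev="tmpfs" ino=372397 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic labels (my list, not from the page): a rule targeting one of these
# reaches every object carrying that label, not just the object that was denied.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "etc_t", "unlabeled_t"}

def type_of(context):
    # Security context is user:role:type[:range]; the type is field 3.
    return context.split(":")[2]

def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_te_module(rules, name="chronyd_local"):
    """Render the rules as a .te module: require block plus allow lines."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

def broad_rules(rules):
    """Rules whose target type is generic; a proper file context is the better fix."""
    return sorted(k for k in rules if k[1] in GENERIC_TYPES)
```

The refpolicy changelog entry that closed this bug lists sendto to unconfined_t and dac_read_search, not a blanket var_run_t:sock_file write, which is the distinction broad_rules is meant to surface before a locally generated module is loaded.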
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20220520-4
Done: Russell Coker <[email protected]>

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sun, 18 Sep 2022 12:48:43 +1000
Source: refpolicy
Architecture: source
Version: 2:2.20220520-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Closes: 900188 962223
Changes:
 refpolicy (2:2.20220520-4) unstable; urgency=medium
 .
   * Add label for /etc/dkimkeys Closes: #900188
   * Allow chronyd_t to send unix datagrams to unconfined_t and gave it
     dac_read_search Closes: #962223
   * Allow firewalld_t to do netlink_netfilter_socket access, watch
     firewalld_etc_rw_t dirs, and read generic certs
   * Allow init_t to watch for reads on console_device_t for autorelabel
     processing.
--- End Message ---

