Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-82299

[rhel-10] SELinux prevents chronyc from talking to chronyd-restricted via socket

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • selinux-policy-40.13.28-1.el10
    • No
    • Moderate
    • 1
    • rhel-security-selinux
    • ssg_security
    • 8
    • 2
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • SELINUX 250423: 5
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • x86_64
    • None

      What were you trying to do that didn't work?

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      chrony-4.6.1-1.el10.x86_64
      selinux-policy-40.13.26-1.el10.noarch
      selinux-policy-devel-40.13.26-1.el10.noarch
      selinux-policy-targeted-40.13.26-1.el10.noarch

      How reproducible is this bug?

      always

      Steps to reproduce

      1. get a RHEL-10.0 machine (targeted policy is active)
      2. service chronyd stop
      3. service chronyd-restricted start
      4. chronyc reload sources
      5. ausearch -m avc -i -ts recent

      Expected results

      • no error messages
      • no SELinux denials

      Actual results (enforcing mode):

      506 Cannot talk to daemon

      ----
type=PROCTITLE msg=audit(03/05/2025 13:10:07.576:492) : proctitle=chronyc reload sources 
type=PATH msg=audit(03/05/2025 13:10:07.576:492) : item=0 name=/run/chrony/chronyd.sock inode=1985 dev=00:1a mode=socket,700 ouid=chrony ogid=chrony rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/05/2025 13:10:07.576:492) : cwd=/root 
type=SOCKADDR msg=audit(03/05/2025 13:10:07.576:492) : saddr={ saddr_fam=local path=/run/chrony/chronyd.sock } 
type=SYSCALL msg=audit(03/05/2025 13:10:07.576:492) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7fff594077b0 a2=0x6e a3=0x0 items=1 ppid=5018 pid=43070 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=chronyc exe=/usr/bin/chronyc subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/05/2025 13:10:07.576:492) : avc:  denied  { sendto } for  pid=43070 comm=chronyc path=/run/chrony/chronyd.sock scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chronyd_restricted_t:s0 tclass=unix_dgram_socket permissive=0 
----

        1. test-output.txt
          110 kB

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: