LinuxQuestions.org
Old 12-21-2010, 06:12 AM   #1
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

[FEDORA/SELinux] chronyd chronyd.pid


Hi,

on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have a little trouble with chrony. I love that tool for synchronizing my clock.
SELinux complains that /usr/sbin/chronyd likes to read/write to chronyd.pid.
Further, I find entries in /var/log/messages that /var/lib/chrony/drift could not be opened.
As I'm completely new to SELinux, I'd like to get some help setting the security rules.
Thanks in advance

Basti

PS: Should the rules be quite fine from the FC-Repo?
 
Old 12-22-2010, 12:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Quote:
Originally Posted by Barry1
Should the rules be quite fine from the FC-Repo?
If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.


Quote:
Originally Posted by Barry1
SELinux complains, that /usr/sbin/chronyd like to read/write to chronyd.pid.
Further I find entries in /var/log/messages, that /var/lib/chrony/drift could not be opened.
If the /var/log/messages entries for both the drift file and chronyd.pid end in "For complete SELinux messages. run sealert -l [VALUE]" then run that as root like: '(sealert -l [VALUE];sealert -l [VALUE])|audit2allow' and post the complete output here so we can review it with you. Else, if you're certain nothing untoward can happen, run 'mkdir /tmp/semodule_chrony; cd /tmp/semodule_chrony; (sealert -l [VALUE];sealert -l [VALUE])|audit2allow -M localchrony'. This should return a line telling you to 'semodule -i localchrony.pp', which would load the local rules for both drift file and chronyd.pid access.
 
Old 12-23-2010, 04:50 AM   #3
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

Original Poster
Rep: Reputation: 1
Hi,
thank you for your answer.
Quote:
Originally Posted by unSpawn
If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.
I installed the official Fedora repo version with yum, and it seems the rulesets are not there.
I forgot another detail: chronyd is running fine now (found with ps aux|grep chrony), but there are no files in /var/log/chrony. Sag again.
I just looked for further entries in /var/log/messages - I'll post them here:

Code:
[root@Fedo chrony]# grep -i chronyd /var/log/messages |grep setroubleshoot
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 4603fb1c-dd7a-4827-8c80-880ad2d58085
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 2d8b459d-32c2-4d59-8d5b-fd55e7f4b1f1
Dec 21 09:49:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:49:58 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:58 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:50:15 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:50:15 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
I'm wondering why there are no entries from yesterday or today?

Running sealert returns "Queary_alerts error (1003): id not found...

Any further ideas?

Merry Christmas

Greets

Bastian
 
Old 12-23-2010, 10:45 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

What does this return: 'grep chronyd /var/log/audit/audit*|audit2allow' ?
 
Old 01-03-2011, 01:10 AM   #5
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

Original Poster
Rep: Reputation: 1

Hi unSpawn,

happy new year!
Sorry for the late answer; I was not able to connect to the machine remotely.

Here is the output:

Quote:
Originally Posted by unSpawn
What does this return: 'grep chronyd /var/log/audit/audit*|audit2allow' ?
Code:
grep chronyd /var/log/audit/audit*|audit2allow


#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'

allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };
I hope that might help.

Greets

Bastian
 
Old 01-04-2011, 06:52 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Quote:
Originally Posted by Barry1
happy new year!
You too.


Quote:
Originally Posted by Barry1
Code:
#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'

allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };
Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal, with 'setsebool -P allow_daemons_use_tty=1'. However, that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module by running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.

Do submit these local rules to the Fedora bug tracker or the Chrony developers please.
 
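As an added illustration (not code from the thread, from chrony or from the audit2allow tool), the following Python script performs the core of what unSpawn's 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' pipeline does: it parses raw AVC denial records, merges the denied permissions per (source type, target type, object class) tuple and renders a .te module in the shape audit2allow writes. The audit records are constructed to match the denials posted above, and the boolean hint table knows only the one boolean audit2allow mentioned in this thread; both are assumptions, not captures from the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample of raw /var/log/audit/audit.log records that would yield
# the audit2allow output posted in this thread; not a capture from a real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292921131.101:201): avc:  denied  { read } for  pid=2421 comm="chronyd" name="chronyd.pid" dev=tmpfs ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1292921131.102:202): avc:  denied  { write } for  pid=2421 comm="chronyd" name="chronyd.pid" dev=tmpfs ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1292921131.103:203): avc:  denied  { read write } for  pid=2421 comm="chronyd" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1292921131.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="chronyd" exe="/usr/sbin/chronyd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\w+)"
)

# The only boolean hint seen in this thread (audit2allow printed it for the devpts rule).
BOOLEAN_HINTS = {("user_devpts_t", "chr_file"): "allow_daemons_use_tty"}


def parse_denials(audit_text):
    """Collapse AVC denial records into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC tuple
        stype = m.group("scontext").split(":")[2]  # user:role:type[:level]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_te(rules, module="localchronydrules"):
    """Render the merged rules as a .te module in the shape 'audit2allow -M' writes."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        hint = BOOLEAN_HINTS.get((t, cls))
        if hint:
            out.append(f"#!!!! This avc can be allowed using the boolean '{hint}'")
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

A rule against a generic type such as var_run_t grants chronyd_t access to every file carrying that label under /var/run, so before loading such a module it is worth checking with 'ls -Z' whether the pid file is merely mislabelled and a 'restorecon' would be the narrower fix.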
Old 01-05-2011, 01:02 AM   #7
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

Original Poster
Rep: Reputation: 1

Quote:
Originally Posted by unSpawn
Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal with 'setsebool -P allow_daemons_use_tty=1'. However that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.

Do submit these local rules to the Fedora bug tracker or the Chrony developers please.
Hi unSpawn,

thank you for your explanations and help.
It now seems to be fine - but still no files in /var/log/chrony got created.
As mentioned above, I created a bug: https://bugzilla.redhat.com/show_bug.cgi?id=667301

Thanks again

Bastian
 
Old 01-05-2011, 05:11 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Quote:
Originally Posted by Barry1
That's IMHO by far the easiest way to help make Fedora better. Thanks!


Quote:
Originally Posted by Barry1
still no files in /var/log/chrony got created.
Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?
 
Old 01-06-2011, 03:33 AM   #9
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

Original Poster
Rep: Reputation: 1

Quote:
Originally Posted by unSpawn
Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?
The only change to the chrony.conf has been the new line for our corporate time server. Nothing special, so I do not post this here.
The command line pgrep -lf chrony results in
Code:
2421 /usr/sbin/chronyd -u chrony
- thus it is running fine!

The only matching file to /etc/*syslog* is rsyslog.conf - which I did not change...

Thanks for your help.

Greets

Bastian
 
Old 01-06-2011, 05:15 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Quote:
Originally Posted by Barry1
Nothing special - so I don not post this here.
I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?
 
Old 01-06-2011, 06:38 AM   #11
Barry1
LQ Newbie
 
Registered: Dec 2010
Location: Germany
Distribution: Debian GNU/Linux, Fedora Project and OpenSUSE LINUX
Posts: 22

Original Poster
Rep: Reputation: 1
Solved

Quote:
Originally Posted by unSpawn
I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?
Hi,

okay, I fixed one error:
In the config file /etc/chrony.conf the log dir is set, and in the following line the items which should be logged have been commented out... Sorry, I should have seen that before.

Thanks again for all your help!
 
Old 01-06-2011, 09:28 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

NP, you're welcome.
 