LinuxQuestions.org

Linux - Security forum thread: [FEDORA/SELinux] chronyd chronyd.pid (https://www.linuxquestions.org/questions/linux-security-4/%5Bfedora-selinux%5D-chronyd-chronyd-pid-851573/)

Barry1 12-21-2010 06:12 AM

[FEDORA/SELinux] chronyd chronyd.pid
 
Hi,

on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have a little trouble with chrony. I love that tool for synchronizing my clock.
SELinux complains that /usr/sbin/chronyd would like to read/write chronyd.pid.
Further, I find entries in /var/log/messages that /var/lib/chrony/drift could not be opened.
As I'm completely new to SELinux - I'd like to get some help setting the Security Rules.
Thanks in advance

Basti

PS: Should the rules be quite fine from the FC-Repo?

unSpawn 12-22-2010 12:25 PM

Quote:

Originally Posted by Barry1 (Post 4198791)
Should the rules be quite fine from the FC-Repo?

If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.


Quote:

Originally Posted by Barry1 (Post 4198791)
SELinux complains, that /usr/sbin/chronyd like to read/write to chronyd.pid.
Further I find entries in /var/log/messages, that /var/lib/chrony/drift could not be opened.

If the /var/log/messages entries for both the drift file and chronyd.pid end in "For complete SELinux messages. run sealert -l [VALUE]" then run that as root like: '(sealert -l [VALUE];sealert -l [VALUE])|audit2allow' and post the complete output here so we can review it with you. Else, if you're certain nothing untoward can happen, run 'mkdir /tmp/semodule_chrony; cd /tmp/semodule_chrony; (sealert -l [VALUE];sealert -l [VALUE])|audit2allow -M localchrony'. This should return a line telling you to 'semodule -i localchrony.pp', which would load the local rules for both drift file and chronyd.pid access.

Barry1 12-23-2010 04:50 AM

Hi,
thank you for your answer.
Quote:

Originally Posted by unSpawn (Post 4200318)
If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.

I installed the official Fedora repo version with yum, and it seems the rulesets are not there.
I forgot another detail: chronyd is running fine now (found with ps aux|grep chrony), but there are no files in /var/log/chrony. Say again.
I just looked for further entries in /var/log/messages; I'll post them here:

Code:

[root@Fedo chrony]# grep -i chronyd /var/log/messages |grep setroubleshoot
Dec 21 09:45:31 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "read" access on chronyd.pid. For complete SELinux messages. run sealert -l 4603fb1c-dd7a-4827-8c80-880ad2d58085
Dec 21 09:45:31 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "write" access on chronyd.pid. For complete SELinux messages. run sealert -l 2d8b459d-32c2-4d59-8d5b-fd55e7f4b1f1
Dec 21 09:49:31 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "read" access on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:31 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "write" access on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:49:58 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "read" access on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:58 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "write" access on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:50:15 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "read" access on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:50:15 Fedo setroubleshoot: SELinux is preventing /usr/sbin/chronyd "write" access on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06

I'm wondering why there are no entries from yesterday or today?

Running sealert returns "query_alerts error (1003): id not found..."

Any further ideas?

Merry Christmas

Greets

Bastian

unSpawn 12-23-2010 10:45 AM

What does this return: 'grep chronyd /var/log/audit/audit*|audit2allow' ?

Barry1 01-03-2011 01:10 AM

Hi unSpawn,

happy new year!
Sorry for the late answer - I was not able to connect to the machine remote.

Here is the output:

Quote:

Originally Posted by unSpawn (Post 4201243)
What does this return: 'grep chronyd /var/log/audit/audit*|audit2allow' ?

Code:

grep chronyd /var/log/audit/audit*|audit2allow


#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'

allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };

I hope that might help.

Greets

Bastian

unSpawn 01-04-2011 06:52 AM

Quote:

Originally Posted by Barry1 (Post 4211095)
happy new year!

You too.


Quote:

Originally Posted by Barry1 (Post 4211095)
Code:

#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'

allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };


Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal with 'setsebool -P allow_daemons_use_tty=1'. However that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.

Do submit these local rules to the Fedora bug tracker or the Chrony developers please.
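The pipeline unSpawn describes in his two replies above (pull the chronyd denials out of the audit log, pipe them through audit2allow -M, load the resulting .pp with semodule) is hard to reason about if you have never seen what audit2allow does with a raw AVC record. The script below is an added example, not code from this thread, from chrony or from the SELinux userspace: it performs the same transformation with plain awk over constructed audit.log records modelled on the denials posted (timestamps, pids and inode numbers are invented), emits the allow rules exactly as they appear in the audit2allow output quoted above, wraps them in a loadable .te module, and flags rules whose target is a generic base type. That last check is the one a practitioner wants before loading anything: chronyd_t being denied on a var_run_t file usually means the pid file carries the wrong label rather than that the policy lacks a rule, and `allow chronyd_t var_run_t:file { read write }` grants chronyd access to every such file under /var/run. Compare `ls -Z /var/run/chronyd.pid` with `matchpathcon /var/run/chronyd.pid` and run `restorecon -v` on it first. Likewise the chr_file rule typically exists only because the daemon inherited a user's terminal when started by hand, which is why a boolean covers it; it does not belong in a module you keep.

```sh
#!/bin/sh
# Added example, not from the thread: a plain-awk stand-in for
#   grep chronyd /var/log/audit/audit* | audit2allow -M localchronydrules
# so the AVC-record-to-allow-rule step can be seen without the SELinux
# userspace tools installed.

# Constructed audit.log records modelled on the denials in the thread
# (timestamps, pids and inode numbers are invented). The ntpd line is
# there to show that the comm= filter leaves other daemons alone.
AUDIT_SAMPLE='type=AVC msg=audit(1292921131.118:42): avc:  denied  { read } for  pid=2421 comm="chronyd" name="chronyd.pid" dev=dm-0 ino=393231 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1292921131.118:43): avc:  denied  { write } for  pid=2421 comm="chronyd" name="chronyd.pid" dev=dm-0 ino=393231 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1292921131.120:44): avc:  denied  { read write } for  pid=2421 comm="chronyd" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1292921140.500:45): avc:  denied  { read } for  pid=1999 comm="ntpd" name="drift" dev=dm-0 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# Read AVC records on stdin, keep those for the given comm=, and print one
# merged "allow SOURCE TARGET:CLASS { perms };" line per (source, target,
# class) triple, sorted, which is what audit2allow prints for the same input.
avc_to_allow() {
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        match($0, /scontext=[^ ]+/); sc  = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); tc  = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        split(sc, s, ":"); split(tc, t, ":")        # user:role:type:level
        key = s[3] " " t[3] ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in have)) { have[key, p[i]] = 1; plist[key] = plist[key] " " p[i] }
    }
    END { for (k in plist) printf "allow %s {%s };\n", k, plist[k] }' | sort
}

# Print the target types that are generic base types rather than a type
# owned by the daemon. A denial against one of these usually means the file
# is mislabelled (check ls -Z against matchpathcon, then restorecon -v),
# and an allow rule on it is far broader than the one file in question.
generic_targets() {
    awk '/^allow / {
        split($3, tc, ":")
        if (tc[1] ~ /^(var_run_t|var_lib_t|var_log_t|var_t|tmp_t|etc_t|usr_t)$/) print tc[1]
    }' | sort -u
}

# Wrap allow rules (stdin) in the require{} block a loadable module needs.
allow_to_te() {
    awk -v name="$1" '
    /^allow / {
        rule[NR] = $0
        types[$2] = 1                                # source type
        split($3, tc, ":"); types[tc[1]] = 1         # target type, class
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((tc[2], p[i]) in have)) { have[tc[2], p[i]] = 1; cperm[tc[2]] = cperm[tc[2]] " " p[i] }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "    type %s;\n", t
        for (c in cperm) printf "    class %s {%s };\n", c, cperm[c]
        printf "}\n\n"
        for (i = 1; i <= NR; i++) if (i in rule) print rule[i]
    }'
}

RULES=$(printf '%s\n' "$AUDIT_SAMPLE" | avc_to_allow chronyd)
printf '%s\n' "$RULES"
printf '%s\n' "$RULES" | generic_targets | sed 's/^/generic target type, check labels first: /'
printf '%s\n' "$RULES" | allow_to_te localchronydrules

# To build and load the module on the target host (the same steps
# audit2allow -M performs), then confirm it is installed:
#   checkmodule -M -m -o localchronydrules.mod localchronydrules.te
#   semodule_package -o localchronydrules.pp -m localchronydrules.mod
#   semodule -i localchronydrules.pp
#   semodule -l | grep localchronydrules
```

Run it as-is to see the two allow lines from the thread reproduced, the var_run_t warning, and the complete module text; on a real host replace AUDIT_SAMPLE with `grep chronyd /var/log/audit/audit*` and drop the chr_file rule before building the module.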

Barry1 01-05-2011 01:02 AM

Quote:

Originally Posted by unSpawn (Post 4212538)
Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal with 'setsebool -P allow_daemons_use_tty=1'. However that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.

Do submit these local rules to the Fedora bug tracker or the Chrony developers please.

Hi unSpawn,

thank you for your explanations and help.
It now seems to be fine - but still no files in /var/log/chrony got created.
As mentioned above, I created a bug: https://bugzilla.redhat.com/show_bug.cgi?id=667301

Thanks again

Bastian

unSpawn 01-05-2011 05:11 AM

Quote:

Originally Posted by Barry1 (Post 4213587)

That's IMHO by far the easiest way to help make Fedora better. Thanks!


Quote:

Originally Posted by Barry1 (Post 4213587)
still no files in /var/log/chrony got created.

Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?

Barry1 01-06-2011 03:33 AM

Quote:

Originally Posted by unSpawn (Post 4213772)
Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?

The only change to the chrony.conf has been the new line for our corporate time server. Nothing special, so I do not post it here.
The command line pgrep -lf chrony results in
Code:

2421 /usr/sbin/chronyd -u chrony
- thus it is running fine!

The only matching file to /etc/*syslog* is rsyslog.conf - which I did not change...

Thanks for your help.

Greets

Bastian

unSpawn 01-06-2011 05:15 AM

Quote:

Originally Posted by Barry1 (Post 4214958)
Nothing special, so I do not post it here.

I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?

Barry1 01-06-2011 06:38 AM

Solved
 
Quote:

Originally Posted by unSpawn (Post 4215041)
I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?

Hi,

okay - I fixed one error:
In the config file /etc/chrony.conf the log dir is set, and in the following line the items that should be logged have been commented out... Sorry, I should have seen that before.

Thanks again for all your help!
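The cause Bastian found (logdir set, the log line commented out) is how the packaged /etc/chrony.conf ships: `logdir /var/log/chrony` is active and `#log measurements statistics tracking` is not, so chronyd runs perfectly and writes nothing, which is what unSpawn's stat and lsof questions were circling. The script below is an added example, not from the thread or from the chrony project: it checks a chrony.conf the way a practitioner would before restarting the daemon, treating a commented directive as absent. Both configuration texts are constructed for the example and the time server name is invented.

```sh
#!/bin/sh
# Added example, not from the thread: detect a chrony.conf that names a
# logdir but has no active 'log' directive, the state that left
# /var/log/chrony empty in this thread.

# Constructed configuration modelled on the shipped default (not the
# poster's file): logdir is set, the log line is commented out.
CONF_BEFORE='server ntp.example.corp
driftfile /var/lib/chrony/drift
keyfile /etc/chrony.keys
logdir /var/log/chrony
#log measurements statistics tracking'

# The same file with the log directive enabled.
CONF_AFTER='server ntp.example.corp
driftfile /var/lib/chrony/drift
keyfile /etc/chrony.keys
logdir /var/log/chrony
log measurements statistics tracking'

# Print the arguments of the first occurrence of directive $1 in config
# text $2. A leading '#' makes the first field "#log", so a commented
# directive is correctly reported as absent.
chrony_directive() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 when logging is really configured, 1 otherwise, and say why.
chrony_log_check() {
    logdir=$(chrony_directive logdir "$1")
    items=$(chrony_directive log "$1")
    if [ -z "$logdir" ]; then
        echo "no logdir directive: chronyd has nowhere to write logs"
        return 1
    fi
    if [ -z "$items" ]; then
        echo "logdir is $logdir but there is no active 'log' directive (a leading # disables it)"
        return 1
    fi
    echo "logging to $logdir: $items"
    return 0
}

chrony_log_check "$CONF_BEFORE" || :   # reports the commented-out directive
chrony_log_check "$CONF_AFTER"         # logging to /var/log/chrony: measurements statistics tracking

# On the real host, after fixing the file and restarting chronyd, confirm
# the files appear. chronyd runs as '-u chrony' here, so the directory
# must be writable by that user:
#   stat /var/log/chrony
#   lsof -p "$(pgrep chronyd)" | grep /var/log/chrony
```

Point chrony_log_check at the text of a real file with `chrony_log_check "$(cat /etc/chrony.conf)"`; a non-zero exit with the second message is exactly the situation resolved in this thread.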

unSpawn 01-06-2011 09:28 AM

NP, you're welcome.

