[FEDORA/SELinux] chronyd chronyd.pid
Hi,
on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have a little trouble with chrony. I love that tool for synchronizing my clock.
SELinux complains that /usr/sbin/chronyd likes to read/write chronyd.pid.
Further, I find entries in /var/log/messages that /var/lib/chrony/drift could not be opened.
As I'm completely new to SELinux, I'd like to get some help setting the security rules.
Thanks in advance
Basti
PS: Should the rules be quite fine from the FC-Repo?
If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.
Quote:
Originally Posted by Barry1
SELinux complains that /usr/sbin/chronyd likes to read/write chronyd.pid.
Further, I find entries in /var/log/messages that /var/lib/chrony/drift could not be opened.
If the /var/log/messages entries for both the drift file and chronyd.pid end in "For complete SELinux messages. run sealert -l [VALUE]" then run that as root like: '(sealert -l [VALUE];sealert -l [VALUE])|audit2allow' and post the complete output here so we can review it with you. Else, if you're certain nothing untoward can happen run 'mkdir /tmp/semodule_chrony; cd /tmp/semodule_chrony; (sealert -l [VALUE];sealert -l [VALUE])|audit2allow -M localchrony'. This should return a line telling you to 'semodule -i localchrony.pp' which would load the local rules for both drift file and chronyd.pid access.
Original Poster
Hi,
thank you for your answer.
Quote:
Originally Posted by unSpawn
If Chrony *is* in the official Fedora repo then it should already have sufficient rules. If it doesn't creating them shouldn't be hard.
I installed the official Fedora repo version with yum - and it seems the rulesets are not there.
I forgot another detail: chronyd is running fine now (found with ps aux|grep chrony) - but there are no files in /var/log/chrony. Sag again.
I just looked for further entries in /var/log/messages - I'll post them here:
Code:
[root@Fedo chrony]# grep -i chronyd /var/log/messages |grep setroubleshoot
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 4603fb1c-dd7a-4827-8c80-880ad2d58085
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 2d8b459d-32c2-4d59-8d5b-fd55e7f4b1f1
Dec 21 09:49:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:49:58 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:49:58 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
Dec 21 09:50:15 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 63e121b1-76de-41b3-be74-881e1710e110
Dec 21 09:50:15 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 968741ce-5e0b-406c-af76-6e529af66f06
I'm wondering why there are no entries from yesterday or today?
Running sealert returns "Queary_alerts error (1003): id not found..."
Code:
#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };
Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal with 'setsebool -P allow_daemons_use_tty=1'. However that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.
Do submit these local rules to the Fedora bug tracker or the Chrony developers please.
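Added example (my own code, not from the thread or from the chrony/Fedora projects): a small Python helper that pulls the unique sealert ids out of setroubleshoot lines in the format posted above, builds the sealert/audit2allow pipeline unSpawn describes, and flags the generated allow rules that deserve a second look (the boolean hint and generic target types) before they are loaded with semodule. The sample log lines and .te text are constructed; the type names are those shown in the thread.

```python
import re
# Constructed sample in the setroubleshoot format shown above; the English "is preventing ... access on" wording is matched too.
SAMPLE_LOG = """\
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 4603fb1c-dd7a-4827-8c80-880ad2d58085
Dec 21 09:45:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "write" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 2d8b459d-32c2-4d59-8d5b-fd55e7f4b1f1
Dec 21 09:49:31 Fedo setroubleshoot: SELinux verhindert /usr/sbin/chronyd "read" Zugriff on chronyd.pid. For complete SELinux messages. run sealert -l 4603fb1c-dd7a-4827-8c80-880ad2d58085
"""
# Constructed .te snippet shaped like the audit2allow output posted above.
SAMPLE_TE = """\
#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow chronyd_t user_devpts_t:chr_file { read write };
allow chronyd_t var_run_t:file { read write };
"""
ALERT_RE = re.compile(r'SELinux (?:is preventing|verhindert) (\S+) "(\w+)" (?:access|Zugriff) on (\S+)\. .*sealert -l ([0-9a-f-]{36})')
BOOL_RE = re.compile(r"#!!!! This avc can be allowed using the boolean '(\w+)'")
ALLOW_RE = re.compile(r'^allow (\w+) (\w+):(\w+) \{ ([\w ]+) \};')
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t", "usr_t"}  # generic refpolicy types: a rule on one reaches every object so labelled

def sealert_ids(log_text):
    """Map each unique sealert id (first-seen order) to (exe, permission, target)."""
    found = {}
    for line in log_text.splitlines():
        if (m := ALERT_RE.search(line)):
            found.setdefault(m.group(4), m.group(1, 2, 3))
    return found

def sealert_pipeline(ids, module="localchrony"):
    """Shell pipeline from the thread: one sealert -l per unique id, piped into audit2allow."""
    return "(" + ";".join(f"sealert -l {i}" for i in ids) + f")|audit2allow -M {module}"

def review_rules(te_text):
    """Parse .te output; return [(rule_line, [notes])] with what to check before semodule -i."""
    findings, pending_bool = [], None
    for line in te_text.splitlines():
        b, m = BOOL_RE.match(line), ALLOW_RE.match(line)
        if b:
            pending_bool = b.group(1)  # audit2allow puts this hint just before the rule
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        notes = []
        if pending_bool:
            notes.append(f"boolean {pending_bool} would open this for ALL domains, not only {src}; the local rule is narrower")
            pending_bool = None
        if tgt in GENERIC_TYPES:
            notes.append(f"{tgt} is generic: {src} gets {perms} on every {cls} labelled {tgt}; prefer a daemon-specific type if the policy defines one")
        findings.append((line, notes))
    return findings
```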
Original Poster
Quote:
Originally Posted by unSpawn
Apparently the 'allow chronyd_t user_devpts_t:chr_file { read write };' rule has a boolean companion in case you need to allow daemons to interact with the terminal with 'setsebool -P allow_daemons_use_tty=1'. However that will work for ALL daemons and I'm not sure you should seek to weaken your SELinux policy that way. The .te file you posted can be loaded as a module running it as: 'grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules' and following the output.
Do submit these local rules to the Fedora bug tracker or the Chrony developers please.
Hi unSpawn,
thank you for your explanations and help.
It now seems to be fine - but still no files in /var/log/chrony got created.
As mentioned above, I created a bug: https://bugzilla.redhat.com/show_bug.cgi?id=667301
That's IMHO by far the easiest way to help make Fedora better. Thanks!
Quote:
Originally Posted by Barry1
still no files in /var/log/chrony got created.
Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?
Original Poster
Quote:
Originally Posted by unSpawn
Bummer. Could you post your chrony configuration file, the command line (just 'pgrep -lf chrony' as root) and /etc/*syslog* if you made any changes there?
The only change to the chrony.conf has been the new line for our corporate time server. Nothing special - so I do not post this here.
The command line pgrep -lf chrony results in
Code:
2421 /usr/sbin/chronyd -u chrony
- thus it is running fine!
The only matching file to /etc/*syslog* is rsyslog.conf - which I did not change...
I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?
Original Poster
Solved
Quote:
Originally Posted by unSpawn
I don't run chronyd so I would have to install it in an instance of Fedora 14 to get a view of 'grep -v ^# conf|grep ^log' statements, thanks.
What does 'stat /var/log/chrony' say?
What happens if you touch the log file names in /var/log/chrony/ and restart the daemon?
Does '/usr/sbin/lsof -Pwlnp `pgrep chronyd`' show it has log files open?
Does syslog show any Chrony warnings or informational messages?
Hi,
okay - I fixed one error:
In the config file /etc/chrony.conf the log dir is set - and in the following line, the items which should be logged had been commented out... Sorry, I should have seen that before.