fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow linuxptp configure phc2sys and chronyd over a unix domain socket #2057

Closed zpytela closed 4 months ago

zpytela commented 4 months ago

For phc2sys and chronyd configuration, linuxptp since v4.2 uses a unix domain socket instead of a shared memory segment with a predictable address. This needs to be backed by appropriate SELinux policy changes.

The commit addresses the following AVC denial example:

type=PROCTITLE msg=audit(02/29/2024 13:33:47.174:396) : proctitle=/usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
type=PATH msg=audit(02/29/2024 13:33:47.174:396) : item=1 name=/var/run/timemaster/chrony.SOCK0 inode=125930 dev=00:18 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/29/2024 13:33:47.174:396) : item=0 name=/var/run/timemaster/ inode=71605 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(02/29/2024 13:33:47.174:396) : saddr={ saddr_fam=local path=/var/run/timemaster/chrony.SOCK0 }
type=SYSCALL msg=audit(02/29/2024 13:33:47.174:396) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x4 a1=0x7ffdb7fdb0f0 a2=0x6e a3=0x55630dab7640 items=2 ppid=96180 pid=96181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { create } for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { add_name } for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { write } for pid=96181 comm=chronyd name=timemaster dev="tmpfs" ino=71605 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1

Resolves: RHEL-26660

zpytela commented 4 months ago

@mlichvar I'd appreciate it if you could take a look and try the rpm-build:fedora-rawhide-x86_64 build to ensure the fix is complete. It, for instance, expects that /run/timemaster already exists.

mlichvar commented 4 months ago

I'm still getting some AVCs with that rawhide package. I'm testing on Fedora 38. It seems ptp4l and phc2sys are not allowed to write to the new socket. Also, timemaster is not allowed to write to /sys to configure virtual clocks. I think that is a separate issue; not sure if you want to address it here.

type=AVC msg=audit(1709827813.860:9651): avc:  denied  { read } for  pid=541188 comm="timemaster" name="ptp4" dev="sysfs" ino=31036 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1709827813.860:9652): avc:  denied  { write } for  pid=541188 comm="timemaster" name="n_vclocks" dev="sysfs" ino=31045 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709827813.860:9653): avc:  denied  { open } for  pid=541188 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/ptp/ptp4/n_vclocks" dev="sysfs" ino=31045 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709827813.860:9654): avc:  denied  { getattr } for  pid=541188 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/ptp/ptp4/n_vclocks" dev="sysfs" ino=31045 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709827813.894:9655): avc:  denied  { read } for  pid=541188 comm="timemaster" name="ptp4" dev="sysfs" ino=31032 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1709827813.895:9656): avc:  denied  { create } for  pid=541196 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1709827813.895:9657): avc:  denied  { bind } for  pid=541196 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1709827823.899:9658): avc:  denied  { sendto } for  pid=541201 comm="phc2sys" path="/run/timemaster/chrony.SOCK2" scontext=system_u:system_r:phc2sys_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1709828008.039:9661): avc:  denied  { sendto } for  pid=541271 comm="ptp4l" path="/run/timemaster/chrony.SOCK1" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
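
The denials quoted in the PR description (chronyd creating chrony.SOCK0 under timemaster_var_run_t) and in the comment above (ptp4l/phc2sys sendto on the chronyd socket, ptp4l netlink sockets, timemaster writing n_vclocks under sysfs) are the raw material a policy author turns into allow rules. The following is an added example, not code from selinux-policy, linuxptp or audit2allow: it parses AVC records in both the raw audit.log form and the `ausearch -i` form, aggregates them per (source type, target type, object class), and renders a minimal local policy module for review. The sample input is constructed from the records quoted in this thread; the module name `linuxptp_local` is an assumption.

```python
"""Aggregate SELinux AVC denials into the allow rules they imply.

Added example for this PR thread; not code from selinux-policy, linuxptp or
audit2allow.  Reads AVC records in either the raw audit.log form or the
`ausearch -i` form, groups them by (source type, target type, object class)
and renders a minimal local policy module (.te) for human review.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records as quoted in this thread (both formats).
SAMPLE_AVCS = """\
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { create } for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { add_name } for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { write } for pid=96181 comm=chronyd name=timemaster dev="tmpfs" ino=71605 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1709827813.860:9652): avc:  denied  { write } for  pid=541188 comm="timemaster" name="n_vclocks" dev="sysfs" ino=31045 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709827813.895:9656): avc:  denied  { create } for  pid=541196 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1709827813.895:9657): avc:  denied  { bind } for  pid=541196 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1709827823.899:9658): avc:  denied  { sendto } for  pid=541201 comm="phc2sys" path="/run/timemaster/chrony.SOCK2" scontext=system_u:system_r:phc2sys_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1709828008.039:9661): avc:  denied  { sendto } for  pid=541271 comm="ptp4l" path="/run/timemaster/chrony.SOCK1" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
"""

# The "avc: denied { perms } ... scontext= tcontext= tclass=" core is the
# same in both formats; only the msg=audit(...) prefix and quoting differ.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_avcs(text):
    """Group denials by (source type, target type, class) -> set of perms.

    Also counts records logged with permissive=0: in enforcing mode the
    first denied step aborts the caller, so later denials (e.g. add_name
    after create) stay hidden until the earlier rule has been added.
    """
    rules = defaultdict(set)
    enforced = 0
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = selinux_type(m["scontext"])
        ttype = selinux_type(m["tcontext"])
        if ttype == stype:
            ttype = "self"  # policy idiom for same-type targets
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced += 1
    return dict(rules), enforced


def fmt_perms(perms):
    """Single permission bare, several in braces, sorted for stable diffs."""
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"


def allow_rules(rules):
    """Render one `allow` rule per (source, target, class) tuple."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(rules.items())]


def local_module(rules, name="linuxptp_local", version="1.0"):
    """Render a loadable .te module (same shape as `audit2allow -M` output)."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.add(s)
        if t != "self":
            types.add(t)
        classes[c].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed, enforced = parse_avcs(SAMPLE_AVCS)
    print(local_module(parsed))
    print(f"# {enforced} record(s) were actually enforced; "
          "permissive=1 denials show the complete sequence.")
```

The rendered module can be built and loaded with the standard toolchain (`checkmodule -M -m -o linuxptp_local.mod linuxptp_local.te`, `semodule_package -o linuxptp_local.pp -m linuxptp_local.mod`, `semodule -i linuxptp_local.pp`), but read it first: the derived `allow timemaster_t sysfs_t:file write;` grants writes to everything labelled sysfs_t, which is exactly why writing to /sys is called troublesome in this thread, and the distribution policy in this PR expresses such access through refpolicy interfaces rather than raw allow rules. The `permissive=1` field in every sample record also matters for reproduction: it means the kernel logged but did not block the operation, so the full create/add_name/write sequence is visible in one run, whereas an enforcing system stops at the first denial and only reveals the next one after that rule is added.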
zpytela commented 4 months ago

All of them are new and did not appear previously, even in permissive mode; e.g. ptp4l and phc2sys were not involved in any way as active services.

I will try to address all of them; I just find writing to /sys troublesome and will postpone it if it does not trigger in the main use case.

mlichvar commented 4 months ago

ptp4l and phc2sys would be writing to the socket only if the synchronization is actually working. That's not easy to do on a single machine. A NIC with hardware timestamping is required for phc2sys to be involved.

mlichvar commented 4 months ago

The vclock thing requires multiple domains to be configured on a single interface. That's an even less common configuration, I think.

zpytela commented 4 months ago

The denials look addressed from my PoV and our test reports fewer errors; it is quite difficult to sort the denials out as some rules should actually be added to the linuxptp-selinux package. If there is no other comment, I'll merge this PR to proceed further.

If you have any other use case, please report it as a bug and attach AVC denials with full auditing enabled; we will resolve it for F40+ and RHEL 10.