how uncover what and why start chronyd? (chronyd SEalert)

Frantisek Hanzlik franta at hanzlici.cz
Fri Jan 25 15:19:17 UTC 2013


Daniel J Walsh wrote:
...
>>>> Jan 23 07:12:41 pc setroubleshoot: SELinux is preventing /usr/sbin/chronyd from module_request access on the system . For complete SELinux messages. run sealert -l b7fea8ae-73b7-4588-aac7-36d4d5b69281
> No idea why this is starting up, but could you attach the output of:
> 
>  sealert -l b7fea8ae-73b7-4588-aac7-36d4d5b69281

In the meantime this PC was rebooted, and maybe therefore this alert isn't
found anymore; it gives this output:
query_alerts error (1003): id (b7fea8ae-73b7-4588-aac7-36d4d5b69281) not found

But here is perhaps the same, newer alert:

sealert -l 268e2d9b-d891-47d5-8b44-07e0678871a8
SELinux is preventing /usr/sbin/chronyd from module_request access on the system .

*****  Plugin disable_ipv6 (91.4 confidence) suggests  ***********************

If you want to disable IPV6 on this machine
Then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'
Do add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf


*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chronyd should be allowed module_request access on the  system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chronyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ system ]
Source                        chronyd
Source Path                   /usr/sbin/chronyd
Port                          <Neznámé>
Host                          pc.my.home
Source RPM Packages           chrony-1.27-0.3.pre1.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pc.my.home
Platform                      Linux pc.my.home 3.6.11-5.fc17.i686.PAE #1
                              SMP Tue Jan 8 21:49:19 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-01-24 11:49:10 CET
Last Seen                     2013-01-24 11:49:39 CET
Local ID                      268e2d9b-d891-47d5-8b44-07e0678871a8

Raw Audit Messages
type=AVC msg=audit(1359024579.623:91): avc:  denied  { module_request } for  pid=753 comm="chronyd" kmod="net-pf-10" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1359024579.623:91): arch=i386 syscall=socketcall success=no exit=EAFNOSUPPORT a0=1 a1=bf9065a0 a2=b76bbff4 a3=bf906694 items=0 ppid=1 pid=753 auid=4294967295 uid=983 gid=979 euid=983 suid=983 fsuid=983 egid=979
sgid=979 fsgid=979 tty=(none) ses=4294967295 comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)

Hash: chronyd,chronyd_t,kernel_t,system,module_request

audit2allow

#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow chronyd_t kernel_t:system module_request;

audit2allow -R

#============= chronyd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow chronyd_t kernel_t:system module_request;

~~~~~~~~~

But the sealert recommendation isn't useful in this case, as I have IPv6 disabled
on the kernel command line (ipv6.disable=1) and the directory /proc/sys/net/ipv6/
does not exist. Is there any better solution? (I could maybe disable SELinux,
as this PC is on an internal LAN and SELinux is in permissive mode anyway. But
I'm still hoping that someday I will understand it ;)
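
Added example, not part of the original message: a small Python parser for the raw AVC record quoted in the alert above. It extracts the denied permission and the source and target types, and decodes the kmod alias (net-pf-<N> is the kernel's module alias for socket address family N; 10 is AF_INET6 on Linux). The function names and the partial family table are assumptions made for this illustration.

```python
import re

# The AVC record from the alert above, embedded so the example runs offline.
AVC_LINE = (
    'type=AVC msg=audit(1359024579.623:91): avc:  denied  { module_request } '
    'for  pid=753 comm="chronyd" kmod="net-pf-10" '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system'
)

# Partial table of Linux address-family numbers (linux/socket.h).
ADDRESS_FAMILIES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6",
                    16: "AF_NETLINK", 17: "AF_PACKET"}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KMOD_RE = re.compile(r'net-pf-(\d+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    record = {"result": match.group(1), "perms": match.group(2).split()}
    for key, value in FIELD_RE.findall(match.group(3)):
        record[key] = value.strip('"')
    return record

def context_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def describe_kmod(alias):
    """Name the socket family behind a net-pf-<N> module alias, if known."""
    match = KMOD_RE.match(alias)
    if match is None:
        return None
    number = int(match.group(1))
    return ADDRESS_FAMILIES.get(number, "family %d" % number)

def summarize(line):
    """Condense one AVC record to who asked for what, and for which module."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return {"domain": context_type(rec.get("scontext", "")),
            "target": context_type(rec.get("tcontext", "")),
            "class": rec.get("tclass"), "perms": rec["perms"],
            "kmod_family": describe_kmod(rec.get("kmod", ""))}

if __name__ == "__main__":
    print(summarize(AVC_LINE))
```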
