Description
Hi,
We're using refpolicy 2.20250213 and systemd 257.4 from Yocto walnascar. Our policy type is mcs. The issue is reproducible when using qemux86_64 as MACHINE.
chrony ships with a NetworkManager dispatcher script (deployed into /etc/NetworkManager/dispatcher.d/chrony.nm-dispatcher.dhcp) that by default writes files into /var/run/chrony-dhcp/<interface>.sources: https://gitlab.com/chrony/chrony/-/blob/master/examples/chrony.nm-dispatcher.dhcp#L13
The directory gets the label initrc_runtime_t (as opposed to e.g. chronyd_runtime_t):
```
drwxrwx---. 2 chronyd chronyd system_u:object_r:chronyd_runtime_t:s0 80 Feb 5 12:35 chrony
drwxr-xr-x. 2 root    root    system_u:object_r:initrc_runtime_t:s0  60 Feb 5 12:35 chrony-dhcp
```
With enforcement turned on, this makes it impossible for chronyd to read the file. We currently ship the following workaround in a chrony-nmdispatcher.te file:
```
policy_module(chrony-nmdispatcher,1.0.0)

require {
	type chronyd_runtime_t;
}

init_daemon_runtime_file(chronyd_runtime_t, dir, "chrony-dhcp")
```
With that, the directory gets labelled chronyd_runtime_t, and chronyd is able to pick up NTP servers by reading the file generated by the dispatcher script.
But presumably, there's room for a more sophisticated solution. The Fedora project, for example, has a complex setup of rules for NetworkManager dispatcher scripts that apply to chrony, e.g. in:
- https://github.com/fedora-selinux/selinux-policy/blob/7d9232c9c1f5b3385db0f82337f22b4221b017ab/policy/modules/contrib/chronyd.fc#L17
- https://github.com/fedora-selinux/selinux-policy/blob/7d9232c9c1f5b3385db0f82337f22b4221b017ab/policy/modules/contrib/networkmanager.te#L53
Maybe some of that might be applicable?
Thanks for looking into the issue and best regards
Andi
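As an added illustration (not part of the issue above, and not refpolicy's own tooling), the following script shows the diagnostic side of the report: it parses AVC denial records of the shape chronyd produces when the dispatcher's output directory carries a generic /run label, flags the ones whose target type is initrc_runtime_t or var_run_t, and emits a .te module in the same form as the workaround in the issue. The audit lines are constructed samples; the mapping from chronyd_t to chronyd_runtime_t assumes the usual refpolicy naming convention, and the module name is a placeholder taken from the issue.

```python
import re
from collections import OrderedDict

# Constructed sample audit records (not taken from the issue). They have the shape
# an AVC denial has when chronyd, confined as chronyd_t, tries to use the file the
# NetworkManager dispatcher script wrote under a directory labelled initrc_runtime_t.
# The third line is an unrelated denial that the filter below must leave alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1738758900.123:45): avc:  denied  { search } for  pid=412 comm="chronyd" name="chrony-dhcp" dev="tmpfs" ino=1230 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1738758900.124:46): avc:  denied  { read open } for  pid=412 comm="chronyd" name="eth0.sources" dev="tmpfs" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1738758901.000:47): avc:  denied  { write } for  pid=600 comm="nm-dispatcher" name="log" dev="tmpfs" ino=77 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
"""

# Standard audit AVC layout; records without a name= field are skipped on purpose.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic labels a file under /run ends up with when no specific transition applies.
GENERIC_RUNTIME_TYPES = {"initrc_runtime_t", "var_run_t"}


def parse_avc(text):
    """Return one dict per AVC denial line, with source and target types split out."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["stype"] = rec["sctx"].split(":")[2]   # e.g. chronyd_t
        rec["ttype"] = rec["tctx"].split(":")[2]   # e.g. initrc_runtime_t
        records.append(rec)
    return records


def mislabelled_runtime_denials(records):
    """Denials where a confined daemon was blocked by a generically labelled /run object."""
    return [r for r in records if r["ttype"] in GENERIC_RUNTIME_TYPES]


def daemon_runtime_type(domain):
    """Assumption: refpolicy's <daemon>_t -> <daemon>_runtime_t naming convention holds."""
    if not domain.endswith("_t"):
        raise ValueError(f"not a domain type: {domain}")
    return domain[:-2] + "_runtime_t"


def proposed_module(records, module_name="chrony-nmdispatcher"):
    """Emit a .te module shaped like the issue's workaround: one
    init_daemon_runtime_file() call per (daemon runtime type, directory name),
    derived from 'search' denials on a generically labelled directory.
    Returns None when there is nothing to transition."""
    transitions = OrderedDict()
    for r in mislabelled_runtime_denials(records):
        if r["tclass"] == "dir" and "search" in r["perms"]:
            transitions[(daemon_runtime_type(r["stype"]), r["name"])] = None
    if not transitions:
        return None
    types = sorted({t for t, _ in transitions})
    lines = [f"policy_module({module_name},1.0.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["}", ""]
    lines += [f'init_daemon_runtime_file({t}, dir, "{name}")' for t, name in transitions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for r in mislabelled_runtime_denials(recs):
        print(f'{r["comm"]} ({r["stype"]}) denied {r["perms"]} on '
              f'{r["tclass"]} "{r["name"]}" labelled {r["ttype"]}')
    print(proposed_module(recs) or "no generic-/run denials found")
```

The generated module only covers the directory transition; the file inside inherits the directory's type once the dispatcher creates it there, which is why the single `init_daemon_runtime_file()` line in the issue is enough for chronyd to read it.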