Re: [chrony-users] chronyd failing on bootstrap of CIS-hardened AMI, Elastic Beanstalk



Thanks, this was really helpful. From /var/log/audit/audit.log:

type=AVC msg=audit(1666221117.868:118): avc:  denied  { sendto } for  pid=1694 comm="chronyd" path="/run/chrony/chronyc.5240.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1666221117.868:118): arch=c000003e syscall=46 success=no exit=-13 a0=8 a1=7ffedddcf8f0 a2=0 a3=7f9380df1800 items=0 ppid=1 pid=1694 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)

And piped through audit2allow:

============= chronyd_t ==============

#!!!! The file '/run/chrony/chronyc.2442.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/chrony/chronyc.2442.sock
allow chronyd_t cloud_init_t:unix_dgram_socket sendto;



I was able to work around it by adding the following to the User Data of the launch template:

% semanage permissive -a chronyd_t

Onto the next oddness.

On Tue, Oct 18, 2022 at 11:46 PM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Tue, Oct 18, 2022 at 11:23:26AM -0700, Tom Holub wrote:
> Obviously, this isn't chrony's fault, but I'm looking for advice on how to
> troubleshoot or work around the situation. If I put a User Data directive
> to run chronyd on instance boot, it creates chronyd.pid and chronyd.sock in
> /run/chrony, and the daemon seems to be syncing time, but all of the
> command line commands (like "chronyc sources") return nothing.

Try running "netstat -aenp | grep chronyd" or "ss -anp | grep
chronyd" to see which sockets the process has open. If it's missing a
UDP or Unix domain socket, there should be an error message in the
log. If no socket is missing, it might be a permission problem on the
directory or socket. It could also be a SELinux/AppArmor issue if
it's enabled on the system. Check /var/log/audit/audit.log if present.

--
Miroslav Lichvar





--
Tom Holub, Founder and Principal
Totally Doable Consulting, http://totallydoable.com 
Practical strategic consulting for non-profits and the public sector
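An added example, not part of this thread or of chrony: a small POSIX shell helper that reduces audit.log AVC lines to "source_domain target_type class permission" so the exact denial is visible before deciding between restorecon (for a mislabeled path, as audit2allow hinted), a targeted policy module, or marking the whole domain permissive. The sample log lines are constructed and modelled on the ones quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the chrony thread): summarise SELinux AVC denials
# from an audit log so the denied domain -> target/class/permission is
# visible before choosing a fix.

# Constructed sample input, modelled on the audit.log lines quoted in the
# thread (the second AVC line is invented to show a different class/target).
SAMPLE_AUDIT='type=AVC msg=audit(1666221117.868:118): avc:  denied  { sendto } for  pid=1694 comm="chronyd" path="/run/chrony/chronyc.5240.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1666221117.868:118): arch=c000003e syscall=46 success=no exit=-13 pid=1694 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1666221120.001:119): avc:  denied  { read } for  pid=1694 comm="chronyd" name="chrony.keys" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0'

# Print one line per AVC denial: source_type target_type class permission
# Example: "chronyd_t cloud_init_t unix_dgram_socket sendto"
# $1: audit log file to read ("-" for stdin)
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; src = ""; tgt = ""; cls = ""
        # The denied permission sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            # scontext/tcontext look like user:role:type:level; keep the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        print src, tgt, cls, perm
    }' "$1"
}

# Count denials per source domain so a noisy domain stands out.
# $1: audit log file to read ("-" for stdin)
count_by_domain() {
    summarize_avc "$1" | awk '{ c[$1]++ } END { for (d in c) print d, c[d] }'
}

# Stand-alone run over the constructed sample; on a real host you would use
#   summarize_avc /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc -
printf '%s\n' "$SAMPLE_AUDIT" | count_by_domain -
```

The output is what you want in hand before applying a fix: `semanage permissive -a chronyd_t` (the workaround above) keeps logging denials but stops enforcing for everything chronyd does, whereas a restorecon on a mislabeled socket or a module built with `audit2allow -M` and loaded with `semodule -i` only grants the one `sendto` shown.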


