Hi,
We're using refpolicy 2.20250213 and systemd 257.4 from Yocto walnascar. Our policy type is mcs. The issue is reproducible when using qemux86_64 as MACHINE.
chrony ships with a NetworkManager dispatcher script (deployed into /etc/NetworkManager/dispatcher.d/hrony.nm-dispatcher.dhcp) that by default writes files into /var/run/chrony-dhcp/<interface>.sources: https://gitlab.com/chrony/chrony/-/blob/master/examples/chrony.nm-dispatcher.dhcp#L13
The directory gets the label initrc_runtime_t (as opposed to e.g. chronyd_runtime_t):
drwxrwx---. 2 chronyd chronyd system_u:object_r:chronyd_runtime_t:s0 80 Feb 5 12:35 chrony
drwxr-xr-x. 2 root root system_u:object_r:initrc_runtime_t:s0 60 Feb 5 12:35 chrony-dhcp
With enforcement turned on, this makes it impossible for chronyd to read the file. We currently ship the following workaround in a chrony-nmdispatcher.te file:
policy_module(chrony-nmdispatcher,1.0.0)

require {
	type chronyd_runtime_t;
}

init_daemon_runtime_file(chronyd_runtime_t, dir, "chrony-dhcp")
With that, the directory gets labelled chronyd_runtime_t, and chronyd is able to pick up NTP servers by reading the file generated by the dispatcher script.
But presumably, there's room for a more sophisticated solution. The Fedora project, for example, has a complex setup of rules for NetworkManager dispatcher scripts that apply to chrony, e.g. in:
Maybe some of that might be applicable?
Thanks for looking into the issue and best regards
Andi
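An added example, not part of Andi's mail and not refpolicy's own code: shell helpers to load the chrony-nmdispatcher module described above, confirm that the type_transition exists and the live /run/chrony-dhcp directory carries chronyd_runtime_t, and filter audit records for exactly the chronyd_t -> initrc_runtime_t denial the mislabel produces. It assumes refpolicy development headers at /usr/share/selinux/devel, setools (sesearch) and audit (ausearch) installed, and /var/run being a symlink to /run; the audit records at the bottom are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the post or refpolicy): load the chrony-nmdispatcher
# module, verify the transition and detect the denial it fixes.
# Assumptions: refpolicy headers at /usr/share/selinux/devel, setools (sesearch)
# and audit (ausearch) installed, /var/run -> /run.
set -eu

MODULE=chrony-nmdispatcher
RUNDIR=/run/chrony-dhcp
WANT_TYPE=chronyd_runtime_t

# Type field of a security context:
#   "system_u:object_r:initrc_runtime_t:s0" -> "initrc_runtime_t"
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Keep only audit records for the failure described in the post:
# chronyd_t denied access to an object still labelled initrc_runtime_t.
chrony_mislabel_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:chronyd_t:' \
        | grep 'tcontext=[^ ]*:initrc_runtime_t:' || true
}

# Build chrony-nmdispatcher.te from the current directory and load it.
install_module() {
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
}

# The transition only applies to directories created after the module is
# loaded, so also check the existing directory and report a stale label.
verify_transition() {
    sesearch --type_trans -s initrc_t -c dir | grep "$WANT_TYPE \"chrony-dhcp\""
    ctx=$(stat -c %C "$RUNDIR")
    if [ "$(context_type "$ctx")" != "$WANT_TYPE" ]; then
        echo "$RUNDIR still labelled $ctx; remove it so the dispatcher recreates it" >&2
        return 1
    fi
}

# Recent denials caused by the mislabel (empty output means none).
recent_denials() { ausearch -m AVC -ts recent --raw | chrony_mislabel_denials; }

# Constructed sample records (not real captures) for exercising the filter.
SAMPLE_BAD='type=AVC msg=audit(1738758900.123:456): avc:  denied  { read } for  pid=1234 comm="chronyd" name="eth0.sources" dev="tmpfs" ino=98765 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0'
SAMPLE_OK='type=AVC msg=audit(1738758901.456:457): avc:  denied  { write } for  pid=1234 comm="chronyd" name="chrony.conf" dev="vda1" ino=4321 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
```

On the target, run `install_module && verify_transition` after the module is built, and `recent_denials` to confirm chronyd no longer trips over the old label.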