Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-26660

SELinux prevents chronyd from writing into /var/run/timemaster/chrony.SOCK0 [rhel-9]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.4
    • rhel-9.4
    • selinux-policy
    • None
    • selinux-policy-38.1.35-2.el9_4
    • None
    • Medium
    • sst_security_selinux
    • ssg_security
    • 30
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Approved Exception
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.33-1.el9.noarch
      selinux-policy-targeted-38.1.33-1.el9.noarch
      linuxptp-4.2-2.el9.x86_64

      How reproducible:

      always on aarch64 and x86_64

      Steps to reproduce

      1. get a RHEL-9.4 machine (targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/timemaster-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
type=PROCTITLE msg=audit(02/23/2024 15:43:36.343:511) : proctitle=/usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf 
type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=1 name=/var/run/timemaster/chrony.SOCK0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=0 name=/var/run/timemaster/ inode=1439 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/23/2024 15:43:36.343:511) : cwd=/ 
type=SOCKADDR msg=audit(02/23/2024 15:43:36.343:511) : saddr={ saddr_fam=local path=/var/run/timemaster/chrony.SOCK0 } 
type=SYSCALL msg=audit(02/23/2024 15:43:36.343:511) : arch=aarch64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0xffffd263c1e8 a2=0x6e a3=0x2 items=2 ppid=46005 pid=46007 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/23/2024 15:43:36.343:511) : avc:  denied  { write } for  pid=46007 comm=chronyd name=timemaster dev="tmpfs" ino=1439 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0 
----

            rhn-support-zpytela Zdenek Pytela
            mmalik@redhat.com Milos Malik
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: