Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.4
Component/s: selinux-policy
Labels:
None

Fixed in Build:
selinux-policy-38.1.35-2.el9_4
Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
30
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None
Release Blocker:
Approved Exception

Acceptance Criteria:

Hide

The automated test does not trigger any SELinux denials.

Show
The automated test does not trigger any SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/121166
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch
linuxptp-4.2-2.el9.x86_64

How reproducible:

always on aarch64 and x86_64

Steps to reproduce

get a RHEL-9.4 machine (targeted policy is active)
run the following automated test: /CoreOS/selinux-policy/Regression/timemaster-and-similar
search for SELinux denials

Expected results

no SELinux denials

Actual results

----
type=PROCTITLE msg=audit(02/23/2024 15:43:36.343:511) : proctitle=/usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf 
type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=1 name=/var/run/timemaster/chrony.SOCK0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=0 name=/var/run/timemaster/ inode=1439 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/23/2024 15:43:36.343:511) : cwd=/ 
type=SOCKADDR msg=audit(02/23/2024 15:43:36.343:511) : saddr={ saddr_fam=local path=/var/run/timemaster/chrony.SOCK0 } 
type=SYSCALL msg=audit(02/23/2024 15:43:36.343:511) : arch=aarch64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0xffffd263c1e8 a2=0x6e a3=0x2 items=2 ppid=46005 pid=46007 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(02/23/2024 15:43:36.343:511) : avc:  denied  { write } for  pid=46007 comm=chronyd name=timemaster dev="tmpfs" ino=1439 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0 
----

is cloned by

RHEL-27418 [RHEL-8] SELinux prevents chronyd from writing into /var/run/timemaster/chrony.SOCK0

Closed

is related to

RHEL-25978 Selinux prevents systemd_timedated from checking timemaster status

Closed

links to

Allow linuxptp configure phc2sys and chronyd

RHBA-2023:121166 selinux-policy bug fix and enhancement update

TCMS Test Case 448500

Assignee:: Zdenek Pytela

Reporter:: Milos Malik

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/02/26 1:59 PM

Updated:: 2024/09/23 5:05 PM

Resolved:: 2024/04/30 10:13 AM

Target end:: 2024/03/25

Release Date:: 2024/04/30

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates