RHEL-27418

[RHEL-8] SELinux prevents chronyd from writing into /var/run/timemaster/chrony.SOCK0

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • rhel-8.10.z
    • rhel-8.10
    • selinux-policy
    • Medium
    • sst_security_selinux
    • ssg_security
    • QE ack

      What were you trying to do that didn't work?

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.33-1.el9.noarch
      selinux-policy-targeted-38.1.33-1.el9.noarch
      linuxptp-4.2-2.el9.x86_64

      How reproducible:

      always on aarch64 and x86_64

      Steps to reproduce

      1. get a RHEL-9.4 machine (targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/timemaster-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
      type=PROCTITLE msg=audit(02/23/2024 15:43:36.343:511) : proctitle=/usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf 
      type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=1 name=/var/run/timemaster/chrony.SOCK0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(02/23/2024 15:43:36.343:511) : item=0 name=/var/run/timemaster/ inode=1439 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(02/23/2024 15:43:36.343:511) : cwd=/ 
      type=SOCKADDR msg=audit(02/23/2024 15:43:36.343:511) : saddr={ saddr_fam=local path=/var/run/timemaster/chrony.SOCK0 } 
      type=SYSCALL msg=audit(02/23/2024 15:43:36.343:511) : arch=aarch64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0xffffd263c1e8 a2=0x6e a3=0x2 items=2 ppid=46005 pid=46007 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
      type=AVC msg=audit(02/23/2024 15:43:36.343:511) : avc:  denied  { write } for  pid=46007 comm=chronyd name=timemaster dev="tmpfs" ino=1439 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0 
      ----
      

      Also:

      Some of the timesync system role tests are failing with the latest 8.10 due
      to an AVC:

      type=AVC msg=audit(1709149397.578:633): avc: denied { write } for pid=15781 comm="chronyd" name="timemaster" dev="tmpfs" ino=48191 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1709149398.467:667): avc: denied { write } for pid=15888 comm="chronyd" name="timemaster" dev="tmpfs" ino=48191 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0
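The report quotes the same denial in two shapes: the interpreted form printed by `ausearch -i` (with a human-readable timestamp and unquoted values) and the raw auditd form (epoch timestamp, quoted values). The following Python is an added example, not part of the bug report or of selinux-policy, that parses both shapes and aggregates denials by (source type, target type, object class, permissions), which is the key a policy maintainer triages on and the same grouping `audit2allow` uses. The sample records are constructed from the ones quoted above; the third line is a non-AVC record included to show that it is skipped.

```python
"""Parse SELinux AVC records (raw auditd and `ausearch -i` forms) and summarise denials."""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the denials quoted in the report above.
SAMPLE_AUDIT_LINES = [
    # interpreted (`ausearch -i`) form: "date time" timestamp, unquoted comm/name
    'type=AVC msg=audit(02/23/2024 15:43:36.343:511) : avc:  denied  { write } for  '
    'pid=46007 comm=chronyd name=timemaster dev="tmpfs" ino=1439 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0',
    # raw auditd form: epoch timestamp, quoted comm/name
    'type=AVC msg=audit(1709149397.578:633): avc: denied { write } for '
    'pid=15781 comm="chronyd" name="timemaster" dev="tmpfs" ino=48191 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=0',
    # a non-AVC record from the same event; the parser must ignore it
    'type=SYSCALL msg=audit(1709149397.578:633): arch=c000003e syscall=49 success=no exit=-13',
]

# Matches both "audit(...) : avc:  denied  { perm ... } for  ..." and "audit(...): avc: denied { perm } for ..."
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\(([^)]*)\)\s*:\s*avc:\s+(denied|granted)\s+'
    r'\{\s*([^}]*?)\s*\}\s+for\s+(.*)$'
)
# key=value pairs; values are either a quoted string or a run of non-whitespace
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    event: str            # contents of audit(...) : timestamp and serial
    decision: str         # "denied" or "granted"
    permissions: frozenset
    fields: dict          # pid, comm, name, scontext, tcontext, tclass, permissive, ...

    @property
    def enforced(self) -> bool:
        """True when the denial was actually enforced (permissive=0)."""
        return self.fields.get('permissive') == '0'


def parse_avc(line: str):
    """Return an AvcRecord for an AVC line in either form, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    event, decision, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return AvcRecord(event=event, decision=decision,
                     permissions=frozenset(perms.split()), fields=fields)


def context_type(ctx: str) -> str:
    """Return the type component of an SELinux context (user:role:type[:level])."""
    return ctx.split(':')[2]


def summarise(lines):
    """Count enforced denials keyed by (source type, target type, class, permissions)."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != 'denied' or not rec.enforced:
            continue
        key = (context_type(rec.fields['scontext']),
               context_type(rec.fields['tcontext']),
               rec.fields['tclass'],
               tuple(sorted(rec.permissions)))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for (src, tgt, cls, perms), n in summarise(SAMPLE_AUDIT_LINES).items():
        print(f'{n}x  {src} -> {tgt}  class={cls}  perms={" ".join(perms)}')
```

On a real host the input would come from `ausearch -m AVC -ts recent` (raw) or `ausearch -m AVC -ts recent -i` (interpreted); both forms from the report above collapse into the single key `chronyd_t -> timemaster_var_run_t, class dir, write`, which is exactly the rule the policy needs to grant.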

            Zdenek Pytela (rhn-support-zpytela), Milos Malik (mmalik@redhat.com)