• selinux-policy-38.1.41-1.el9
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 20
    • QE ack
    • False
    • No
    • CY24Q2
      SELinux policy allows the timemaster processes to read/write from/to files (/sys/*/ptp/ptp0/n_vclocks) labeled sysfs_t.
    • Pass
    • Unspecified Release Note Type - Unknown

      What were you trying to do that didn't work?

      selinux policy doesn't allow timemaster to configure virtual clocks by writing to /sys. This functionality was added in RHEL9.1, but it seems nobody requested the selinux policy to cover it.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.35-1.el9_4.noarch

      How reproducible:

      Reproducible with a NIC which supports HW timestamping

      Steps to reproduce

      1. install linuxptp
      2. specify a PTP domain in /etc/timemaster.conf with an interface which has hardware timestamping (ethtool -T prints hardware-raw-clock capability). The PTP domain doesn't need to be provided in the network. For example:
        [ptp_domain 0]
        interfaces enp1s0
        
      3. start timemaster

      Expected results

      timemaster running and no reported AVCs

      Actual results

      timemaster gives up and AVCs are reported

      type=AVC msg=audit(1710170769.424:453): avc:  denied  { read } for  pid=18663 comm="timemaster" name="ptp0" dev="sysfs" ino=30545 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
      type=AVC msg=audit(1710170769.424:453): avc:  denied  { write } for  pid=18663 comm="timemaster" name="n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1710170769.424:453): avc:  denied  { open } for  pid=18663 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/ptp/ptp0/n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1710170769.424:454): avc:  denied  { getattr } for  pid=18663 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/ptp/ptp0/n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1710170769.441:457): avc:  denied  { read } for  pid=19357 comm="timemaster" name="ptp0" dev="sysfs" ino=30541 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
      
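      As an added example that is not part of the report or of the selinux-policy package, the following Python script parses the AVC records quoted above and collapses them into the minimal allow rules they imply, in the spirit of audit2allow. The log text is a constructed copy of the five records above; the rules it prints are only what those records show, not necessarily the full set the fixed policy grants.

```python
import re
from collections import defaultdict

# Constructed copy of the AVC records quoted in the report (logged in permissive mode).
AVC_LOG = """\
type=AVC msg=audit(1710170769.424:453): avc:  denied  { read } for  pid=18663 comm="timemaster" name="ptp0" dev="sysfs" ino=30545 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1710170769.424:453): avc:  denied  { write } for  pid=18663 comm="timemaster" name="n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1710170769.424:453): avc:  denied  { open } for  pid=18663 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/ptp/ptp0/n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1710170769.424:454): avc:  denied  { getattr } for  pid=18663 comm="timemaster" path="/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/ptp/ptp0/n_vclocks" dev="sysfs" ino=30557 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1710170769.441:457): avc:  denied  { read } for  pid=19357 comm="timemaster" name="ptp0" dev="sysfs" ino=30541 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source type, target type, class, perms, permissive) or None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type:level; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    permissive = fields.get("permissive") == "1"
    return stype, ttype, fields["tclass"], set(m.group(1).split()), permissive


def derive_allow_rules(log_text):
    """Collapse all denials into one allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        stype, ttype, tclass, perms, _ = rec
        wanted[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def all_permissive(log_text):
    """True when every denial carries permissive=1: the access went through and
    was only logged, so every access on the code path was captured. In enforcing
    mode the first denied access fails and later ones may never be attempted,
    so a list derived from an enforcing-mode log can be incomplete."""
    recs = list(filter(None, map(parse_avc, log_text.splitlines())))
    return bool(recs) and all(r[4] for r in recs)
```

      Run with `python3 -c 'import avc_rules; print("\n".join(avc_rules.derive_allow_rules(avc_rules.AVC_LOG)))'` (assuming the file is saved as avc_rules.py) to print the three rules for timemaster_t on sysfs_t dir, file and lnk_file objects.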

              rhn-support-zpytela Zdenek Pytela
              rhn-support-mlichvar Miroslav Lichvar
              Zdenek Pytela
              Milos Malik