Bug
Resolution: Done-Errata
Normal
rhel-9.4.z, rhel-9.5
selinux-policy-38.1.40-1.el9
Moderate
rhel-sst-security-selinux
ssg_security
17
False
No
Unspecified Release Note Type - Unknown
x86_64
What were you trying to do that didn't work?
Start the ptp4l service; got an AVC error log under SELinux enforcing mode.
Please provide the package NVR for which bug is seen:
kernel version: 5.14.0-452.el9/ 5.14.0-427.20.1.el9_4
linuxptp: linuxptp-4.2-2.el9.x86_64
How reproducible: 100%
Steps to reproduce
1. configure /etc/ptp4l.conf as below
cat /etc/ptp4l.conf
# For more information about this file, see the ptp4l(8) man page.
# Examples are available in /usr/share/doc/linuxptp/configs.
[global]
domainNumber 0
slaveOnly 1
time_stamping hardware
tx_timestamp_timeout 1
logging_level 6
summary_interval 0
[eth0]
network_transport UDPv4
hybrid_e2e 0
2. configure /etc/sysconfig/ptp4l as below
cat /etc/sysconfig/ptp4l
OPTIONS="-f /etc/ptp4l.conf -i ens7f0"
3. start ptp4l service
systemctl start ptp4l
systemctl status ptp4l -l --no-pager
● ptp4l.service - Precision Time Protocol (PTP) service
     Loaded: loaded (/usr/lib/systemd/system/ptp4l.service; disabled; preset: disabled)
     Active: active (running) since Mon 2024-05-27 22:38:51 EDT; 7min ago
   Main PID: 10691 (ptp4l)
      Tasks: 1 (limit: 405873)
     Memory: 688.0K
        CPU: 13ms
     CGroup: /system.slice/ptp4l.service
             └─10691 /usr/sbin/ptp4l -f /etc/ptp4l.conf -i ens7f0

May 27 22:46:05 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [613.391] port 2 (eth0): defaultDS.priority1 probably misconfigured
May 27 22:46:13 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [621.390] port 2 (eth0): assuming the grand master role
May 27 22:46:13 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [621.390] port 2 (eth0): master state recommended in slave only mode
May 27 22:46:13 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [621.390] port 2 (eth0): defaultDS.priority1 probably misconfigured
May 27 22:46:19 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [627.958] port 2 (eth0): assuming the grand master role
May 27 22:46:19 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [627.958] port 2 (eth0): master state recommended in slave only mode
May 27 22:46:19 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [627.958] port 2 (eth0): defaultDS.priority1 probably misconfigured
May 27 22:46:26 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [634.405] port 2 (eth0): assuming the grand master role
May 27 22:46:26 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [634.405] port 2 (eth0): master state recommended in slave only mode
May 27 22:46:26 dell-per750-09.rhts.eng.pek2.redhat.com ptp4l[10691]: [634.405] port 2 (eth0): defaultDS.priority1 probably misconfigured
Expected results
Actual results
[root@dell-per750-09 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/ptp4l from module_request access on the system labeled kernel_t.

*****  Plugin catchall_boolean (89.3 confidence) suggests  ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.

Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests  **************************

If you believe that ptp4l should be allowed module_request access on system labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ptp4l' --raw | audit2allow -M my-ptp4l
# semodule -X 300 -i my-ptp4l.pp

Additional Information:
Source Context                system_u:system_r:ptp4l_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        ptp4l
Source Path                   /usr/sbin/ptp4l
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           linuxptp-4.2-2.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.38-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.38-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per750-09.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per750-09.rhts.eng.pek2.redhat.com 5.14.0-452.el9.x86_64 #1 SMP PREEMPT_RT Sat May 18 19:04:07 EDT 2024 x86_64 x86_64
Alert Count                   6
First Seen                    2024-05-27 22:13:38 EDT
Last Seen                     2024-05-27 22:13:38 EDT
Local ID                      dfb5908a-971e-4c7a-b953-9efa5839dd2c

Raw Audit Messages
type=AVC msg=audit(1716862418.381:226): avc:  denied  { module_request } for  pid=13694 comm="ptp4l" kmod="netdev-eth0" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

type=SYSCALL msg=audit(1716862418.381:226): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=1a a1=8933 a2=7fff83c07cb0 a3=7f73dfb5cac0 items=0 ppid=1 pid=13694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) ARCH=x86_64 SYSCALL=ioctl AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: ptp4l,ptp4l_t,kernel_t,system,module_request
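Added here as an illustration, not part of the report above or of the selinux-policy project. The AVC is a system:module_request denial from ptp4l_t against kernel_t with kmod="netdev-eth0", and the SYSCALL record paired with it by event serial 226 shows the ioctl (a1=8933, which is SIOCGIFINDEX) failing with ENODEV. That combination means the kernel attempted to autoload a driver for an interface name the host does not have (dev_load() issues request_module("netdev-<name>") when the name does not resolve), which matches the [eth0] section in ptp4l.conf on a host whose port is ens7f0. The script below groups ausearch-style records by serial, recognises that pattern, and prints the narrowest allow rule that would cover the denial. The input is the two records quoted above, marked as constructed in the code, the ioctl table is a deliberate subset, and no claim is made about how the shipped policy fix was written. Note the trade-off in sealert's suggestions: the domain_kernel_load_modules boolean lets every confined domain request module loads, whereas the audit2allow module is scoped to ptp4l_t alone.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed input for this example: the AVC and SYSCALL records quoted in the
# report above, in sealert's interpreted form (syscall and exit already rendered
# as names). parse_record() also accepts the raw numeric form ausearch --raw prints.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1716862418.381:226): avc:  denied  { module_request } for  '
    'pid=13694 comm="ptp4l" kmod="netdev-eth0" scontext=system_u:system_r:ptp4l_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'type=SYSCALL msg=audit(1716862418.381:226): arch=x86_64 syscall=ioctl success=no '
    'exit=ENODEV a0=1a a1=8933 a2=7fff83c07cb0 a3=7f73dfb5cac0 items=0 ppid=1 '
    'pid=13694 auid=4294967295 uid=0 gid=0 comm=ptp4l exe=/usr/sbin/ptp4l '
    'subj=system_u:system_r:ptp4l_t:s0 key=(null)',
]

# Interface ioctls for which dev_ioctl() calls dev_load(), i.e. the kernel runs
# request_module("netdev-<ifname>") when <ifname> does not exist. Subset only.
NETDEV_LOAD_IOCTLS = {
    0x8913: "SIOCGIFFLAGS",
    0x8921: "SIOCGIFMTU",
    0x8933: "SIOCGIFINDEX",
    0x8946: "SIOCETHTOOL",
}

_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
_PERMS = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[Dict]:
    """Split one audit record into type, event serial, AVC permission set and key=value fields."""
    line = line.strip()
    m = _HDR.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "perms": [], "fields": {}}
    p = _PERMS.search(line)
    if p:
        rec["result"] = p["result"]
        rec["perms"] = p["perms"].split()
    for key, val in _KV.findall(line[m.end():]):
        rec["fields"][key] = val.strip('"')
    return rec


def group_by_serial(lines: List[str]) -> Dict[int, List[Dict]]:
    """Records sharing msg=audit(ts:serial) belong to one event (AVC + SYSCALL + ...)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def type_of(context: str) -> str:
    """system_u:system_r:ptp4l_t:s0 -> ptp4l_t"""
    return context.split(":")[2]


def allow_rule(avc: Dict) -> str:
    """The single TE rule that would permit exactly this denial (what audit2allow emits)."""
    f = avc["fields"]
    return "allow %s %s:%s { %s };" % (
        type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"], " ".join(avc["perms"]))


def triage_event(records: List[Dict]) -> Optional[Dict]:
    """Explain a system:module_request denial; None if this event is not one."""
    avc = next((r for r in records
                if r["type"] == "AVC" and r.get("result") == "denied"
                and r["fields"].get("tclass") == "system"
                and "module_request" in r["perms"]), None)
    if avc is None:
        return None
    out = {
        "source": type_of(avc["fields"]["scontext"]),
        "kmod": avc["fields"].get("kmod", ""),
        "enforced": avc["fields"].get("permissive") == "0",
        "rule": allow_rule(avc),
        "cause": "unknown",
    }
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if out["kmod"].startswith("netdev-") and sc is not None:
        f = sc["fields"]
        is_ioctl = f.get("syscall") in ("ioctl", "16")   # 16 is ioctl on x86_64
        enodev = f.get("exit") in ("ENODEV", "-19")
        ioctl_nr = int(f.get("a1", "0"), 16)              # a1 is the ioctl request, in hex
        if is_ioctl and enodev and ioctl_nr in NETDEV_LOAD_IOCTLS:
            out["cause"] = "missing_interface"
            out["interface"] = out["kmod"][len("netdev-"):]
            out["ioctl"] = NETDEV_LOAD_IOCTLS[ioctl_nr]
    return out


def triage(lines: List[str]) -> List[Dict]:
    """Triage a batch of audit lines; only module_request denials are reported."""
    results = []
    for records in group_by_serial(lines).values():
        verdict = triage_event(records)
        if verdict:
            results.append(verdict)
    return results


if __name__ == "__main__":
    for verdict in triage(SAMPLE_AUDIT):
        print(verdict)
```

On a live host the same function takes the output of `ausearch -m AVC,SYSCALL --raw` split into lines. A "missing_interface" verdict is a configuration problem to fix first (name the real interface in the [section] header); the emitted allow rule is what a local module would contain if the access is wanted anyway.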
Links to: RHBA-2024:130707 selinux-policy bug fix and enhancement update