RHEL / RHEL-55133

selinux denials for chrony/timemaster

    • selinux-policy-38.1.46-1.el9
    • No
    • Moderate
    • 1
    • sst_security_selinux
    • ssg_security
    • 12
    • 1
    • QE ack
    • False
    • No
    • Red Hat Enterprise Linux
    • SELINUX 240925 - 241016
    • Unspecified Release Note Type - Unknown
    • All
    • None

      What were you trying to do that didn't work?

      Trying to use the timesync system role to manage chrony/timemaster on a rhel 9.5 bare metal beaker machine. The test tests_ntp_ptp.yml fails with the following AVCs:

      type=AVC msg=audit(1723567978.288:35395): avc:  denied  { read write } for  pid=1804889 comm="ptp4l" name="ptp8" dev="devtmpfs" ino=55379 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
      type=AVC msg=audit(1723567978.288:35396): avc:  denied  { read write } for  pid=1804891 comm="ptp4l" name="ptp9" dev="devtmpfs" ino=55380 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
      type=AVC msg=audit(1723567979.794:35399): avc:  denied  { sys_admin } for  pid=1804918 comm="ptp4l" capability=21  scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
      type=AVC msg=audit(1723567979.794:35400): avc:  denied  { sys_admin } for  pid=1804920 comm="ptp4l" capability=21  scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
      

      The error only happens on bare metal machines - I cannot reproduce on VMs.

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.44-1.el9.noarch

      How reproducible:

      every time

      Steps to reproduce

      I use the following `wow` command:

      wow rhel-9.5 --ignore-panic --arch x86_64 --taskparam=VERSIONLOCK=true --ks-meta redhat_ca_cert --brew-build rhel-system-roles-1.86.0-0.1.el9 --taskparam=ANSIBLE_VER=2 --taskparam=SYSTEM_ROLES_ONLY_TESTS=timesync --taskparam=GIT_SSL_NO_VERIFY=true --task "! echo '10.2.129.217 pkgs.devel.redhat.com' >> /etc/hosts" --brew-method=multi --task https://pkgs.devel.redhat.com/git/tests/rhel-system-roles/snapshot/rhel-system-roles-master.tar.gz#Sanity/basic-smoke-test --bare --keyvalue=HVM=1 --reservesys-if-warn --whiteboard 'System Roles testing rhel-9.5 arch x86_64 build rhel-system-roles-1.86.0-0.1.el9 ansible 2 include tests timesync legacy role'
      

      This will provision a rhel-9.5 bare metal beaker machine, work around the DNS issue we are currently having, and run the timesync test that triggers the issue.

      Expected results

      no selinux denials

      Actual results

            rhn-support-zpytela Zdenek Pytela
            rmeggins@redhat.com Richard Megginson
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik