- Bug
- Resolution: Unresolved
- Normal
- rhel-9.5
- selinux-policy-38.1.46-1.el9
- No
- Moderate
- 1
- sst_security_selinux
- ssg_security
- 12
- 1
- QE ack
- False
- No
- Red Hat Enterprise Linux
- SELINUX 240925 - 241016
- Unspecified Release Note Type - Unknown
- All
- None
What were you trying to do that didn't work?
Trying to use the timesync system role to manage chrony/timemaster on a rhel 9.5 bare metal beaker machine. The test tests_ntp_ptp.yml fails with the following AVCs:
type=AVC msg=audit(1723567978.288:35395): avc: denied { read write } for pid=1804889 comm="ptp4l" name="ptp8" dev="devtmpfs" ino=55379 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567978.288:35396): avc: denied { read write } for pid=1804891 comm="ptp4l" name="ptp9" dev="devtmpfs" ino=55380 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567979.794:35399): avc: denied { sys_admin } for pid=1804918 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1723567979.794:35400): avc: denied { sys_admin } for pid=1804920 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
The error only happens on bare metal machines - I cannot reproduce on VMs.
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.44-1.el9.noarch
How reproducible:
every time
Steps to reproduce
I use the following `wow` command:
wow rhel-9.5 --ignore-panic --arch x86_64 --taskparam=VERSIONLOCK=true --ks-meta redhat_ca_cert --brew-build rhel-system-roles-1.86.0-0.1.el9 --taskparam=ANSIBLE_VER=2 --taskparam=SYSTEM_ROLES_ONLY_TESTS=timesync --taskparam=GIT_SSL_NO_VERIFY=true --task "! echo '10.2.129.217 pkgs.devel.redhat.com' >> /etc/hosts" --brew-method=multi --task https://pkgs.devel.redhat.com/git/tests/rhel-system-roles/snapshot/rhel-system-roles-master.tar.gz#Sanity/basic-smoke-test --bare --keyvalue=HVM=1 --reservesys-if-warn --whiteboard 'System Roles testing rhel-9.5 arch x86_64 build rhel-system-roles-1.86.0-0.1.el9 ansible 2 include tests timesync legacy role'
This will provision a rhel-9.5 bare metal beaker machine, work around the DNS issue we are currently having, and run the timesync test that triggers the issue.
Expected results
no selinux denials
Actual results
- split to: RHEL-57040 timemaster starts ptp4l before vclock has correct selinux context (In Progress)
- links to: RHBA-2024:139849 selinux-policy update
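A triage aid for the AVC records in this report, added here as an example and not part of the original ticket or of any Red Hat tooling: it groups the denials by source type, target type and class, and lists character devices that were still labelled with the generic `device_t` type when access was denied. The function names are hypothetical; the log lines are the four records quoted in the report.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, one per line.
AVC_LOG = """\
type=AVC msg=audit(1723567978.288:35395): avc: denied { read write } for pid=1804889 comm="ptp4l" name="ptp8" dev="devtmpfs" ino=55379 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567978.288:35396): avc: denied { read write } for pid=1804891 comm="ptp4l" name="ptp9" dev="devtmpfs" ino=55380 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567979.794:35399): avc: denied { sys_admin } for pid=1804918 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1723567979.794:35400): avc: denied { sys_admin } for pid=1804920 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def summarize(log):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("name") or "capability=" + rec.get("capability", "?"))
        g["count"] += 1
    return dict(groups)

def generic_device_denials(summary):
    # device_t is the generic /dev type, so a chr_file denial against it is a
    # cue to check the node's label before considering a new allow rule.
    return sorted(o for (_, t, c), g in summary.items()
                  if t == "device_t" and c == "chr_file" for o in g["objects"])

if __name__ == "__main__":
    summary = summarize(AVC_LOG)
    for key, g in summary.items():
        print(key, sorted(g["perms"]), sorted(g["objects"]), g["count"])
    print("generic-labelled devices:", generic_device_denials(summary))
```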