Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.5
Component/s: selinux-policy
Labels:
- dependent-component
- safety-anomaly

Fixed in Build:
selinux-policy-38.1.46-1.el9
Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
14
Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

Red Hat Enterprise Linux
Sprint:
SELINUX 240925 - 241016

Preliminary Testing:
Fail
Errata Link:
https://errata.engineering.redhat.com/advisory/139849
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Trying to use the timesync system role to manage chrony/timemaster on a rhel 9.5 bare metal beaker machine. The test tests_ntp_ptp.yml fails with the following AVCs:

type=AVC msg=audit(1723567978.288:35395): avc:  denied  { read write } for  pid=1804889 comm="ptp4l" name="ptp8" dev="devtmpfs" ino=55379 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567978.288:35396): avc:  denied  { read write } for  pid=1804891 comm="ptp4l" name="ptp9" dev="devtmpfs" ino=55380 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723567979.794:35399): avc:  denied  { sys_admin } for  pid=1804918 comm="ptp4l" capability=21  scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1723567979.794:35400): avc:  denied  { sys_admin } for  pid=1804920 comm="ptp4l" capability=21  scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0

The error only happens on bare metal machines - I cannot reproduce on VMs.

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.44-1.el9.noarch

How reproducible:

every time

Steps to reproduce

I use the following `wow` command:

wow rhel-9.5 --ignore-panic --arch x86_64 --taskparam=VERSIONLOCK=true --ks-meta redhat_ca_cert --brew-build rhel-system-roles-1.86.0-0.1.el9 --taskparam=ANSIBLE_VER=2 --taskparam=SYSTEM_ROLES_ONLY_TESTS=timesync --taskparam=GIT_SSL_NO_VERIFY=true --task "! echo '10.2.129.217 pkgs.devel.redhat.com' >> /etc/hosts" --brew-method=multi --task https://pkgs.devel.redhat.com/git/tests/rhel-system-roles/snapshot/rhel-system-roles-master.tar.gz#Sanity/basic-smoke-test --bare --keyvalue=HVM=1 --reservesys-if-warn --whiteboard 'System Roles testing rhel-9.5 arch x86_64 build rhel-system-roles-1.86.0-0.1.el9 ansible 2 include tests timesync legacy role'

This will provision a rhel-9.5 bare metal beaker machine, workaround the DNS issue we are currently having, and run the timesync test that triggers the issue.

Expected results

no selinux denials

Actual results

split to

RHEL-57040 timemaster starts ptp4l before vclock has correct selinux context

In Progress

links to

github pr

RHBA-2024:139849 selinux-policy update

Assignee:: Zdenek Pytela

Reporter:: Richard Megginson

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/08/19 4:26 PM

Updated:: 2024/11/18 10:19 AM

Target end:: 2024/11/25

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates