Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-76786

linuxptp selinux denials

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-10.0
    • rhel-10.0
    • linuxptp
    • None
    • linuxptp-4.4-2.el10
    • No
    • Moderate
    • rhel-stacks-services-scripting
    • ssg_core_services
    • 1
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None

      There are multiple issues with the selinux policy.

      • It doesn't allow ptp4l to use a generic netlink socket, which is needed to handle virtual PTP clocks
      • It doesn't allow timemaster to read and write /sys, which is needed to support virtual clocks

      Reproducer:

      • start ptp4l/timemaster on a HW-timestamping capable network interface
      • observe audit.log
      type=AVC msg=audit(1738157658.065:421): avc:  denied  { sys_admin } for  pid=3902 comm="ptp4l" capability=21  scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1738235953.712:5077): avc:  denied  { write } for  pid=37137 comm="timemaster" name="ptp0" dev="sysfs" ino=27774 scontext=system_u:system_r:timemaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0

              rhn-support-mlichvar Miroslav Lichvar
              rhn-support-mlichvar Miroslav Lichvar
              Miroslav Lichvar Miroslav Lichvar
              Yalin Li Yalin Li
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: