:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Setup :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:09:40 ] :: [ BEGIN ] :: Running 'rlImport 'selinux-policy/common'' :: [ 10:09:40 ] :: [ INFO ] :: rlImport: Found 'selinux-policy/common', version '43' during upwards traversal :: [ 10:09:40 ] :: [ INFO ] :: rlImport: Will try to import selinux-policy/common from /root/selinux/selinux-policy/Library/common/lib.sh :: [ 10:09:40 ] :: [ INFO ] :: found dependencies: 'distribution/epel ' :: [ 10:09:40 ] :: [ ERROR ] :: rlImport: Could not find library distribution/epel :: [ 10:09:40 ] :: [ INFO ] :: SELinux: using 'semodule -lfull' to list modules :: [ 10:09:40 ] :: [ INFO ] :: Running with policy located in /etc/selinux/targeted/policy/policy.33 :: [ 10:09:40 ] :: [ LOG ] :: enriched audit log format already enabled :: [ 10:09:40 ] :: [ LOG ] :: stop the audit daemon first :: [ 10:09:40 ] :: [ BEGIN ] :: Running 'service auditd stop' Stopping logging: :: [ 10:09:40 ] :: [ PASS ] :: Command 'service auditd stop' (Expected 0,2, got 0) :: [ 10:09:45 ] :: [ LOG ] :: audit daemon configuration file is updated, starting the audit service Redirecting to /bin/systemctl status auditd.service Redirecting to /bin/systemctl start auditd.service :: [ 10:09:45 ] :: [ LOG ] :: rlServiceStart: Service auditd started successfully :: [ 10:09:45 ] :: [ INFO ] :: SELinux related packages listing: :: [ 10:09:45 ] :: [ INFO ] :: checkpolicy-3.6-1.el9.x86_64 libselinux-3.6-3.el9.x86_64 libselinux-utils-3.6-3.el9.x86_64 libsemanage-3.6-5.el9_6.x86_64 libsepol-3.6-3.el9.x86_64 mcstrans-3.6-1.el9.x86_64 policycoreutils-3.6-2.1.el9.x86_64 policycoreutils-devel-3.6-2.1.el9.x86_64 policycoreutils-newrole-3.6-2.1.el9.x86_64 policycoreutils-python-utils-3.6-2.1.el9.noarch selinux-policy-38.1.55-1.el9.noarch selinux-policy-devel-38.1.55-1.el9.noarch selinux-policy-mls-38.1.55-1.el9.noarch 
selinux-policy-targeted-38.1.55-1.el9.noarch setools-console-4.4.4-1.el9.x86_64 :: [ 10:09:45 ] :: [ INFO ] :: listing took 0 second(s) :: [ 10:09:46 ] :: [ INFO ] :: package 'setools-console-4.4.4-1.el9.x86_64' covers required package 'setools-console' :: [ 10:09:46 ] :: [ INFO ] :: package 'expect-5.45.4-16.el9.x86_64' covers required package 'expect' :: [ 10:09:46 ] :: [ INFO ] :: package 'policycoreutils-python-utils-3.6-2.1.el9.noarch' covers required package 'policycoreutils-python-utils' :: [ 10:09:46 ] :: [ INFO ] :: package 'selinux-policy-devel-38.1.55-1.el9.noarch' covers required package 'selinux-policy-devel' :: [ 10:09:46 ] :: [ PASS ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0,1, got 1) :: [ 10:09:46 ] :: [ BEGIN ] :: Running 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy-mls selinux-policy-targeted setools-console chrony ksh nscd /usr/bin/certtool /usr/sbin/service socat linuxptp ' /usr/share/beakerlib/testing.sh: line 896: epelyum: command not found :: [ 10:09:46 ] :: [ FAIL ] :: Command 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy-mls selinux-policy-targeted setools-console chrony ksh nscd /usr/bin/certtool /usr/sbin/service socat linuxptp ' (Expected 0,1, got 127) selinux-policy-38.1.55-1.el9.noarch :: [ 10:09:46 ] :: [ PASS ] :: Checking for the presence of selinux-policy rpm :: [ 10:09:46 ] :: [ LOG ] :: Package versions: :: [ 10:09:46 ] :: [ LOG ] :: selinux-policy-38.1.55-1.el9.noarch selinux-policy-targeted-38.1.55-1.el9.noarch :: [ 10:09:46 ] :: [ PASS ] :: Checking for the presence of selinux-policy-targeted rpm :: [ 10:09:46 ] :: [ LOG ] :: Package versions: :: [ 10:09:46 ] :: [ LOG ] :: selinux-policy-targeted-38.1.55-1.el9.noarch chrony-4.6.1-1.el9.x86_64 :: [ 10:09:46 ] :: [ PASS ] :: Checking for the presence of chrony rpm :: [ 10:09:46 ] :: [ LOG ] :: Package versions: :: 
[ 10:09:46 ] :: [ LOG ] :: chrony-4.6.1-1.el9.x86_64 Redirecting to /bin/systemctl status ntpd.service Unit ntpd.service could not be found. :: [ 10:09:46 ] :: [ WARNING ] :: rlServiceStop: service ntpd status returned 4 :: [ 10:09:46 ] :: [ WARNING ] :: rlServiceStop: Guessing that original state of ntpd is stopped Redirecting to /bin/systemctl stop ntpd.service Failed to stop ntpd.service: Unit ntpd.service not loaded. :: [ 10:09:46 ] :: [ ERROR ] :: rlServiceStop: Stopping service ntpd failed :: [ 10:09:46 ] :: [ ERROR ] :: Status of the failed service: :: [ 10:09:46 ] :: [ LOG ] :: Redirecting to /bin/systemctl status ntpd.service :: [ 10:09:46 ] :: [ LOG ] :: Unit ntpd.service could not be found. Redirecting to /bin/systemctl status chronyd.service Redirecting to /bin/systemctl stop chronyd.service :: [ 10:09:46 ] :: [ INFO ] :: using '/var/tmp/beakerlib-K3dmVhy/backup' as backup destination :: [ 10:09:46 ] :: [ INFO ] :: using '/var/tmp/beakerlib-K3dmVhy/backup' as backup destination :: [ 10:09:46 ] :: [ INFO ] :: using '/var/tmp/beakerlib-K3dmVhy/backup' as backup destination :: [ 10:09:46 ] :: [ BEGIN ] :: Running 'setenforce 1' :: [ 10:09:46 ] :: [ PASS ] :: Command 'setenforce 1' (Expected 0, got 0) :: [ 10:09:46 ] :: [ BEGIN ] :: Running 'id -Z' unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 :: [ 10:09:46 ] :: [ PASS ] :: Command 'id -Z' (Expected 0, got 0) :: [ 10:09:46 ] :: [ BEGIN ] :: Running 'sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 :: [ 10:09:47 ] :: [ PASS ] :: Command 'sestatus' (Expected 0, got 0) :: [ 10:09:47 ] :: [ BEGIN ] :: Running 'semodule --list-modules=full | grep -i disabled' :: [ 10:09:47 ] :: [ PASS ] :: Command 'semodule --list-modules=full | 
grep -i disabled' (Expected 0,1, got 1) :: [ 10:09:47 ] :: [ LOG ] :: rlSESetTimestamp: Setting timestamp 'TIMESTAMP' [04/11/2025 10:09:47] :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 9s :: Assertions: 9 good, 1 bad :: RESULT: WARN (Setup) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#974992 + bz#978993 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 10:09:49 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) :: [ 10:09:49 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { sys_nice } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 10:09:51 ] :: [ PASS ] :: check permission 'sys_nice' is present (Assert: '0' should equal '0') :: [ 10:09:51 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : process { setsched } [ ]' FILTERED RULES allow chronyd_t chronyd_t:process { fork getcap getsched setcap setrlimit setsched sigchld sigkill signal signull sigstop }; :: [ 10:09:54 ] :: [ PASS ] :: check permission 'setsched' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 3 good, 0 bad :: RESULT: PASS (bz#974992 + bz#978993) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1243764 + bz#1243987 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 10:09:54 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) /var/run/chrony-helper 
system_u:object_r:chronyd_var_run_t:s0 :: [ 10:09:55 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony-helper/added_servers system_u:object_r:chronyd_var_run_t:s0 :: [ 10:09:55 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper/added_servers should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony-helper/lock system_u:object_r:chronyd_var_run_t:s0 :: [ 10:09:56 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper/lock should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/lib/dhclient system_u:object_r:dhcpc_state_t:s0 :: [ 10:09:57 ] :: [ PASS ] :: Result of matchpathcon /var/lib/dhclient should contain dhcpc_state_t (Assert: expected 0, got 0) /var/lib/dhclient/chrony.servers.eth0 system_u:object_r:dhcpc_state_t:s0 :: [ 10:09:57 ] :: [ PASS ] :: Result of matchpathcon /var/lib/dhclient/chrony.servers.eth0 should contain dhcpc_state_t (Assert: expected 0, got 0) /usr/bin/systemctl system_u:object_r:systemd_systemctl_exec_t:s0 :: [ 10:09:58 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/systemctl should contain systemd_systemctl_exec_t (Assert: expected 0, got 0) :: [ 10:09:58 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dhcpc_t chronyd_exec_t : file { getattr open read execute }' FILTERED RULES allow dhcpc_t chronyd_exec_t:file { execute execute_no_trans getattr ioctl map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:00 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:00 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:00 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:00 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 10:10:00 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition 
dhcpc_t chronyd_exec_t : process chronyd_t' FILTERED RULES type_transition dhcpc_t chronyd_exec_t:process chronyd_t; :: [ 10:10:02 ] :: [ PASS ] :: check permission 'chronyd_t' is present (Assert: '0' should equal '0') :: [ 10:10:02 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dhcpc_t chronyd_t : process { transition }' FILTERED RULES allow dhcpc_t chronyd_t:process { getattr transition }; :: [ 10:10:05 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 10:10:05 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t var_run_t : dir { read write add_name remove_name search open getattr }' FILTERED RULES allow chronyd_t var_run_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow domain var_run_t:dir { ioctl lock read }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 10:10:07 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:07 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t var_run_t : dir chronyd_var_run_t' FILTERED RULES type_transition chronyd_t var_run_t:dir chronyd_var_run_t; :: [ 10:10:09 ] :: [ PASS ] :: check permission 'chronyd_var_run_t' is present (Assert: '0' should equal '0') :: [ 10:10:09 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : 
dir { read write add_name remove_name search open getattr }' FILTERED RULES allow chronyd_t chronyd_var_run_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 10:10:12 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:12 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : file { getattr open read write create unlink }' FILTERED RULES allow chronyd_t chronyd_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:14 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ PASS ] :: check permission 'unlink' is present (Assert: '0' should equal '0') :: [ 10:10:14 ] :: [ INFO ] :: rlSESearchRule: checking rule 
'allow chronyd_t dhcpc_state_t : dir { getattr open read search }' FILTERED RULES allow chronyd_t dhcpc_state_t:dir { getattr ioctl lock open read search }; :: [ 10:10:16 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:16 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:16 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:16 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:10:16 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t dhcpc_state_t : file { getattr open read }' FILTERED RULES allow chronyd_t dhcpc_state_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:18 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:18 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:18 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:18 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t bin_t : file { getattr open read execute_no_trans }' FILTERED RULES allow chronyd_t base_ro_file_type:file { execute execute_no_trans map }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:20 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:20 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:20 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:20 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 10:10:20 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t systemd_systemctl_exec_t : file { getattr open read 
execute_no_trans }' FILTERED RULES allow chronyd_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:22 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:22 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:23 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:23 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 10:10:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow timemaster_t chronyd_t : process { signal }' FILTERED RULES allow timemaster_t chronyd_t:process { signal transition }; :: [ 10:10:25 ] :: [ PASS ] :: check permission 'signal' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 31s :: Assertions: 50 good, 0 bad :: RESULT: PASS (bz#1243764 + bz#1243987) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1350765 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:10:25 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability2 { block_suspend } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability2 block_suspend; :: [ 10:10:27 ] :: [ PASS ] :: check permission 'block_suspend' is present (Assert: '0' should equal '0') :: [ 10:10:27 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t kernel_t : system { module_request } [ ]' FILTERED RULES allow chronyd_t kernel_t:system module_request; :: [ 10:10:29 ] :: [ PASS ] :: check permission 'module_request' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1350765) 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1416015 + bz#1421248 + bz#1425408 + bz#1440791 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 10:10:30 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /etc/adjtime system_u:object_r:adjtime_t:s0 :: [ 10:10:30 ] :: [ PASS ] :: Result of matchpathcon /etc/adjtime should contain adjtime_t (Assert: expected 0, got 0) /var/run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 10:10:31 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyd.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 10:10:31 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyd.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyc.1117.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 10:10:32 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyc.1117.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 10:10:32 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t adjtime_t : file { getattr open read }' FILTERED RULES allow chronyd_t adjtime_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:34 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:34 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:34 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:34 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { chown }' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid 
sys_nice sys_resource sys_time }; :: [ 10:10:36 ] :: [ PASS ] :: check permission 'chown' is present (Assert: '0' should equal '0') :: [ 10:10:36 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t chronyd_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read sendto setattr setopt shutdown write }; :: [ 10:10:38 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 10:10:38 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { net_admin }' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 10:10:41 ] :: [ PASS ] :: check permission 'net_admin' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 12s :: Assertions: 11 good, 0 bad :: RESULT: PASS (bz#1416015 + bz#1421248 + bz#1425408 + bz#1440791) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1508486 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 10:10:41 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:10:42 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 10:10:42 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_exec_t : file { getattr open read execute_no_trans }' FILTERED RULES allow chronyd_t chronyc_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:10:44 ] 
:: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:44 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:10:44 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:10:44 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 10:10:44 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_t : process { transition }' FILTERED RULES :: [ 10:10:46 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '1' should equal '1') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1508486) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1509379 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:10:47 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 10:10:47 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyc_t : capability { dac_read_search } [ ]' FILTERED RULES allow chronyc_t chronyc_t:capability { dac_override dac_read_search }; :: [ 10:10:49 ] :: [ PASS ] :: check permission 'dac_read_search' is present (Assert: '0' should equal '0') :: [ 10:10:49 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t chronyc_exec_t : process chronyc_t' FILTERED RULES :: [ 10:10:52 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '1' should equal '1') :: [ 10:10:52 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { dac_read_search } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; 
:: [ 10:10:54 ] :: [ PASS ] :: check permission 'dac_read_search' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 8s :: Assertions: 4 good, 0 bad :: RESULT: PASS (bz#1509379) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1530525 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:10:54 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /etc system_u:object_r:etc_t:s0 :: [ 10:10:55 ] :: [ PASS ] :: Result of matchpathcon /etc should contain etc_t (Assert: expected 0, got 0) /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 10:10:56 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) :: [ 10:10:56 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_keys_t : file { getattr ioctl append write } [ ]' FILTERED RULES allow chronyc_t chronyd_keys_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:10:58 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:10:58 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 10:10:58 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:10:58 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1530525) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1470150 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /var/run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 10:10:58 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyc.3781.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 10:10:59 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyc.3781.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 10:10:59 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t chronyc_t:unix_dgram_socket sendto; :: [ 10:11:01 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 10:11:01 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyc_t chronyd_t:unix_dgram_socket sendto; :: [ 10:11:03 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 10:11:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_cronjob_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 10:11:05 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:05 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:05 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:11:05 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 10:11:06 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition system_cronjob_t chronyc_exec_t : process 
chronyc_t' FILTERED RULES type_transition system_cronjob_t chronyc_exec_t:process chronyc_t; :: [ 10:11:08 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 10:11:08 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_cronjob_t chronyc_t : process { transition } [ ]' FILTERED RULES allow system_cronjob_t chronyc_t:process transition; allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; :: [ 10:11:10 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 10:11:10 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow inetd_child_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 10:11:12 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:12 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:12 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:11:12 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 10:11:12 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition inetd_child_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition inetd_child_t chronyc_exec_t:process chronyc_t; :: [ 10:11:15 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 10:11:15 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow inetd_child_t chronyc_t : process { 
transition } [ ]' FILTERED RULES allow inetd_child_t chronyc_t:process transition; allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; :: [ 10:11:17 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 10:11:17 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_run_t : sock_file { create write unlink }' FILTERED RULES allow chronyc_t chronyd_var_run_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; :: [ 10:11:19 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 10:11:19 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:19 ] :: [ PASS ] :: check permission 'unlink' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 21s :: Assertions: 19 good, 0 bad :: RESULT: PASS (bz#1470150) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1281473 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 10:11:20 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 10:11:20 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) /var/run/timemaster/chrony.conf system_u:object_r:timemaster_var_run_t:s0 :: [ 10:11:21 ] :: [ PASS ] :: Result of matchpathcon /var/run/timemaster/chrony.conf should contain timemaster_var_run_t (Assert: expected 0, got 0) :: [ 10:11:21 ] :: [ INFO ] :: rlSESearchRule: 
checking rule 'allow chronyd_t chronyd_keys_t : file { append setattr }' FILTERED RULES allow chronyd_t chronyd_keys_t:file { append getattr ioctl lock open read setattr }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:11:23 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:11:23 ] :: [ PASS ] :: check permission 'setattr' is present (Assert: '0' should equal '0') :: [ 10:11:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t timemaster_var_run_t : file { getattr open read }' FILTERED RULES allow chronyd_t timemaster_var_run_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:11:25 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:25 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:25 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 6s :: Assertions: 8 good, 0 bad :: RESULT: PASS (bz#1281473) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1290310 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 10:11:26 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /var/run system_u:object_r:var_run_t:s0 /run system_u:object_r:var_run_t:s0 :: [ 10:11:27 ] :: [ PASS ] :: Results of matchpathcon /var/run /run should contain var_run_t (Assert: expected 0, got 0) /var/run/chronyd.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 10:11:27 ] :: [ PASS ] :: Result of matchpathcon /var/run/chronyd.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 10:11:27 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow 
chronyd_t var_run_t : dir { getattr open search read write add_name remove_name }' FILTERED RULES allow chronyd_t var_run_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow domain var_run_t:dir { ioctl lock read }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 10:11:29 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 10:11:29 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t var_run_t : sock_file chronyd_var_run_t' FILTERED RULES type_transition chronyd_t var_run_t:sock_file chronyd_var_run_t; :: [ 10:11:32 ] :: [ PASS ] :: check permission 'chronyd_var_run_t' is present (Assert: '0' should equal '0') :: [ 10:11:32 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : sock_file { create }' FILTERED RULES allow chronyd_t chronyd_var_run_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; :: [ 10:11:34 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 9s :: Assertions: 12 good, 0 bad :: RESULT: PASS (bz#1290310) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1390657 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 10:11:35 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) :: [ 10:11:35 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyd_keys_t : file { getattr open read }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow logrotate_t chronyd_keys_t:file { getattr ioctl lock open read }; :: [ 10:11:37 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:37 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:37 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 4 good, 0 bad :: RESULT: PASS (bz#1390657) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1509927 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:11:38 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 10:11:38 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t user_devpts_t : chr_file { read write getattr append open } [ ]' FILTERED RULES allow chronyc_t user_devpts_t:chr_file { append getattr ioctl lock open read write }; :: [ 10:11:40 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:11:40 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:40 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:40 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:11:40 ] 
:: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 6 good, 0 bad :: RESULT: PASS (bz#1509927) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1574418 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:11:41 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /tmp system_u:object_r:tmp_t:s0 :: [ 10:11:41 ] :: [ PASS ] :: Result of matchpathcon /tmp should contain tmp_t (Assert: expected 0, got 0) /var/lib system_u:object_r:var_lib_t:s0 :: [ 10:11:42 ] :: [ PASS ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent system_u:object_r:var_lib_t:s0 :: [ 10:11:42 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent/cache system_u:object_r:var_lib_t:s0 :: [ 10:11:43 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent/cache should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent/cache/chrony.cache.new system_u:object_r:var_lib_t:s0 :: [ 10:11:44 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent/cache/chrony.cache.new should contain var_lib_t (Assert: expected 0, got 0) /var/log system_u:object_r:var_log_t:s0 :: [ 10:11:44 ] :: [ PASS ] :: Result of matchpathcon /var/log should contain var_log_t (Assert: expected 0, got 0) :: [ 10:11:44 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t tmp_t : dir { write add_name } [ ]' FILTERED RULES allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain tmp_t:dir { add_name ioctl lock read remove_name write }; :: [ 10:11:46 ] :: [ PASS ] :: check permission 'write' is present 
(Assert: '0' should equal '0') :: [ 10:11:46 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:11:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t tmp_t : file chronyd_tmp_t' FILTERED RULES type_transition chronyc_t tmp_t:file chronyd_tmp_t; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_0.rcache2; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_23.rcache2; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_55.rcache2; :: [ 10:11:49 ] :: [ PASS ] :: check permission 'chronyd_tmp_t' is present (Assert: '0' should equal '0') :: [ 10:11:49 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_tmp_t : file { create getattr open write } [ ]' FILTERED RULES allow chronyc_t chronyd_tmp_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; allow domain tmpfile:file { append getattr ioctl lock read }; :: [ 10:11:51 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 10:11:51 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:51 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:51 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:51 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : dir { write add_name } [ ]' FILTERED RULES allow chronyc_t var_log_t:dir { add_name ioctl lock read remove_name write }; allow domain var_log_t:dir { getattr open search }; :: [ 10:11:53 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:53 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:11:53 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t var_log_t : file 
chronyd_var_log_t' FILTERED RULES type_transition chronyc_t var_log_t:file chronyd_var_log_t; :: [ 10:11:56 ] :: [ PASS ] :: check permission 'chronyd_var_log_t' is present (Assert: '0' should equal '0') :: [ 10:11:56 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_log_t : file { create getattr open write } [ ]' FILTERED RULES allow application_domain_type logfile:file { append getattr ioctl lock }; allow chronyc_t chronyd_var_log_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:11:58 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 10:11:58 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:11:58 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:11:58 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:11:58 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : dir { write add_name } [ ]' FILTERED RULES allow chronyc_t var_lib_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain var_lib_t:dir { ioctl lock read }; :: [ 10:12:00 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:12:00 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:12:00 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t var_lib_t : file chronyd_var_lib_t' FILTERED RULES type_transition chronyc_t var_lib_t:file chronyd_var_lib_t; :: [ 10:12:03 ] :: [ PASS ] :: check permission 'chronyd_var_lib_t' is present (Assert: '0' should equal '0') :: [ 10:12:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_lib_t : file { create getattr open write } [ ]' FILTERED RULES allow chronyc_t 
chronyd_var_lib_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:12:05 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 10:12:05 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:05 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:05 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 25s :: Assertions: 28 good, 0 bad :: RESULT: PASS (bz#1574418) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1575002 + bz#1577057 + bz#1593267 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /dev/tty1 system_u:object_r:tty_device_t:s0 :: [ 10:12:06 ] :: [ PASS ] :: Result of matchpathcon /dev/tty1 should contain tty_device_t (Assert: expected 0, got 0) :: [ 10:12:06 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow unconfined_t chronyc_exec_t : file { getattr open read execute }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 10:12:08 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:08 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:08 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:12:08 ] :: [ PASS ] :: check permission 'execute' 
is present (Assert: '0' should equal '0') :: [ 10:12:08 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow unconfined_t chronyc_t : process { transition }' FILTERED RULES allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True allow unconfined_t domain:process transition; :: [ 10:12:10 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 10:12:10 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition unconfined_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition unconfined_t chronyc_exec_t:process chronyc_t; :: [ 10:12:13 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 10:12:13 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_change unconfined_t tty_device_t : chr_file user_tty_device_t' FILTERED RULES type_change unconfined_t tty_device_t:chr_file user_tty_device_t; :: [ 10:12:15 ] :: [ PASS ] :: check permission 'user_tty_device_t' is present (Assert: '0' should equal '0') :: [ 10:12:15 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t user_tty_device_t : chr_file { read write } [ ]' FILTERED RULES allow chronyc_t user_tty_device_t:chr_file { append getattr ioctl lock read write }; :: [ 10:12:17 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:12:17 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 12s :: Assertions: 10 good, 0 bad :: RESULT: PASS (bz#1575002 + bz#1577057 + bz#1593267) 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1596563 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:12:17 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/run/nscd/socket system_u:object_r:nscd_var_run_t:s0 :: [ 10:12:18 ] :: [ PASS ] :: Result of matchpathcon /var/run/nscd/socket should contain nscd_var_run_t (Assert: expected 0, got 0) /var/db/nscd/passwd system_u:object_r:nscd_var_run_t:s0 :: [ 10:12:19 ] :: [ PASS ] :: Result of matchpathcon /var/db/nscd/passwd should contain nscd_var_run_t (Assert: expected 0, got 0) :: [ 10:12:19 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_t : unix_stream_socket { connectto }' FILTERED RULES allow nsswitch_domain nscd_t:unix_stream_socket { append bind connect connectto create getattr getopt ioctl lock read setattr setopt shutdown write }; :: [ 10:12:21 ] :: [ PASS ] :: check permission 'connectto' is present (Assert: '0' should equal '0') :: [ 10:12:21 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_dbusd_t nscd_var_run_t : file { map }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow nsswitch_domain nscd_var_run_t:file map; allow system_dbusd_t non_security_file_type:file { read write }; :: [ 10:12:23 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 10:12:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'dontaudit chronyc_t nscd_var_run_t : file { getattr open read }' FILTERED RULES dontaudit nsswitch_domain nscd_var_run_t:file { getattr ioctl lock open read }; :: [ 10:12:25 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:25 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:25 ] :: [ PASS ] :: check permission 'read' 
is present (Assert: '0' should equal '0') :: [ 10:12:25 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_tmpfs_t : file { map }' FILTERED RULES allow chronyd_t chronyd_tmpfs_t:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:12:27 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 10:12:27 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t gpsd_tmpfs_t : file { map }' FILTERED RULES allow chronyd_t gpsd_tmpfs_t:file { append getattr ioctl lock map open read write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 10:12:29 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 10:12:29 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_t : nscd { shmemhost gethost }' FILTERED RULES allow chronyc_t nscd_t:nscd { getnetgrp getserv shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; allow nsswitch_domain nscd_t:nscd { getgrp gethost getpwd }; allow nsswitch_domain nscd_t:nscd { getnetgrp getserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { getnetgrp getserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; [ nscd_use_shm ]:True :: [ 10:12:31 ] :: [ PASS ] :: check permission 'shmemhost' is present (Assert: '0' should equal '0') :: [ 10:12:31 ] :: [ PASS ] :: check permission 'gethost' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 14s :: Assertions: 12 good, 0 bad :: RESULT: PASS (bz#1596563) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1568281 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:12:32 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 10:12:33 ] :: [ PASS ] :: Result of matchpathcon /run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 10:12:33 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow logrotate_t application_exec_type:file { execute execute_no_trans ioctl lock map open read }; allow logrotate_t exec_type:file getattr; :: [ 10:12:35 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:35 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:35 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:12:35 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 10:12:35 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition logrotate_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition logrotate_t chronyc_exec_t:process chronyc_t; :: [ 10:12:38 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 10:12:38 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyc_t : process { transition } [ ]' FILTERED RULES allow logrotate_t chronyc_t:process transition; allow logrotate_t domain:process signal; :: [ 10:12:40 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 10:12:40 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_run_t : dir { write } [ ]' FILTERED RULES allow chronyc_t chronyd_var_run_t:dir { add_name create ioctl link lock read remove_name rename reparent 
rmdir setattr unlink watch watch_reads write }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 10:12:42 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 10s :: Assertions: 9 good, 0 bad :: RESULT: PASS (bz#1568281) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1567753 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 10:12:43 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /var/lib/libvirt/dnsmasq system_u:object_r:virt_var_lib_t:s0 :: [ 10:12:43 ] :: [ PASS ] :: Result of matchpathcon /var/lib/libvirt/dnsmasq should contain virt_var_lib_t (Assert: expected 0, got 0) :: [ 10:12:43 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t virt_var_lib_t : dir { getattr open search read } [ ]' FILTERED RULES allow nsswitch_domain virt_var_lib_t:dir { getattr ioctl lock open read search }; :: [ 10:12:45 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:45 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:45 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:12:45 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 6 good, 0 bad :: RESULT: PASS (bz#1567753) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1618757 + bz#1622499 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:12:46 ] :: [ PASS ] :: Result of matchpathcon 
/usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 10:12:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t unconfined_t : unix_stream_socket { read write ioctl getattr } [ ]' FILTERED RULES allow chronyc_t userdomain:unix_stream_socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write }; :: [ 10:12:48 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 10:12:48 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:12:48 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 10:12:48 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 5 good, 0 bad :: RESULT: PASS (bz#1618757 + bz#1622499) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1652079 + bz#1696252 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:12:49 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/lib system_u:object_r:var_lib_t:s0 :: [ 10:12:50 ] :: [ PASS ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0) /var/lib/test system_u:object_r:var_lib_t:s0 :: [ 10:12:50 ] :: [ PASS ] :: Result of matchpathcon /var/lib/test should contain var_lib_t (Assert: expected 0, got 0) /var/log system_u:object_r:var_log_t:s0 :: [ 10:12:51 ] :: [ PASS ] :: Result of matchpathcon /var/log should contain var_log_t (Assert: expected 0, got 0) /var/log/test system_u:object_r:var_log_t:s0 :: [ 10:12:52 ] :: [ PASS ] :: Result of matchpathcon /var/log/test should contain var_log_t (Assert: expected 0, got 0) /var/run system_u:object_r:var_run_t:s0 /run 
system_u:object_r:var_run_t:s0 :: [ 10:12:52 ] :: [ PASS ] :: Results of matchpathcon /var/run /run should contain var_run_t (Assert: expected 0, got 0) /var/run/test system_u:object_r:var_run_t:s0 :: [ 10:12:53 ] :: [ PASS ] :: Result of matchpathcon /var/run/test should contain var_run_t (Assert: expected 0, got 0) /var/cache system_u:object_r:var_t:s0 :: [ 10:12:53 ] :: [ PASS ] :: Result of matchpathcon /var/cache should contain var_t (Assert: expected 0, got 0) /var/cache/test system_u:object_r:var_t:s0 :: [ 10:12:54 ] :: [ PASS ] :: Result of matchpathcon /var/cache/test should contain var_t (Assert: expected 0, got 0) :: [ 10:12:54 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : dir { getattr open search write add_name } [ ]' FILTERED RULES allow chronyc_t var_lib_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain var_lib_t:dir { ioctl lock read }; :: [ 10:12:56 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:56 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:12:56 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:12:56 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:12:56 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:12:56 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:12:58 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:12:58 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 10:12:58 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 
10:12:58 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:12:59 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : dir { getattr open search write add_name } [ ]' FILTERED RULES allow chronyc_t var_log_t:dir { add_name ioctl lock read remove_name write }; allow domain var_log_t:dir { getattr open search }; :: [ 10:13:01 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:13:01 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:13:01 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:13:01 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:13:01 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 10:13:01 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow application_domain_type logfile:file { append getattr ioctl lock }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:13:03 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:13:03 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 10:13:03 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:13:03 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:13:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:13:05 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:13:05 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should 
equal '0') :: [ 10:13:05 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:13:05 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 10:13:05 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_run_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 10:13:07 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:13:07 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 10:13:07 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 10:13:07 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 18s :: Assertions: 35 good, 0 bad :: RESULT: PASS (bz#1652079 + bz#1696252) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1593607 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 10:13:08 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) :: [ 10:13:08 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t shell_exec_t : file { map } [ ] mls' FILTERED RULES allow chronyd_t shell_exec_t:file { execute execute_no_trans map }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; :: [ 10:13:09 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1593607) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: 
bz#1772852 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:13:10 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/db/nscd/hosts system_u:object_r:nscd_var_run_t:s0 :: [ 10:13:10 ] :: [ PASS ] :: Result of matchpathcon /var/db/nscd/hosts should contain nscd_var_run_t (Assert: expected 0, got 0) :: [ 10:13:10 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_var_run_t : file { map } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; allow nsswitch_domain nscd_var_run_t:file map; :: [ 10:13:12 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 3 good, 0 bad :: RESULT: PASS (bz#1772852) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1895825 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /run/chrony-dhcp system_u:object_r:chronyd_var_run_t:s0 :: [ 10:13:13 ] :: [ PASS ] :: Result of matchpathcon /run/chrony-dhcp should contain chronyd_var_run_t (Assert: expected 0, got 0) /run/chrony-dhcp/something.source system_u:object_r:chronyd_var_run_t:s0 :: [ 10:13:14 ] :: [ PASS ] :: Result of matchpathcon /run/chrony-dhcp/something.source should contain chronyd_var_run_t (Assert: expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1895825) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1900143 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /run/systemd/resolve/io.systemd.Resolve system_u:object_r:systemd_resolved_var_run_t:s0 :: [ 10:13:14 ] 
:: [ PASS ] :: Result of matchpathcon /run/systemd/resolve/io.systemd.Resolve should contain systemd_resolved_var_run_t (Assert: expected 0, got 0) :: [ 10:13:14 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t systemd_resolved_var_run_t : sock_file { write } [ ]' FILTERED RULES allow domain systemd_resolved_var_run_t:sock_file { append getattr open write }; :: [ 10:13:17 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1900143) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2173604 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 10:13:17 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 10:13:17 ] :: [ BEGIN ] :: Running 'ls -dZ /proc/sys/net/ipv6/conf/all | grep :sysctl_net_t' system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all :: [ 10:13:17 ] :: [ PASS ] :: Command 'ls -dZ /proc/sys/net/ipv6/conf/all | grep :sysctl_net_t' (Expected 0, got 0) :: [ 10:13:17 ] :: [ BEGIN ] :: Running 'ls -dZ /proc/sys/net/ipv6/conf/all/disable_ipv6 | grep :sysctl_net_t' system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all/disable_ipv6 :: [ 10:13:17 ] :: [ PASS ] :: Command 'ls -dZ /proc/sys/net/ipv6/conf/all/disable_ipv6 | grep :sysctl_net_t' (Expected 0, got 0) :: [ 10:13:17 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t sysctl_net_t : dir { search } [ ]' FILTERED RULES allow chronyc_t sysctl_net_t:dir { getattr ioctl lock open read search }; :: [ 10:13:20 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 10:13:20 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t sysctl_net_t : file { getattr open read 
} [ ]' FILTERED RULES allow chronyc_t sysctl_net_t:file { getattr ioctl lock open read }; :: [ 10:13:22 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 10:13:22 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 10:13:22 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#2173604) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1961207 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:22 ] :: [ BEGIN ] :: Running 'seinfo --portcon=4460 | grep "portcon tcp .*:ntske_port_t"' portcon tcp 4460 system_u:object_r:ntske_port_t:s0 :: [ 10:13:22 ] :: [ PASS ] :: Command 'seinfo --portcon=4460 | grep "portcon tcp .*:ntske_port_t"' (Expected 0, got 0) /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-ki system_u:object_r:cert_t:s0 :: [ 10:13:23 ] :: [ PASS ] :: Result of matchpathcon /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-ki should contain cert_t (Assert: expected 0, got 0) :: [ 10:13:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t ntske_port_t : tcp_socket { name_bind name_connect } [ ]' FILTERED RULES allow chronyd_t ntske_port_t:tcp_socket { name_bind name_connect }; :: [ 10:13:25 ] :: [ PASS ] :: check permission 'name_bind' is present (Assert: '0' should equal '0') :: [ 10:13:25 ] :: [ PASS ] :: check permission 'name_connect' is present (Assert: '0' should equal '0') :: [ 10:13:25 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : tcp_socket { listen accept }' FILTERED RULES allow chronyd_t chronyd_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write }; :: [ 10:13:27 ] :: [ PASS ] :: check permission 'listen' is present 
(Assert: '0' should equal '0') :: [ 10:13:27 ] :: [ PASS ] :: check permission 'accept' is present (Assert: '0' should equal '0') :: [ 10:13:27 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t cert_t : file { map } [ ]' FILTERED RULES allow nsswitch_domain cert_t:file { getattr ioctl lock map open read }; :: [ 10:13:29 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 7s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1961207) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:29 ] :: [ BEGIN ] :: Running 'echo "sched_priority 50" >> /etc/chrony.conf' :: [ 10:13:29 ] :: [ PASS ] :: Command 'echo "sched_priority 50" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 10:13:29 ] :: [ BEGIN ] :: Running 'echo "refclock SHM 0" >> /etc/chrony.conf' :: [ 10:13:29 ] :: [ PASS ] :: Command 'echo "refclock SHM 0" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 10:13:29 ] :: [ BEGIN ] :: Running 'echo "refclock SOCK /var/run/chronyd.sock" >> /etc/chrony.conf' :: [ 10:13:29 ] :: [ PASS ] :: Command 'echo "refclock SOCK /var/run/chronyd.sock" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 10:13:29 ] :: [ BEGIN ] :: Running 'echo redhat | passwd --stdin root' Changing password for user root. passwd: all authentication tokens updated successfully. :: [ 10:13:29 ] :: [ PASS ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0) chronyd_t is defined :: [ 10:13:30 ] :: [ BEGIN ] :: Running 'service chronyd start' Redirecting to /bin/systemctl start chronyd.service :: [ 10:13:30 ] :: [ PASS ] :: Command 'service chronyd start' (Expected 0, got 0) :: [ 10:13:31 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd"' system_u:system_r:chronyd_t:s0 chrony 38068 1 0 10:13 ? 
00:00:00 /usr/sbin/chronyd -F 2 :: [ 10:13:31 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd"' (Expected 0, got 0) :: [ 10:13:31 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' system_u:system_r:chronyd_t:s0 chrony 38068 1 0 10:13 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 10:13:31 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' (Expected 0, got 0) :: [ 10:13:33 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: active (running) since Fri 2025-04-11 10:13:30 EDT; 2s ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 38066 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 38068 (chronyd) Tasks: 1 (limit: 11052) Memory: 1.0M CPU: 31ms CGroup: /system.slice/chronyd.service └─38068 /usr/sbin/chronyd -F 2 Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star… Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38068]: ... Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38068]: ... Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38068]: ... Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38068]: ... Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38068]: ... Apr 11 10:13:30 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star… Hint: Some lines were ellipsized, use -l to show in full. 
:: [ 10:13:33 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 0) :: [ 10:13:34 ] :: [ BEGIN ] :: Running 'ipcs -m | grep 0x4e545030' 0x4e545030 0 root 600 96 1 :: [ 10:13:34 ] :: [ PASS ] :: Command 'ipcs -m | grep 0x4e545030' (Expected 0, got 0) :: [ 10:13:34 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/chronyd.sock | grep :chronyd_var_run_t' system_u:object_r:chronyd_var_run_t:s0 /var/run/chronyd.sock :: [ 10:13:34 ] :: [ PASS ] :: Command 'ls -Z /var/run/chronyd.sock | grep :chronyd_var_run_t' (Expected 0, got 0) :: [ 10:13:34 ] :: [ BEGIN ] :: Running 'restorecon -Rv /etc /run /var -e /var/ARTIFACTS' Can't stat exclude path "/var/ARTIFACTS", No such file or directory - ignoring. :: [ 10:13:35 ] :: [ PASS ] :: Command 'restorecon -Rv /etc /run /var -e /var/ARTIFACTS' (Expected 0-255, got 0) :: [ 10:13:35 ] :: [ BEGIN ] :: Running 'service chronyd restart' Redirecting to /bin/systemctl restart chronyd.service :: [ 10:13:35 ] :: [ PASS ] :: Command 'service chronyd restart' (Expected 0, got 0) :: [ 10:13:37 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd"' system_u:system_r:chronyd_t:s0 chrony 38750 1 0 10:13 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 10:13:37 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd"' (Expected 0, got 0) :: [ 10:13:37 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' system_u:system_r:chronyd_t:s0 chrony 38750 1 0 10:13 ? 
00:00:00 /usr/sbin/chronyd -F 2 :: [ 10:13:37 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' (Expected 0, got 0) :: [ 10:13:38 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: active (running) since Fri 2025-04-11 10:13:35 EDT; 2s ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 38748 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 38750 (chronyd) Tasks: 1 (limit: 11052) Memory: 1.0M CPU: 30ms CGroup: /system.slice/chronyd.service └─38750 /usr/sbin/chronyd -F 2 Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star… Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star… Hint: Some lines were ellipsized, use -l to show in full. 
:: [ 10:13:38 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 0) :: [ 10:13:39 ] :: [ BEGIN ] :: Running 'chronyc tracking' Reference ID : 00000000 () Stratum : 0 Ref time (UTC) : Thu Jan 01 00:00:00 1970 System time : 0.000000000 seconds fast of NTP time Last offset : +0.000000000 seconds RMS offset : 0.000000000 seconds Frequency : 0.000 ppm slow Residual freq : +0.000 ppm Skew : 0.000 ppm Root delay : 1.000000000 seconds Root dispersion : 1.000000000 seconds Update interval : 0.0 seconds Leap status : Not synchronised :: [ 10:13:39 ] :: [ PASS ] :: Command 'chronyc tracking' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /tmp/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /tmp/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc tracking > /tmp/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc tracking > /tmp/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /tmp/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /tmp/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /tmp/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:user_tmp_t:s0 /tmp/chronyc.output :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /tmp/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc tracking > /var/lib/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc tracking > /var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/lib/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s 
/var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:chronyd_var_lib_t:s0 /var/lib/chrony/chronyc.output :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/lib/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/log/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc tracking > /var/log/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc tracking > /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/log/chrony/chronyc.output' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:chronyd_var_log_t:s0 /var/log/chrony/chronyc.output :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/log/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/lib/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/lib/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/lib/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking >> 
/var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/test' unconfined_u:object_r:var_lib_t:s0 /var/lib/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_lib_t:s0 /var/lib/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/lib/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/lib/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/log/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/log/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/log/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/log/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/test' unconfined_u:object_r:var_log_t:s0 /var/log/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_log_t:s0 /var/log/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/log/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/log/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/log/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: 
Running 'rm -f /var/run/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/run/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/run/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/run/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/test' unconfined_u:object_r:var_run_t:s0 /var/run/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_run_t:s0 /var/run/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/run/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/run/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/run/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/cache/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/cache/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'test -s /var/cache/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'test -s /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/cache/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/cache/test' 
unconfined_u:object_r:var_t:s0 /var/cache/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'ls -Z /var/cache/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_t:s0 /var/cache/test :: [ 10:13:40 ] :: [ PASS ] :: Command 'ls -Z /var/cache/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'rm -f /var/cache/test' :: [ 10:13:40 ] :: [ PASS ] :: Command 'rm -f /var/cache/test' (Expected 0, got 0) :: [ 10:13:40 ] :: [ BEGIN ] :: Running 'service nscd start' Redirecting to /bin/systemctl start nscd.service :: [ 10:13:40 ] :: [ PASS ] :: Command 'service nscd start' (Expected 0, got 0) :: [ 10:13:42 ] :: [ BEGIN ] :: Running 'getsebool -a | grep nscd' nscd_use_shm --> on :: [ 10:13:42 ] :: [ PASS ] :: Command 'getsebool -a | grep nscd' (Expected 0, got 0) :: [ 10:13:42 ] :: [ BEGIN ] :: Running 'chronyc sources' MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #? SHM0 0 4 0 - +0ns[ +0ns] +/- 0ns #? SOC1 0 4 0 - +0ns[ +0ns] +/- 0ns ^? ip229.ip-51-81-226.us 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2001:470:b:22d::123 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 66.59.198.178 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2604:a880:800:a1::ec9:50> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp0.idealab.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2600:4040:e0da:f000::cbb> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? server.slakjd.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2600:1700:3d24:740f:9524> 0 6 0 - +0ns[ +0ns] +/- 0ns :: [ 10:13:43 ] :: [ PASS ] :: Command 'chronyc sources' (Expected 0, got 0) :: [ 10:13:43 ] :: [ BEGIN ] :: Running 'ksh -c "chronyc sources"' MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #? SHM0 0 4 0 - +0ns[ +0ns] +/- 0ns #? SOC1 0 4 0 - +0ns[ +0ns] +/- 0ns ^? 
ip229.ip-51-81-226.us 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2001:470:b:22d::123 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 66.59.198.178 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2604:a880:800:a1::ec9:50> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp0.idealab.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2600:4040:e0da:f000::cbb> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? server.slakjd.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2600:1700:3d24:740f:9524> 0 6 0 - +0ns[ +0ns] +/- 0ns :: [ 10:13:43 ] :: [ PASS ] :: Command 'ksh -c "chronyc sources"' (Expected 0, got 0) :: [ 10:13:43 ] :: [ BEGIN ] :: Running 'chronyc serverstats' NTP packets received : 0 NTP packets dropped : 0 Command packets received : 35 Command packets dropped : 0 Client log records dropped : 0 NTS-KE connections accepted: 0 NTS-KE connections dropped : 0 Authenticated NTP packets : 0 Interleaved NTP packets : 0 NTP timestamps held : 0 NTP timestamp span : 0 NTP daemon RX timestamps : 0 NTP daemon TX timestamps : 0 NTP kernel RX timestamps : 0 NTP kernel TX timestamps : 0 NTP hardware RX timestamps : 0 NTP hardware TX timestamps : 0 :: [ 10:13:43 ] :: [ PASS ] :: Command 'chronyc serverstats' (Expected 0, got 0) :: [ 10:13:43 ] :: [ BEGIN ] :: Running 'service nscd stop' Redirecting to /bin/systemctl stop nscd.service :: [ 10:13:43 ] :: [ PASS ] :: Command 'service nscd stop' (Expected 0, got 0) :: [ 10:13:43 ] :: [ BEGIN ] :: Running 'service chronyd stop' Redirecting to /bin/systemctl stop chronyd.service :: [ 10:13:43 ] :: [ PASS ] :: Command 'service chronyd stop' (Expected 0, got 0) :: [ 10:13:45 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ○ chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: inactive (dead) since Fri 2025-04-11 10:13:43 EDT; 1s ago Duration: 7.786s Docs: man:chronyd(8) man:chrony.conf(5) Process: 38748 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 38750 (code=exited, 
status=0/SUCCESS) CPU: 35ms Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:35 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star… Apr 11 10:13:43 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[38750]: ... Apr 11 10:13:43 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Stop… Apr 11 10:13:43 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: chro… Apr 11 10:13:43 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Stop… Hint: Some lines were ellipsized, use -l to show in full. :: [ 10:13:45 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 3) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 17s :: Assertions: 64 good, 0 bad :: RESULT: PASS (real scenario) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#1530525 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'rm -f /etc/chrony.keys' :: [ 10:13:46 ] :: [ PASS ] :: Command 'rm -f /etc/chrony.keys' (Expected 0, got 0) :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'touch /etc/chrony.keys' :: [ 10:13:46 ] :: [ PASS ] :: Command 'touch /etc/chrony.keys' (Expected 0, got 0) :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'restorecon -v /etc/chrony.keys' Relabeled /etc/chrony.keys from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:chronyd_keys_t:s0 :: [ 10:13:46 ] :: [ PASS ] :: Command 'restorecon -v /etc/chrony.keys' (Expected 0, got 0) :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'chronyc keygen 1111 SHA1 > 
/etc/chrony.keys' :: [ 10:13:46 ] :: [ PASS ] :: Command 'chronyc keygen 1111 SHA1 > /etc/chrony.keys' (Expected 0, got 0) :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'chronyc keygen 1111 SHA1 >> /etc/chrony.keys' :: [ 10:13:46 ] :: [ PASS ] :: Command 'chronyc keygen 1111 SHA1 >> /etc/chrony.keys' (Expected 0, got 0) :: [ 10:13:46 ] :: [ BEGIN ] :: Running 'ls -Z /etc/chrony.keys | grep :chronyd_keys_t' unconfined_u:object_r:chronyd_keys_t:s0 /etc/chrony.keys :: [ 10:13:46 ] :: [ PASS ] :: Command 'ls -Z /etc/chrony.keys | grep :chronyd_keys_t' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 0s :: Assertions: 6 good, 0 bad :: RESULT: PASS (real scenario -- bz#1530525) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#1961207 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:47 ] :: [ BEGIN ] :: Running './chrony-nts-test.sh' Generating a 256 bit EdDSA (Ed25519) private key ... Generating a self signed certificate... X.509 Certificate Information: Version: 3 Serial Number (hex): 01 Validity: Not Before: Wed Jan 01 00:00:00 UTC 2020 Not After: Tue Jan 01 00:00:00 UTC 2030 Subject: CN=chrony-nts-test Subject Public Key Algorithm: EdDSA (Ed25519) Algorithm Security Level: High (256 bits) Curve: Ed25519 X: d8:8e:fa:e9:48:28:f8:20:c0:7d:e2:ad:9b:f0:db:da 8b:46:a1:a7:64:16:e1:ee:72:af:3a:ca:24:03:0c:97 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Usage (critical): Digital signature. Subject Key Identifier (not critical): b3b3db44f71943be42e213235cf9ef40b60220de Other Information: Public Key ID: sha1:b3b3db44f71943be42e213235cf9ef40b60220de sha256:471a6297a435ef21774967471f99597bc0330cc301f1d1460de297def31325b7 Public Key PIN: pin-sha256:Rxpil6Q17yF3SWdHH5lZe8AzDMMB8dFGDeKX3vMTJbc= Signing certificate... 
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen ========================================================================= chrony-nts-test NTS 1 30 128 0 0 0 8 64 time.cloudflare.com NTS 0 0 0 - 1 0 0 0 :: [ 10:13:50 ] :: [ PASS ] :: Command './chrony-nts-test.sh' (Expected 0, got 0) :: [ 10:13:50 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/chrony/*.nts' :: [ 10:13:50 ] :: [ PASS ] :: Command 'rm -f /var/lib/chrony/*.nts' (Expected 0, got 0) :: [ 10:13:50 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd' :: [ 10:13:50 ] :: [ PASS ] :: Command 'systemctl restart chronyd' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 3 good, 0 bad :: RESULT: PASS (real scenario -- bz#1961207) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2065313 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:50 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t unconfined_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t unconfined_t:unix_dgram_socket sendto; :: [ 10:13:52 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 1 good, 0 bad :: RESULT: PASS (bz#2065313) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#2065313 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:52 ] :: [ LOG ] :: special socat command talks to chronyd via its UNIX socket 00000000 06 02 00 00 00 21 00 05 00 00 00 00 00 00 00 00 |.....!..........| 00000010 21 d7 e4 22 00 00 00 00 00 00 00 00 7f 7f 01 01 |!.."............| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 00 00 00 00 00 0a 00 00 00 00 00 00 67 f9 23 9c |............g.#.| 
00000040 32 d8 44 4b 00 00 00 00 00 00 00 00 00 00 00 00 |2.DK............| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 00 00 00 00 00 00 00 00 |........| 00000068 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 0 good, 0 bad :: RESULT: PASS (real scenario -- bz#2065313) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2118628 + bz#2118631 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:53 ] :: [ BEGIN ] :: Running 'seinfo --portcon=319 | grep "portcon udp .*:ptp_event_port_t"' portcon udp 319 system_u:object_r:ptp_event_port_t:s0 :: [ 10:13:53 ] :: [ PASS ] :: Command 'seinfo --portcon=319 | grep "portcon udp .*:ptp_event_port_t"' (Expected 0, got 0) :: [ 10:13:53 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t ptp_event_port_t : udp_socket { name_bind } [ ]' FILTERED RULES allow chronyd_t ptp_event_port_t:udp_socket name_bind; :: [ 10:13:55 ] :: [ PASS ] :: check permission 'name_bind' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#2118628 + bz#2118631) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#2118628 + bz#2118631 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:13:56 ] :: [ BEGIN ] :: Running 'echo -en ' allow ptpport 319 server 127.0.0.1 port 319 minpoll 0 maxpoll 0 ' >> /etc/chrony.conf' :: [ 10:13:56 ] :: [ PASS ] :: Command 'echo -en ' allow ptpport 319 server 127.0.0.1 port 319 minpoll 0 maxpoll 0 ' >> /etc/chrony.conf' (Expected 0, got 0) :: [ 10:13:56 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd' :: [ 10:13:56 ] :: [ PASS ] :: Command 'systemctl restart chronyd' (Expected 0, got 0) :: [ 10:14:01 ] :: [ BEGIN 
] :: Running 'chronyc ntpdata 127.0.0.1 | grep 'Total RX'' Total RX : 5 :: [ 10:14:01 ] :: [ PASS ] :: Command 'chronyc ntpdata 127.0.0.1 | grep 'Total RX'' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 6s :: Assertions: 3 good, 0 bad :: RESULT: PASS (real scenario -- bz#2118628 + bz#2118631) chronyd_restricted_t is defined :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: RHEL-82299 + RHEL-82308 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:14:01 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_restricted_t : unix_dgram_socket { sendto } [ ]' FILTERED RULES allow chronyc_t chronyd_restricted_t:unix_dgram_socket sendto; :: [ 10:14:03 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 10:14:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_restricted_t chronyc_t : unix_dgram_socket { sendto } [ ]' FILTERED RULES allow chronyd_restricted_t chronyc_t:unix_dgram_socket sendto; :: [ 10:14:05 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 2 good, 0 bad :: RESULT: PASS (RHEL-82299 + RHEL-82308) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: chronyd-restricted -- bz#2169949 + RHEL-18219 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 10:14:05 ] :: [ BEGIN ] :: Running 'systemctl stop chronyd' :: [ 10:14:05 ] :: [ PASS ] :: Command 'systemctl stop chronyd' (Expected 0, got 0) :: [ 10:14:05 ] :: [ BEGIN ] :: Running 'mkdir -p /etc/systemd/system/chronyd-restricted.service.d' :: [ 10:14:05 ] :: [ PASS ] :: Command 'mkdir -p /etc/systemd/system/chronyd-restricted.service.d' (Expected 0, got 0) 
SELinuxContext=system_u:system_r:chronyd_restricted_t:s0 :: [ 10:14:05 ] :: [ BEGIN ] :: Running 'systemctl start chronyd-restricted' :: [ 10:14:05 ] :: [ PASS ] :: Command 'systemctl start chronyd-restricted' (Expected 0, got 0) :: [ 10:14:08 ] :: [ BEGIN ] :: Running 'ps -o pid,uid,command,context -C chronyd | grep -1 system_u:system_r:chronyd_restricted_t:' PID UID COMMAND CONTEXT 43170 997 /usr/sbin/chronyd -U -F 2 system_u:system_r:chronyd_restricted_t:s0 43171 997 /usr/sbin/chronyd -U -F 2 system_u:system_r:chronyd_restricted_t:s0 :: [ 10:14:08 ] :: [ PASS ] :: Command 'ps -o pid,uid,command,context -C chronyd | grep -1 system_u:system_r:chronyd_restricted_t:' (Expected 0, got 0) :: [ 10:14:08 ] :: [ BEGIN ] :: Running 'systemctl status chronyd-restricted' ● chronyd-restricted.service - NTP client (restricted) Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled) Active: active (running) since Fri 2025-04-11 10:14:05 EDT; 3s ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 43168 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 43170 (chronyd) Tasks: 2 (limit: 11052) Memory: 17.6M CPU: 114ms CGroup: /system.slice/chronyd-restricted.service ├─43170 /usr/sbin/chronyd -U -F 2 └─43171 /usr/sbin/chronyd -U -F 2 Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ... 
Apr 11 10:14:05 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star…
Apr 11 10:14:06 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43170]: ...
Hint: Some lines were ellipsized, use -l to show in full.
:: [ 10:14:09 ] :: [ PASS ] :: Command 'systemctl status chronyd-restricted' (Expected 0, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'chronyc reload sources'
200 OK
:: [ 10:14:09 ] :: [ PASS ] :: Command 'chronyc reload sources' (Expected 0,1, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd-restricted'
:: [ 10:14:09 ] :: [ PASS ] :: Command 'systemctl restart chronyd-restricted' (Expected 0, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'systemctl status chronyd-restricted'
● chronyd-restricted.service - NTP client (restricted)
Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled)
Active: active (running) since Fri 2025-04-11 10:14:09 EDT; 29ms ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 43279 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 43281 (chronyd)
Tasks: 2 (limit: 11052)
Memory: 1.2M
CPU: 32ms
CGroup: /system.slice/chronyd-restricted.service
├─43281 /usr/sbin/chronyd -U -F 2
└─43282 /usr/sbin/chronyd -U -F 2
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com chronyd[43281]: ...
Apr 11 10:14:09 vm-10-0-185-101.hosted.upshift.rdu2.redhat.com systemd[1]: Star…
Hint: Some lines were ellipsized, use -l to show in full.
:: [ 10:14:09 ] :: [ PASS ] :: Command 'systemctl status chronyd-restricted' (Expected 0, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'systemctl stop chronyd-restricted'
:: [ 10:14:09 ] :: [ PASS ] :: Command 'systemctl stop chronyd-restricted' (Expected 0, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'rm -f /etc/systemd/system/chronyd-restricted.service.d/context.conf'
:: [ 10:14:09 ] :: [ PASS ] :: Command 'rm -f /etc/systemd/system/chronyd-restricted.service.d/context.conf' (Expected 0, got 0)
:: [ 10:14:09 ] :: [ BEGIN ] :: Running 'systemctl daemon-reload'
:: [ 10:14:09 ] :: [ PASS ] :: Command 'systemctl daemon-reload' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 4s
:: Assertions: 11 good, 0 bad
:: RESULT: PASS (chronyd-restricted -- bz#2169949 + RHEL-18219)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 10:14:11 ] :: [ LOG ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [04/11/2025 10:09:47]
:: [ 10:14:11 ] :: [ INFO ] :: rlSEAVCCheck: ignoring patterns:
:: [ 10:14:11 ] :: [ INFO ] :: rlSEAVCCheck: type=USER_AVC.*received (policyload|setenforce) notice
:: [ 10:14:11 ] :: [ PASS ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 0)
:: [ 10:14:11 ] :: [ BEGIN ] :: Running 'rm -f /tmp/chronyc.output /var/lib/chrony/chronyc.output /var/log/chrony/chronyc.output'
:: [ 10:14:11 ] :: [ PASS ] :: Command 'rm -f /tmp/chronyc.output /var/lib/chrony/chronyc.output /var/log/chrony/chronyc.output' (Expected 0, got 0)
Redirecting to /bin/systemctl status ntpd.service
Unit ntpd.service could not be found.
:: [ 10:14:11 ] :: [ WARNING ] :: rlServiceRestore: service ntpd status returned 4
:: [ 10:14:11 ] :: [ WARNING ] :: rlServiceRestore: Guessing that current state of ntpd is stopped
Redirecting to /bin/systemctl status chronyd.service
Redirecting to /bin/systemctl start chronyd.service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 2s
:: Assertions: 2 good, 0 bad
:: RESULT: PASS (Cleanup)