:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Setup :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:23:22 ] :: [ BEGIN ] :: Running 'rlImport 'selinux-policy/common'' :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Found 'selinux-policy/common', version '43' during upwards traversal :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Will try to import selinux-policy/common from /root/selinux/selinux-policy/Library/common/lib.sh :: [ 06:23:22 ] :: [ INFO ] :: found dependencies: 'distribution/epel ' :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Found 'distribution/epel', version '2' during upwards traversal :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Will try to import distribution/epel from /root/distribution/Library/epel/lib.sh :: [ 06:23:22 ] :: [ INFO ] :: found dependencies: ' distribution/LibrariesWrapper distribution/epel-internal' :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Found 'distribution/LibrariesWrapper', version '9' during upwards traversal :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Will try to import distribution/LibrariesWrapper from /root/distribution/Library/LibrariesWrapper/lib.sh :: [ 06:23:22 ] :: [ INFO ] :: found dependencies: '' :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Found 'distribution/epel-internal', version '3' during upwards traversal :: [ 06:23:22 ] :: [ INFO ] :: rlImport: Will try to import distribution/epel-internal from /root/distribution/Library/epel-internal/lib.sh :: [ 06:23:22 ] :: [ INFO ] :: found dependencies: '' done. done. :: [ 06:23:23 ] :: [ BEGIN ] :: Running 'rlImport distribution/LibrariesWrapper' :: [ 06:23:23 ] :: [ PASS ] :: Command 'rlImport distribution/LibrariesWrapper' (Expected 0, got 0) :: [ 06:23:23 ] :: [ INFO ] :: LibrariesWrapperImport(): library fetched already :: [ 06:23:23 ] :: [ BEGIN ] :: Running 'git checkout "master" -- "epel"' :: [ 06:23:23 ] :: [ PASS ] :: Command 'git checkout "master" -- "epel"' (Expected 0, got 0) :: [ 06:23:23 ] :: [ INFO ] :: found epel v42 from https://github.com/beakerlib/epel.git?72a1d18b541fdbd775d87bb69b57c3e018e18552#epel in /root/distribution/Library/epel/lib/epel loading library distribution/epel v42... done. :: [ 06:23:23 ] :: [ LOG ] :: Determined distro is 'rhel' :: [ 06:23:23 ] :: [ LOG ] :: Determined rhel release is '10' :: [ 06:23:23 ] :: [ LOG ] :: epel repo is accessible :: [ 06:23:23 ] :: [ LOG ] :: epel repo already present :: [ 06:23:23 ] :: [ INFO ] :: SELinux: using 'semodule -lfull' to list modules :: [ 06:23:23 ] :: [ INFO ] :: Running with policy located in /etc/selinux/targeted/policy/policy.34 :: [ 06:23:23 ] :: [ LOG ] :: enriched audit log format already enabled :: [ 06:23:23 ] :: [ LOG ] :: stop the audit daemon first :: [ 06:23:23 ] :: [ BEGIN ] :: Running 'service auditd stop' Stopping logging: :: [ 06:23:23 ] :: [ PASS ] :: Command 'service auditd stop' (Expected 0,2, got 0) :: [ 06:23:28 ] :: [ LOG ] :: audit daemon configuration file is updated, starting the audit service Redirecting to /bin/systemctl status auditd.service Redirecting to /bin/systemctl start auditd.service :: [ 06:23:28 ] :: [ LOG ] :: rlServiceStart: Service auditd started successfully :: [ 06:23:28 ] :: [ INFO ] :: SELinux related packages listing: :: [ 06:23:28 ] :: [ INFO ] :: checkpolicy-3.8-1.el10.x86_64 libselinux-3.8-1.el10.x86_64 libselinux-utils-3.8-1.el10.x86_64 libsemanage-3.8.1-1.el10_0.x86_64 libsepol-3.8-1.el10.x86_64 mcstrans-3.8-1.el10.x86_64 policycoreutils-3.8-1.el10.x86_64 policycoreutils-devel-3.8-1.el10.x86_64 policycoreutils-newrole-3.8-1.el10.x86_64 policycoreutils-python-utils-3.8-1.el10.noarch selinux-policy-40.13.29-1.el10.noarch selinux-policy-devel-40.13.29-1.el10.noarch selinux-policy-mls-40.13.29-1.el10.noarch selinux-policy-targeted-40.13.29-1.el10.noarch setools-console-4.5.1-4.el10.x86_64 :: [ 06:23:28 ] :: [ INFO ] :: listing took 0 second(s) :: [ 06:23:28 ] :: [ INFO ] :: package 'setools-console-4.5.1-4.el10.x86_64' covers required package 'setools-console' :: [ 06:23:28 ] :: [ INFO ] :: package 'expect-5.45.4-25.el10.x86_64' covers required package 'expect' :: [ 06:23:28 ] :: [ INFO ] :: package 'policycoreutils-python-utils-3.8-1.el10.noarch' covers required package 'policycoreutils-python-utils' :: [ 06:23:28 ] :: [ INFO ] :: package 'selinux-policy-devel-40.13.29-1.el10.noarch' covers required package 'selinux-policy-devel' :: [ 06:23:29 ] :: [ PASS ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0,1, got 0) :: [ 06:23:29 ] :: [ BEGIN ] :: Running 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy-mls selinux-policy-targeted setools-console chrony ksh nscd /usr/bin/certtool /usr/sbin/service socat linuxptp ' actually running 'yum --enablerepo epel --enablerepo epel-internal install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy-mls selinux-policy-targeted setools-console chrony ksh nscd /usr/bin/certtool /usr/sbin/service socat linuxptp' Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register. internal epel repository 12 kB/s | 2.9 kB 00:00 Package audit-4.0.3-1.el10.x86_64 is already installed. Package libselinux-3.8-1.el10.x86_64 is already installed. Package libselinux-utils-3.8-1.el10.x86_64 is already installed. Package policycoreutils-3.8-1.el10.x86_64 is already installed. Package selinux-policy-mls-40.13.29-1.el10.noarch is already installed. Package selinux-policy-targeted-40.13.29-1.el10.noarch is already installed. Package setools-console-4.5.1-4.el10.x86_64 is already installed. Package chrony-4.6.1-1.el10.x86_64 is already installed. Package ksh-3:1.0.10-4.el10.x86_64 is already installed. No match for argument: nscd Package gnutls-utils-3.8.9-9.el10.x86_64 is already installed. Package initscripts-service-10.26-2.el10.noarch is already installed. Package socat-1.7.4.4-8.el10.x86_64 is already installed. Package linuxptp-4.4-2.el10.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! :: [ 06:23:30 ] :: [ PASS ] :: Command 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy-mls selinux-policy-targeted setools-console chrony ksh nscd /usr/bin/certtool /usr/sbin/service socat linuxptp ' (Expected 0,1, got 0) selinux-policy-40.13.29-1.el10.noarch :: [ 06:23:30 ] :: [ PASS ] :: Checking for the presence of selinux-policy rpm :: [ 06:23:30 ] :: [ LOG ] :: Package versions: :: [ 06:23:30 ] :: [ LOG ] :: selinux-policy-40.13.29-1.el10.noarch selinux-policy-targeted-40.13.29-1.el10.noarch :: [ 06:23:30 ] :: [ PASS ] :: Checking for the presence of selinux-policy-targeted rpm :: [ 06:23:30 ] :: [ LOG ] :: Package versions: :: [ 06:23:30 ] :: [ LOG ] :: selinux-policy-targeted-40.13.29-1.el10.noarch chrony-4.6.1-1.el10.x86_64 :: [ 06:23:30 ] :: [ PASS ] :: Checking for the presence of chrony rpm :: [ 06:23:30 ] :: [ LOG ] :: Package versions: :: [ 06:23:30 ] :: [ LOG ] :: chrony-4.6.1-1.el10.x86_64 Redirecting to /bin/systemctl status ntpd.service Unit ntpd.service could not be found. :: [ 06:23:30 ] :: [ WARNING ] :: rlServiceStop: service ntpd status returned 4 :: [ 06:23:30 ] :: [ WARNING ] :: rlServiceStop: Guessing that original state of ntpd is stopped Redirecting to /bin/systemctl stop ntpd.service Failed to stop ntpd.service: Unit ntpd.service not loaded. :: [ 06:23:30 ] :: [ ERROR ] :: rlServiceStop: Stopping service ntpd failed :: [ 06:23:30 ] :: [ ERROR ] :: Status of the failed service: :: [ 06:23:30 ] :: [ LOG ] :: Redirecting to /bin/systemctl status ntpd.service :: [ 06:23:30 ] :: [ LOG ] :: Unit ntpd.service could not be found. Redirecting to /bin/systemctl status chronyd.service Redirecting to /bin/systemctl stop chronyd.service :: [ 06:23:30 ] :: [ INFO ] :: using '/var/tmp/beakerlib-EtyWJtr/backup' as backup destination :: [ 06:23:30 ] :: [ INFO ] :: using '/var/tmp/beakerlib-EtyWJtr/backup' as backup destination :: [ 06:23:30 ] :: [ INFO ] :: using '/var/tmp/beakerlib-EtyWJtr/backup' as backup destination :: [ 06:23:30 ] :: [ ERROR ] :: rlFileBackup: File /etc/chrony.keys does not exist. :: [ 06:23:30 ] :: [ BEGIN ] :: Running 'setenforce 1' :: [ 06:23:30 ] :: [ PASS ] :: Command 'setenforce 1' (Expected 0, got 0) :: [ 06:23:30 ] :: [ BEGIN ] :: Running 'id -Z' unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 :: [ 06:23:30 ] :: [ PASS ] :: Command 'id -Z' (Expected 0, got 0) :: [ 06:23:30 ] :: [ BEGIN ] :: Running 'sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 :: [ 06:23:30 ] :: [ PASS ] :: Command 'sestatus' (Expected 0, got 0) :: [ 06:23:31 ] :: [ BEGIN ] :: Running 'semodule --list-modules=full | grep -i disabled' :: [ 06:23:31 ] :: [ PASS ] :: Command 'semodule --list-modules=full | grep -i disabled' (Expected 0,1, got 1) :: [ 06:23:31 ] :: [ LOG ] :: rlSESetTimestamp: Setting timestamp 'TIMESTAMP' [04/16/2025 06:23:31] :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 11s :: Assertions: 12 good, 0 bad :: RESULT: PASS (Setup) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#974992 + bz#978993 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 06:23:33 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) :: [ 06:23:33 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { sys_nice } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 06:23:35 ] :: [ PASS ] :: check permission 'sys_nice' is present (Assert: '0' should equal '0') :: [ 06:23:35 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : process { setsched } [ ]' FILTERED RULES allow chronyd_t chronyd_t:process { fork getcap getsched setcap setrlimit setsched sigchld sigkill signal signull sigstop }; :: [ 06:23:36 ] :: [ PASS ] :: check permission 'setsched' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 3 good, 0 bad :: RESULT: PASS (bz#974992 + bz#978993) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1243764 + bz#1243987 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 06:23:37 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) /var/run/chrony-helper system_u:object_r:chronyd_var_run_t:s0 :: [ 06:23:37 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony-helper/added_servers system_u:object_r:chronyd_var_run_t:s0 :: [ 06:23:38 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper/added_servers should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony-helper/lock system_u:object_r:chronyd_var_run_t:s0 :: [ 06:23:38 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony-helper/lock should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/lib/dhclient system_u:object_r:dhcpc_state_t:s0 :: [ 06:23:39 ] :: [ PASS ] :: Result of matchpathcon /var/lib/dhclient should contain dhcpc_state_t (Assert: expected 0, got 0) /var/lib/dhclient/chrony.servers.eth0 system_u:object_r:dhcpc_state_t:s0 :: [ 06:23:39 ] :: [ PASS ] :: Result of matchpathcon /var/lib/dhclient/chrony.servers.eth0 should contain dhcpc_state_t (Assert: expected 0, got 0) /usr/bin/systemctl system_u:object_r:systemd_systemctl_exec_t:s0 :: [ 06:23:40 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/systemctl should contain systemd_systemctl_exec_t (Assert: expected 0, got 0) :: [ 06:23:40 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dhcpc_t chronyd_exec_t : file { getattr open read execute }' FILTERED RULES allow dhcpc_t chronyd_exec_t:file { execute getattr ioctl map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:23:41 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:41 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:41 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:41 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 06:23:41 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition dhcpc_t chronyd_exec_t : process chronyd_t' FILTERED RULES type_transition dhcpc_t chronyd_exec_t:process chronyd_t; :: [ 06:23:43 ] :: [ PASS ] :: check permission 'chronyd_t' is present (Assert: '0' should equal '0') :: [ 06:23:43 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dhcpc_t chronyd_t : process { transition }' FILTERED RULES allow dhcpc_t chronyd_t:process { getattr transition }; :: [ 06:23:44 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 06:23:44 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t var_run_t : dir { read write add_name remove_name search open getattr }' FILTERED RULES allow chronyd_t var_run_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow domain var_run_t:dir { ioctl lock read }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 06:23:46 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t var_run_t : dir chronyd_var_run_t' FILTERED RULES type_transition chronyd_t var_run_t:dir chronyd_var_run_t; :: [ 06:23:48 ] :: [ PASS ] :: check permission 'chronyd_var_run_t' is present (Assert: '0' should equal '0') :: [ 06:23:48 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : dir { read write add_name remove_name search open getattr }' FILTERED RULES allow chronyd_t chronyd_var_run_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 06:23:49 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:49 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : file { getattr open read write create unlink }' FILTERED RULES allow chronyd_t chronyd_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:23:51 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ PASS ] :: check permission 'unlink' is present (Assert: '0' should equal '0') :: [ 06:23:51 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t dhcpc_state_t : dir { getattr open read search }' FILTERED RULES allow chronyd_t dhcpc_state_t:dir { getattr ioctl lock open read search }; :: [ 06:23:52 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:52 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:52 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:52 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:23:52 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t dhcpc_state_t : file { getattr open read }' FILTERED RULES allow chronyd_t dhcpc_state_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:23:54 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:54 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:54 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:54 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t bin_t : file { getattr open read execute_no_trans }' FILTERED RULES allow chronyd_t base_ro_file_type:file { execute execute_no_trans map }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:23:55 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:55 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:55 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:55 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 06:23:55 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t systemd_systemctl_exec_t : file { getattr open read execute_no_trans }' FILTERED RULES allow chronyd_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:23:56 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:23:56 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:23:56 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:23:56 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 06:23:57 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow timemaster_t chronyd_t : process { signal }' FILTERED RULES allow timemaster_t chronyd_t:process { signal transition }; :: [ 06:23:58 ] :: [ PASS ] :: check permission 'signal' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 22s :: Assertions: 50 good, 0 bad :: RESULT: PASS (bz#1243764 + bz#1243987) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1350765 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:23:58 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability2 { block_suspend } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability2 block_suspend; :: [ 06:23:59 ] :: [ PASS ] :: check permission 'block_suspend' is present (Assert: '0' should equal '0') :: [ 06:24:00 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t kernel_t : system { module_request } [ ]' FILTERED RULES allow chronyd_t kernel_t:system module_request; :: [ 06:24:01 ] :: [ PASS ] :: check permission 'module_request' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1350765) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1416015 + bz#1421248 + bz#1425408 + bz#1440791 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 06:24:02 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /etc/adjtime system_u:object_r:adjtime_t:s0 :: [ 06:24:02 ] :: [ PASS ] :: Result of matchpathcon /etc/adjtime should contain adjtime_t (Assert: expected 0, got 0) /var/run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:03 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyd.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:03 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyd.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyc.1117.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:04 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyc.1117.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 06:24:04 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t adjtime_t : file { getattr open read }' FILTERED RULES allow chronyd_t adjtime_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:24:05 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:05 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:05 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:05 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { chown }' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 06:24:07 ] :: [ PASS ] :: check permission 'chown' is present (Assert: '0' should equal '0') :: [ 06:24:07 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t chronyd_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read sendto setattr setopt shutdown write }; :: [ 06:24:08 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 06:24:08 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { net_admin }' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 06:24:09 ] :: [ PASS ] :: check permission 'net_admin' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 8s :: Assertions: 11 good, 0 bad :: RESULT: PASS (bz#1416015 + bz#1421248 + bz#1425408 + bz#1440791) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1508486 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 06:24:10 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:24:11 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 06:24:11 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_exec_t : file { getattr open read execute_no_trans }' FILTERED RULES allow chronyd_t chronyc_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:24:12 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:12 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:12 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:12 ] :: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0') :: [ 06:24:12 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_t : process { transition }' FILTERED RULES :: [ 06:24:13 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '1' should equal '1') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1508486) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1509379 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:24:14 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 06:24:14 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyc_t : capability { dac_read_search } [ ]' FILTERED RULES allow chronyc_t chronyc_t:capability { dac_override dac_read_search }; :: [ 06:24:15 ] :: [ PASS ] :: check permission 'dac_read_search' is present (Assert: '0' should equal '0') :: [ 06:24:16 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t chronyc_exec_t : process chronyc_t' FILTERED RULES :: [ 06:24:17 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '1' should equal '1') :: [ 06:24:17 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : capability { dac_read_search } [ ]' FILTERED RULES allow chronyd_t chronyd_t:capability { chown dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service setgid setuid sys_nice sys_resource sys_time }; :: [ 06:24:19 ] :: [ PASS ] :: check permission 'dac_read_search' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 4 good, 0 bad :: RESULT: PASS (bz#1509379) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1530525 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:24:19 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /etc system_u:object_r:etc_t:s0 :: [ 06:24:20 ] :: [ PASS ] :: Result of matchpathcon /etc should contain etc_t (Assert: expected 0, got 0) /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 06:24:20 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) :: [ 06:24:20 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_keys_t : file { getattr ioctl append write } [ ]' FILTERED RULES allow chronyc_t chronyd_keys_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:24:22 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:22 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:24:22 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:24:22 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1530525) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1470150 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /var/run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:22 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) /var/run/chrony/chronyc.3781.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:23 ] :: [ PASS ] :: Result of matchpathcon /var/run/chrony/chronyc.3781.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 06:24:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyc_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t chronyc_t:unix_dgram_socket sendto; :: [ 06:24:24 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 06:24:24 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyc_t chronyd_t:unix_dgram_socket sendto; :: [ 06:24:26 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 06:24:26 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_cronjob_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 06:24:27 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:27 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:27 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:27 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 06:24:27 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition system_cronjob_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition system_cronjob_t chronyc_exec_t:process chronyc_t; :: [ 06:24:29 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 06:24:29 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_cronjob_t chronyc_t : process { transition } [ ]' FILTERED RULES allow system_cronjob_t chronyc_t:process transition; allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; :: [ 06:24:30 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 06:24:30 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow inetd_child_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 06:24:32 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:32 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:32 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:32 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 06:24:32 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition inetd_child_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition inetd_child_t chronyc_exec_t:process chronyc_t; :: [ 06:24:33 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 06:24:33 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow inetd_child_t chronyc_t : process { transition } [ ]' FILTERED RULES allow inetd_child_t chronyc_t:process transition; allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; :: [ 06:24:35 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 06:24:35 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_run_t : sock_file { create write unlink }' FILTERED RULES allow chronyc_t chronyd_var_run_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; :: [ 06:24:36 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 06:24:36 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:24:36 ] :: [ PASS ] :: check permission 'unlink' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 14s :: Assertions: 19 good, 0 bad :: RESULT: PASS (bz#1470150) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1281473 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 06:24:37 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 06:24:37 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) /var/run/timemaster/chrony.conf system_u:object_r:timemaster_var_run_t:s0 :: [ 06:24:38 ] :: [ PASS ] :: Result of matchpathcon /var/run/timemaster/chrony.conf should contain timemaster_var_run_t (Assert: expected 0, got 0) :: [ 06:24:38 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_keys_t : file { append setattr }' FILTERED RULES allow chronyd_t chronyd_keys_t:file { append getattr ioctl lock open read setattr }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:24:39 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:24:39 ] :: [ PASS ] :: check permission 'setattr' is present (Assert: '0' should equal '0') :: [ 06:24:39 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t timemaster_var_run_t : file { getattr open read }' FILTERED RULES allow chronyd_t timemaster_var_run_t:file { getattr ioctl lock open read }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:24:41 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:41 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:41 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 8 good, 0 bad :: RESULT: PASS (bz#1281473) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1290310 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 06:24:42 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /var/run system_u:object_r:var_run_t:s0 /run system_u:object_r:var_run_t:s0 :: [ 06:24:42 ] :: [ PASS ] :: Results of matchpathcon /var/run /run should contain var_run_t (Assert: expected 0, got 0) /var/run/chronyd.sock system_u:object_r:chronyd_var_run_t:s0 :: [ 06:24:43 ] :: [ PASS ] :: Result of matchpathcon /var/run/chronyd.sock should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 06:24:43 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t var_run_t : dir { getattr open search read write add_name remove_name }' FILTERED RULES allow chronyd_t var_run_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow domain var_run_t:dir { ioctl lock read }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 06:24:44 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 06:24:44 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyd_t var_run_t : sock_file chronyd_var_run_t' FILTERED RULES type_transition chronyd_t var_run_t:sock_file chronyd_var_run_t; :: [ 06:24:46 ] :: [ PASS ] :: check permission 'chronyd_var_run_t' is present (Assert: '0' should equal '0') :: [ 06:24:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_var_run_t : sock_file { create }' FILTERED RULES allow chronyd_t chronyd_var_run_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; :: [ 06:24:47 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 6s :: Assertions: 12 good, 0 bad :: RESULT: PASS (bz#1290310) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1390657 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /etc/chrony.keys system_u:object_r:chronyd_keys_t:s0 :: [ 06:24:48 ] :: [ PASS ] :: Result of matchpathcon /etc/chrony.keys should contain chronyd_keys_t (Assert: expected 0, got 0) :: [ 06:24:48 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyd_keys_t : file { getattr open read }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow logrotate_t chronyd_keys_t:file { getattr ioctl lock open read }; :: [ 06:24:49 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:49 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:24:49 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 4 good, 0 bad :: RESULT: PASS (bz#1390657) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1509927 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:24:50 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 06:24:50 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t user_devpts_t : chr_file { read write getattr append open } [ ]' FILTERED RULES allow chronyc_t user_devpts_t:chr_file { append getattr ioctl lock open read write }; :: [ 06:24:52 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:24:52 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:24:52 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:24:52 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:24:52 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 6 good, 0 bad :: RESULT: PASS (bz#1509927) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1574418 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:24:52 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /tmp system_u:object_r:tmp_t:s0 :: [ 06:24:53 ] :: [ PASS ] :: Result of matchpathcon /tmp should contain tmp_t (Assert: expected 0, got 0) /var/lib system_u:object_r:var_lib_t:s0 :: [ 06:24:53 ] :: [ PASS ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent system_u:object_r:var_lib_t:s0 :: [ 06:24:54 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent/cache system_u:object_r:var_lib_t:s0 :: [ 06:24:54 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent/cache should contain var_lib_t (Assert: expected 0, got 0) /var/lib/check_mk_agent/cache/chrony.cache.new system_u:object_r:var_lib_t:s0 :: [ 06:24:55 ] :: [ PASS ] :: Result of matchpathcon /var/lib/check_mk_agent/cache/chrony.cache.new should contain var_lib_t (Assert: expected 0, got 0) /var/log system_u:object_r:var_log_t:s0 :: [ 06:24:55 ] :: [ PASS ] :: Result of matchpathcon /var/log should contain var_log_t (Assert: expected 0, got 0) :: [ 06:24:55 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t tmp_t : dir { write add_name } [ ]' FILTERED RULES allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain tmp_t:dir { add_name ioctl lock read remove_name write }; :: [ 06:24:57 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:24:57 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:24:57 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t tmp_t : file chronyd_tmp_t' FILTERED RULES type_transition chronyc_t tmp_t:file chronyd_tmp_t; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_0.rcache2; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_23.rcache2; type_transition chronyc_t tmp_t:file krb5_host_rcache_t krb5_55.rcache2; :: [ 06:24:58 ] :: [ PASS ] :: check permission 'chronyd_tmp_t' is present (Assert: '0' should equal '0') :: [ 06:24:58 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_tmp_t : file { create getattr open write } [ ]' FILTERED RULES allow chronyc_t chronyd_tmp_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; allow domain tmpfile:file { append getattr ioctl lock read }; :: [ 06:25:00 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 06:25:00 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:00 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:00 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:00 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : dir { write add_name } [ ]' FILTERED RULES allow chronyc_t var_log_t:dir { add_name ioctl lock read remove_name write }; allow domain var_log_t:dir { getattr open search }; :: [ 06:25:01 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:01 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:25:01 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t var_log_t : file chronyd_var_log_t' FILTERED RULES type_transition chronyc_t var_log_t:file chronyd_var_log_t; :: [ 06:25:03 ] :: [ PASS ] :: check permission 'chronyd_var_log_t' is present (Assert: '0' should equal '0') :: [ 06:25:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_log_t : file { create getattr open write } [ ]' FILTERED RULES allow application_domain_type logfile:file { append getattr ioctl lock }; allow chronyc_t chronyd_var_log_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:04 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 06:25:04 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:04 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:04 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:04 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : dir { write add_name } [ ]' FILTERED RULES allow chronyc_t var_lib_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain var_lib_t:dir { ioctl lock read }; :: [ 06:25:06 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:06 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:25:06 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition chronyc_t var_lib_t : file chronyd_var_lib_t' FILTERED RULES type_transition chronyc_t var_lib_t:file chronyd_var_lib_t; :: [ 06:25:07 ] :: [ PASS ] :: check permission 'chronyd_var_lib_t' is present (Assert: '0' should equal '0') :: [ 06:25:07 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_lib_t : file { create getattr open write } [ ]' FILTERED RULES allow chronyc_t chronyd_var_lib_t:file { create link rename setattr unlink watch watch_reads }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:09 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0') :: [ 06:25:09 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:09 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:09 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 17s :: Assertions: 28 good, 0 bad :: RESULT: PASS (bz#1574418) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1575002 + bz#1577057 + bz#1593267 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /dev/tty1 system_u:object_r:tty_device_t:s0 :: [ 06:25:09 ] :: [ PASS ] :: Result of matchpathcon /dev/tty1 should contain tty_device_t (Assert: expected 0, got 0) :: [ 06:25:10 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow unconfined_t chronyc_exec_t : file { getattr open read execute }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; :: [ 06:25:11 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:11 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:11 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:25:11 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 06:25:11 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow unconfined_t chronyc_t : process { transition }' FILTERED RULES allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop }; allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True allow unconfined_t domain:process transition; :: [ 06:25:12 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 06:25:12 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition unconfined_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition unconfined_t chronyc_exec_t:process chronyc_t; :: [ 06:25:14 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 06:25:14 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_change unconfined_t tty_device_t : chr_file user_tty_device_t' FILTERED RULES type_change unconfined_t tty_device_t:chr_file user_tty_device_t; :: [ 06:25:15 ] :: [ PASS ] :: check permission 'user_tty_device_t' is present (Assert: '0' should equal '0') :: [ 06:25:15 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t user_tty_device_t : chr_file { read write } [ ]' FILTERED RULES allow chronyc_t user_tty_device_t:chr_file { append getattr ioctl lock read write }; :: [ 06:25:17 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:25:17 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 8s :: Assertions: 10 good, 0 bad :: RESULT: PASS (bz#1575002 + bz#1577057 + bz#1593267) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1596563 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:25:17 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/run/nscd/socket system_u:object_r:nscd_var_run_t:s0 :: [ 06:25:18 ] :: [ PASS ] :: Result of matchpathcon /var/run/nscd/socket should contain nscd_var_run_t (Assert: expected 0, got 0) /var/db/nscd/passwd system_u:object_r:nscd_var_run_t:s0 :: [ 06:25:18 ] :: [ PASS ] :: Result of matchpathcon /var/db/nscd/passwd should contain nscd_var_run_t (Assert: expected 0, got 0) :: [ 06:25:18 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_t : unix_stream_socket { connectto }' FILTERED RULES allow nsswitch_domain nscd_t:unix_stream_socket { append bind connect connectto create getattr getopt ioctl lock read setattr setopt shutdown write }; :: [ 06:25:20 ] :: [ PASS ] :: check permission 'connectto' is present (Assert: '0' should equal '0') :: [ 06:25:20 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow system_dbusd_t nscd_var_run_t : file { map }' FILTERED RULES allow domain file_type:file map; [ domain_can_mmap_files ]:True allow nsswitch_domain nscd_var_run_t:file map; allow system_dbusd_t non_security_file_type:file { read write }; :: [ 06:25:21 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 06:25:21 ] :: [ INFO ] :: rlSESearchRule: checking rule 'dontaudit chronyc_t nscd_var_run_t : file { getattr open read }' FILTERED RULES dontaudit nsswitch_domain nscd_var_run_t:file { getattr ioctl lock open read }; :: [ 06:25:23 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:23 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:23 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:25:23 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_tmpfs_t : file { map }' FILTERED RULES allow chronyd_t chronyd_tmpfs_t:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:25:24 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 06:25:24 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t gpsd_tmpfs_t : file { map }' FILTERED RULES allow chronyd_t gpsd_tmpfs_t:file { append getattr ioctl lock map open read write }; allow domain file_type:file map; [ domain_can_mmap_files ]:True :: [ 06:25:25 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :: [ 06:25:25 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_t : nscd { shmemhost gethost }' FILTERED RULES allow chronyc_t nscd_t:nscd { getnetgrp getserv shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; allow nsswitch_domain nscd_t:nscd { getgrp gethost getpwd }; allow nsswitch_domain nscd_t:nscd { getnetgrp getserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { getnetgrp getserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; [ nscd_use_shm ]:True allow nsswitch_domain nscd_t:nscd { shmemgrp shmemhost shmemnetgrp shmempwd shmemserv }; [ nscd_use_shm ]:True :: [ 06:25:27 ] :: [ PASS ] :: check permission 'shmemhost' is present (Assert: '0' should equal '0') :: [ 06:25:27 ] :: [ PASS ] :: check permission 'gethost' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 10s :: Assertions: 12 good, 0 bad :: RESULT: PASS (bz#1596563) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1568281 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:25:27 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /run/chrony system_u:object_r:chronyd_var_run_t:s0 :: [ 06:25:28 ] :: [ PASS ] :: Result of matchpathcon /run/chrony should contain chronyd_var_run_t (Assert: expected 0, got 0) :: [ 06:25:28 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyc_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow logrotate_t application_exec_type:file { execute execute_no_trans ioctl lock map open read }; allow logrotate_t exec_type:file getattr; :: [ 06:25:29 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:29 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:29 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:25:29 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 06:25:30 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition logrotate_t chronyc_exec_t : process chronyc_t' FILTERED RULES type_transition logrotate_t chronyc_exec_t:process chronyc_t; :: [ 06:25:31 ] :: [ PASS ] :: check permission 'chronyc_t' is present (Assert: '0' should equal '0') :: [ 06:25:31 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow logrotate_t chronyc_t : process { transition } [ ]' FILTERED RULES allow logrotate_t chronyc_t:process transition; allow logrotate_t domain:process signal; :: [ 06:25:33 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 06:25:33 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_var_run_t : dir { write } [ ]' FILTERED RULES allow chronyc_t chronyd_var_run_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; allow nsswitch_domain pidfile:dir { getattr open search }; :: [ 06:25:34 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 7s :: Assertions: 9 good, 0 bad :: RESULT: PASS (bz#1568281) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1567753 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/sbin/chronyd system_u:object_r:chronyd_exec_t:s0 :: [ 06:25:35 ] :: [ PASS ] :: Result of matchpathcon /usr/sbin/chronyd should contain chronyd_exec_t (Assert: expected 0, got 0) /var/lib/libvirt/dnsmasq system_u:object_r:virt_var_lib_t:s0 :: [ 06:25:35 ] :: [ PASS ] :: Result of matchpathcon /var/lib/libvirt/dnsmasq should contain virt_var_lib_t (Assert: expected 0, got 0) :: [ 06:25:35 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t virt_var_lib_t : dir { getattr open search read } [ ]' FILTERED RULES allow nsswitch_domain virt_var_lib_t:dir { getattr ioctl lock open read search }; :: [ 06:25:37 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:37 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:37 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:25:37 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 6 good, 0 bad :: RESULT: PASS (bz#1567753) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1618757 + bz#1622499 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:25:37 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 06:25:37 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t unconfined_t : unix_stream_socket { read write ioctl getattr } [ ]' FILTERED RULES allow chronyc_t userdomain:unix_stream_socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write }; :: [ 06:25:39 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 06:25:39 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:39 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:25:39 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 5 good, 0 bad :: RESULT: PASS (bz#1618757 + bz#1622499) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1652079 + bz#1696252 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:25:39 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/lib system_u:object_r:var_lib_t:s0 :: [ 06:25:40 ] :: [ PASS ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0) /var/lib/test system_u:object_r:var_lib_t:s0 :: [ 06:25:40 ] :: [ PASS ] :: Result of matchpathcon /var/lib/test should contain var_lib_t (Assert: expected 0, got 0) /var/log system_u:object_r:var_log_t:s0 :: [ 06:25:41 ] :: [ PASS ] :: Result of matchpathcon /var/log should contain var_log_t (Assert: expected 0, got 0) /var/log/test system_u:object_r:var_log_t:s0 :: [ 06:25:41 ] :: [ PASS ] :: Result of matchpathcon /var/log/test should contain var_log_t (Assert: expected 0, got 0) /var/run system_u:object_r:var_run_t:s0 /run system_u:object_r:var_run_t:s0 :: [ 06:25:42 ] :: [ PASS ] :: Results of matchpathcon /var/run /run should contain var_run_t (Assert: expected 0, got 0) /var/run/test system_u:object_r:var_run_t:s0 :: [ 06:25:42 ] :: [ PASS ] :: Result of matchpathcon /var/run/test should contain var_run_t (Assert: expected 0, got 0) /var/cache system_u:object_r:var_t:s0 :: [ 06:25:43 ] :: [ PASS ] :: Result of matchpathcon /var/cache should contain var_t (Assert: expected 0, got 0) /var/cache/test system_u:object_r:var_t:s0 :: [ 06:25:43 ] :: [ PASS ] :: Result of matchpathcon /var/cache/test should contain var_t (Assert: expected 0, got 0) :: [ 06:25:44 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : dir { getattr open search write add_name } [ ]' FILTERED RULES allow chronyc_t var_lib_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow nsswitch_domain var_lib_t:dir { ioctl lock read }; :: [ 06:25:45 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:45 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:45 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:25:45 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:45 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:25:45 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_lib_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:46 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:46 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:25:46 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:46 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:25:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : dir { getattr open search write add_name } [ ]' FILTERED RULES allow chronyc_t var_log_t:dir { add_name ioctl lock read remove_name write }; allow domain var_log_t:dir { getattr open search }; :: [ 06:25:48 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:48 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:25:48 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:25:48 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:48 ] :: [ PASS ] :: check permission 'add_name' is present (Assert: '0' should equal '0') :: [ 06:25:48 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_log_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow application_domain_type logfile:file { append getattr ioctl lock }; allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:49 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:49 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:25:49 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:49 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:25:49 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:51 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:51 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:25:51 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:51 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :: [ 06:25:51 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t var_run_t : file { getattr ioctl write append } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; :: [ 06:25:52 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:25:52 ] :: [ PASS ] :: check permission 'ioctl' is present (Assert: '0' should equal '0') :: [ 06:25:52 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 06:25:52 ] :: [ PASS ] :: check permission 'append' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 13s :: Assertions: 35 good, 0 bad :: RESULT: PASS (bz#1652079 + bz#1696252) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1593607 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/chrony-helper system_u:object_r:chronyd_exec_t:s0 :: [ 06:25:53 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/chrony-helper should contain chronyd_exec_t (Assert: expected 0, got 0) :: [ 06:25:53 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t shell_exec_t : file { map } [ ] mls' FILTERED RULES allow chronyd_t shell_exec_t:file { execute execute_no_trans map }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; :: [ 06:25:54 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1593607) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1772852 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:25:54 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) /var/db/nscd/hosts system_u:object_r:nscd_var_run_t:s0 :: [ 06:25:55 ] :: [ PASS ] :: Result of matchpathcon /var/db/nscd/hosts should contain nscd_var_run_t (Assert: expected 0, got 0) :: [ 06:25:55 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t nscd_var_run_t : file { map } [ ]' FILTERED RULES allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write }; allow nsswitch_domain nscd_var_run_t:file map; :: [ 06:25:56 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 3 good, 0 bad :: RESULT: PASS (bz#1772852) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1895825 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /run/chrony-dhcp system_u:object_r:chronyd_var_run_t:s0 :: [ 06:25:57 ] :: [ PASS ] :: Result of matchpathcon /run/chrony-dhcp should contain chronyd_var_run_t (Assert: expected 0, got 0) /run/chrony-dhcp/something.source system_u:object_r:chronyd_var_run_t:s0 :: [ 06:25:58 ] :: [ PASS ] :: Result of matchpathcon /run/chrony-dhcp/something.source should contain chronyd_var_run_t (Assert: expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1895825) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1900143 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /run/systemd/resolve/io.systemd.Resolve system_u:object_r:systemd_resolved_var_run_t:s0 :: [ 06:25:58 ] :: [ PASS ] :: Result of matchpathcon /run/systemd/resolve/io.systemd.Resolve should contain systemd_resolved_var_run_t (Assert: expected 0, got 0) :: [ 06:25:58 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t systemd_resolved_var_run_t : sock_file { write } [ ]' FILTERED RULES allow domain systemd_resolved_var_run_t:sock_file { append getattr open write }; :: [ 06:26:00 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#1900143) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2173604 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/bin/chronyc system_u:object_r:chronyc_exec_t:s0 :: [ 06:26:00 ] :: [ PASS ] :: Result of matchpathcon /usr/bin/chronyc should contain chronyc_exec_t (Assert: expected 0, got 0) :: [ 06:26:00 ] :: [ BEGIN ] :: Running 'ls -dZ /proc/sys/net/ipv6/conf/all | grep :sysctl_net_t' system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all :: [ 06:26:00 ] :: [ PASS ] :: Command 'ls -dZ /proc/sys/net/ipv6/conf/all | grep :sysctl_net_t' (Expected 0, got 0) :: [ 06:26:00 ] :: [ BEGIN ] :: Running 'ls -dZ /proc/sys/net/ipv6/conf/all/disable_ipv6 | grep :sysctl_net_t' system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all/disable_ipv6 :: [ 06:26:00 ] :: [ PASS ] :: Command 'ls -dZ /proc/sys/net/ipv6/conf/all/disable_ipv6 | grep :sysctl_net_t' (Expected 0, got 0) :: [ 06:26:00 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t sysctl_net_t : dir { search } [ ]' FILTERED RULES allow chronyc_t sysctl_net_t:dir { getattr ioctl lock open read search }; :: [ 06:26:02 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 06:26:02 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t sysctl_net_t : file { getattr open read } [ ]' FILTERED RULES allow chronyc_t sysctl_net_t:file { getattr ioctl lock open read }; :: [ 06:26:03 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 06:26:03 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 06:26:03 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#2173604) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#1961207 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:03 ] :: [ BEGIN ] :: Running 'seinfo --portcon=4460 | grep "portcon tcp .*:ntske_port_t"' portcon tcp 4460 system_u:object_r:ntske_port_t:s0 :: [ 06:26:04 ] :: [ PASS ] :: Command 'seinfo --portcon=4460 | grep "portcon tcp .*:ntske_port_t"' (Expected 0, got 0) /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-ki system_u:object_r:cert_t:s0 :: [ 06:26:04 ] :: [ PASS ] :: Result of matchpathcon /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-ki should contain cert_t (Assert: expected 0, got 0) :: [ 06:26:04 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t ntske_port_t : tcp_socket { name_bind name_connect } [ ]' FILTERED RULES allow chronyd_t ntske_port_t:tcp_socket { name_bind name_connect }; :: [ 06:26:06 ] :: [ PASS ] :: check permission 'name_bind' is present (Assert: '0' should equal '0') :: [ 06:26:06 ] :: [ PASS ] :: check permission 'name_connect' is present (Assert: '0' should equal '0') :: [ 06:26:06 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t chronyd_t : tcp_socket { listen accept }' FILTERED RULES allow chronyd_t chronyd_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write }; :: [ 06:26:07 ] :: [ PASS ] :: check permission 'listen' is present (Assert: '0' should equal '0') :: [ 06:26:07 ] :: [ PASS ] :: check permission 'accept' is present (Assert: '0' should equal '0') :: [ 06:26:07 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t cert_t : file { map } [ ]' FILTERED RULES allow nsswitch_domain cert_t:file { getattr ioctl lock map open read }; :: [ 06:26:08 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#1961207) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:09 ] :: [ BEGIN ] :: Running 'echo "sched_priority 50" >> /etc/chrony.conf' :: [ 06:26:09 ] :: [ PASS ] :: Command 'echo "sched_priority 50" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 06:26:09 ] :: [ BEGIN ] :: Running 'echo "refclock SHM 0" >> /etc/chrony.conf' :: [ 06:26:09 ] :: [ PASS ] :: Command 'echo "refclock SHM 0" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 06:26:09 ] :: [ BEGIN ] :: Running 'echo "refclock SOCK /var/run/chronyd.sock" >> /etc/chrony.conf' :: [ 06:26:09 ] :: [ PASS ] :: Command 'echo "refclock SOCK /var/run/chronyd.sock" >> /etc/chrony.conf' (Expected 0, got 0) :: [ 06:26:09 ] :: [ BEGIN ] :: Running 'echo redhat | passwd --stdin root' BAD PASSWORD: The password is shorter than 8 characters :: [ 06:26:09 ] :: [ PASS ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0) chronyd_t is defined :: [ 06:26:09 ] :: [ BEGIN ] :: Running 'service chronyd start' Redirecting to /bin/systemctl start chronyd.service :: [ 06:26:09 ] :: [ PASS ] :: Command 'service chronyd start' (Expected 0, got 0) :: [ 06:26:10 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd"' system_u:system_r:chronyd_t:s0 chrony 51490 1 0 06:26 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 06:26:10 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd"' (Expected 0, got 0) :: [ 06:26:11 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' system_u:system_r:chronyd_t:s0 chrony 51490 1 0 06:26 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 06:26:11 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' (Expected 0, got 0) :: [ 06:26:12 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: active (running) since Wed 2025-04-16 06:26:09 EDT; 2s ago Invocation: 59c62527eea24f3382cbad08bc0842ae Docs: man:chronyd(8) man:chrony.conf(5) Process: 51488 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 51490 (chronyd) Tasks: 1 (limit: 10683) Memory: 1M (peak: 2.9M) CPU: 27ms CGroup: /system.slice/chronyd.service └─51490 /usr/sbin/chronyd -F 2 Apr 16 06:26:09 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Startin…. Apr 16 06:26:09 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[51490]: chro… Apr 16 06:26:09 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[51490]: Freq… Apr 16 06:26:09 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[51490]: Load… Apr 16 06:26:09 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Started…. Hint: Some lines were ellipsized, use -l to show in full. :: [ 06:26:12 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 0) :: [ 06:26:13 ] :: [ BEGIN ] :: Running 'ipcs -m | grep 0x4e545030' 0x4e545030 0 root 600 96 1 :: [ 06:26:13 ] :: [ PASS ] :: Command 'ipcs -m | grep 0x4e545030' (Expected 0, got 0) :: [ 06:26:13 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/chronyd.sock | grep :chronyd_var_run_t' system_u:object_r:chronyd_var_run_t:s0 /var/run/chronyd.sock :: [ 06:26:13 ] :: [ PASS ] :: Command 'ls -Z /var/run/chronyd.sock | grep :chronyd_var_run_t' (Expected 0, got 0) :: [ 06:26:13 ] :: [ BEGIN ] :: Running 'restorecon -Rv /etc /run /var -e /var/ARTIFACTS' Can't stat exclude path "/var/ARTIFACTS", No such file or directory - ignoring. :: [ 06:26:13 ] :: [ PASS ] :: Command 'restorecon -Rv /etc /run /var -e /var/ARTIFACTS' (Expected 0-255, got 0) :: [ 06:26:13 ] :: [ BEGIN ] :: Running 'service chronyd restart' Redirecting to /bin/systemctl restart chronyd.service :: [ 06:26:13 ] :: [ PASS ] :: Command 'service chronyd restart' (Expected 0, got 0) :: [ 06:26:15 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd"' system_u:system_r:chronyd_t:s0 chrony 52173 1 0 06:26 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 06:26:15 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd"' (Expected 0, got 0) :: [ 06:26:15 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' system_u:system_r:chronyd_t:s0 chrony 52173 1 0 06:26 ? 00:00:00 /usr/sbin/chronyd -F 2 :: [ 06:26:15 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "chronyd_t.*chronyd"' (Expected 0, got 0) :: [ 06:26:16 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: active (running) since Wed 2025-04-16 06:26:13 EDT; 2s ago Invocation: ed44829c78144135989157c63526edb8 Docs: man:chronyd(8) man:chrony.conf(5) Process: 52171 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 52173 (chronyd) Tasks: 1 (limit: 10683) Memory: 1M (peak: 2.9M) CPU: 29ms CGroup: /system.slice/chronyd.service └─52173 /usr/sbin/chronyd -F 2 Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Startin…. Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: chro… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: Freq… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: Load… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Started…. Hint: Some lines were ellipsized, use -l to show in full. :: [ 06:26:16 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc tracking' Reference ID : 00000000 () Stratum : 0 Ref time (UTC) : Thu Jan 01 00:00:00 1970 System time : 0.000000000 seconds fast of NTP time Last offset : +0.000000000 seconds RMS offset : 0.000000000 seconds Frequency : 0.000 ppm slow Residual freq : +0.000 ppm Skew : 0.000 ppm Root delay : 1.000000000 seconds Root dispersion : 1.000000000 seconds Update interval : 0.0 seconds Leap status : Not synchronised :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc tracking' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /tmp/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /tmp/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc tracking > /tmp/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc tracking > /tmp/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /tmp/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /tmp/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /tmp/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:user_tmp_t:s0 /tmp/chronyc.output :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /tmp/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc tracking > /var/lib/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc tracking > /var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/lib/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/lib/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:chronyd_var_lib_t:s0 /var/lib/chrony/chronyc.output :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/lib/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/log/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc tracking > /var/log/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc tracking > /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/log/chrony/chronyc.output' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/log/chrony/chronyc.output' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' unconfined_u:object_r:chronyd_var_log_t:s0 /var/log/chrony/chronyc.output :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/log/chrony/chronyc.output | grep -e :user_tmp_t -e :chronyd_var_lib_t -e :chronyd_var_log_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/lib/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/lib/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/lib/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/test' unconfined_u:object_r:var_lib_t:s0 /var/lib/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/lib/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_lib_t:s0 /var/lib/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/lib/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/lib/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/log/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/log/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/log/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/log/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/test' unconfined_u:object_r:var_log_t:s0 /var/log/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/log/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_log_t:s0 /var/log/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/log/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/log/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/log/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/run/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/run/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/run/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/run/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/test' unconfined_u:object_r:var_run_t:s0 /var/run/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/run/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_run_t:s0 /var/run/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/run/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/run/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/run/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/cache/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/cache/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking > /var/cache/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking > /var/cache/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'test -s /var/cache/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'test -s /var/cache/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'chronyc -n tracking >> /var/cache/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'chronyc -n tracking >> /var/cache/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/cache/test' unconfined_u:object_r:var_t:s0 /var/cache/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/cache/test' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'ls -Z /var/cache/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' unconfined_u:object_r:var_t:s0 /var/cache/test :: [ 06:26:18 ] :: [ PASS ] :: Command 'ls -Z /var/cache/test | grep -e :var_lib_t -e :var_log_t -e :var_run_t -e :var_t' (Expected 0, got 0) :: [ 06:26:18 ] :: [ BEGIN ] :: Running 'rm -f /var/cache/test' :: [ 06:26:18 ] :: [ PASS ] :: Command 'rm -f /var/cache/test' (Expected 0, got 0) :: [ 06:26:21 ] :: [ BEGIN ] :: Running 'getsebool -a | grep nscd' nscd_use_shm --> on :: [ 06:26:21 ] :: [ PASS ] :: Command 'getsebool -a | grep nscd' (Expected 0, got 0) :: [ 06:26:21 ] :: [ BEGIN ] :: Running 'chronyc sources' MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #? SHM0 0 4 0 - +0ns[ +0ns] +/- 0ns #? SOC1 0 4 0 - +0ns[ +0ns] +/- 0ns ^? hc-007-ntp1.weber.edu 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp1.glypnod.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? startkeylogger.hungrycat> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2602:2eb:2:95:1234:5678:> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? t2.davehart.net 0 6 0 - +0ns[ +0ns] +/- 0ns ^? kjsl-fmt2-net.fmt2.kjsl.> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2603:c024:c005:a600:efb6> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp.maxhost.io 0 6 0 - +0ns[ +0ns] +/- 0ns :: [ 06:26:21 ] :: [ PASS ] :: Command 'chronyc sources' (Expected 0, got 0) :: [ 06:26:21 ] :: [ BEGIN ] :: Running 'ksh -c "chronyc sources"' MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #? SHM0 0 4 0 - +0ns[ +0ns] +/- 0ns #? SOC1 0 4 0 - +0ns[ +0ns] +/- 0ns ^? hc-007-ntp1.weber.edu 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp1.glypnod.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? startkeylogger.hungrycat> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2602:2eb:2:95:1234:5678:> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? t2.davehart.net 0 6 0 - +0ns[ +0ns] +/- 0ns ^? kjsl-fmt2-net.fmt2.kjsl.> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2603:c024:c005:a600:efb6> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp.maxhost.io 0 6 0 - +0ns[ +0ns] +/- 0ns :: [ 06:26:21 ] :: [ PASS ] :: Command 'ksh -c "chronyc sources"' (Expected 0, got 0) :: [ 06:26:21 ] :: [ BEGIN ] :: Running 'chronyc serverstats' NTP packets received : 0 NTP packets dropped : 0 Command packets received : 35 Command packets dropped : 0 Client log records dropped : 0 NTS-KE connections accepted: 0 NTS-KE connections dropped : 0 Authenticated NTP packets : 0 Interleaved NTP packets : 0 NTP timestamps held : 0 NTP timestamp span : 0 NTP daemon RX timestamps : 0 NTP daemon TX timestamps : 0 NTP kernel RX timestamps : 0 NTP kernel TX timestamps : 0 NTP hardware RX timestamps : 0 NTP hardware TX timestamps : 0 :: [ 06:26:21 ] :: [ PASS ] :: Command 'chronyc serverstats' (Expected 0, got 0) :: [ 06:26:21 ] :: [ BEGIN ] :: Running 'service chronyd stop' Redirecting to /bin/systemctl stop chronyd.service :: [ 06:26:21 ] :: [ PASS ] :: Command 'service chronyd stop' (Expected 0, got 0) :: [ 06:26:22 ] :: [ BEGIN ] :: Running 'service chronyd status' Redirecting to /bin/systemctl status chronyd.service ○ chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled) Active: inactive (dead) since Wed 2025-04-16 06:26:21 EDT; 1s ago Duration: 7.381s Invocation: ed44829c78144135989157c63526edb8 Docs: man:chronyd(8) man:chrony.conf(5) Process: 52171 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 52173 (code=exited, status=0/SUCCESS) Mem peak: 2.9M CPU: 34ms Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Startin…. Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: chro… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: Freq… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: Load… Apr 16 06:26:13 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Started…. Apr 16 06:26:21 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[52173]: chro… Apr 16 06:26:21 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Stoppin…. Apr 16 06:26:21 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: chronyd…. Apr 16 06:26:21 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Stopped…. Hint: Some lines were ellipsized, use -l to show in full. :: [ 06:26:22 ] :: [ PASS ] :: Command 'service chronyd status' (Expected 0,1,3, got 3) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 15s :: Assertions: 62 good, 0 bad :: RESULT: PASS (real scenario) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#1530525 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'rm -f /etc/chrony.keys' :: [ 06:26:24 ] :: [ PASS ] :: Command 'rm -f /etc/chrony.keys' (Expected 0, got 0) :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'touch /etc/chrony.keys' :: [ 06:26:24 ] :: [ PASS ] :: Command 'touch /etc/chrony.keys' (Expected 0, got 0) :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'restorecon -v /etc/chrony.keys' Relabeled /etc/chrony.keys from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:chronyd_keys_t:s0 :: [ 06:26:24 ] :: [ PASS ] :: Command 'restorecon -v /etc/chrony.keys' (Expected 0, got 0) :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'chronyc keygen 1111 SHA1 > /etc/chrony.keys' :: [ 06:26:24 ] :: [ PASS ] :: Command 'chronyc keygen 1111 SHA1 > /etc/chrony.keys' (Expected 0, got 0) :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'chronyc keygen 1111 SHA1 >> /etc/chrony.keys' :: [ 06:26:24 ] :: [ PASS ] :: Command 'chronyc keygen 1111 SHA1 >> /etc/chrony.keys' (Expected 0, got 0) :: [ 06:26:24 ] :: [ BEGIN ] :: Running 'ls -Z /etc/chrony.keys | grep :chronyd_keys_t' unconfined_u:object_r:chronyd_keys_t:s0 /etc/chrony.keys :: [ 06:26:24 ] :: [ PASS ] :: Command 'ls -Z /etc/chrony.keys | grep :chronyd_keys_t' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 0s :: Assertions: 6 good, 0 bad :: RESULT: PASS (real scenario -- bz#1530525) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#1961207 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:24 ] :: [ BEGIN ] :: Running './chrony-nts-test.sh' Generating a 256 bit EdDSA (Ed25519) private key ... Generating a self signed certificate... X.509 Certificate Information: Version: 3 Serial Number (hex): 01 Validity: Not Before: Wed Jan 01 00:00:00 UTC 2020 Not After: Tue Jan 01 00:00:00 UTC 2030 Subject: CN=chrony-nts-test Subject Public Key Algorithm: EdDSA (Ed25519) Algorithm Security Level: High (256 bits) Curve: Ed25519 X: 5a:eb:a4:ad:02:60:ee:1f:bb:12:f7:52:95:27:9c:aa 0f:24:4d:95:d3:36:3c:23:8c:a6:e4:c5:c4:31:f9:4c Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Usage (critical): Digital signature. Subject Key Identifier (not critical): 576792542f0eebd79dfa9928efd25c9518b55fe2 Other Information: Public Key ID: sha1:576792542f0eebd79dfa9928efd25c9518b55fe2 sha256:1670a5bbcb97b70b2270f472e8f549516e9900485bd3dac04fe44cb530047ea9 Public Key PIN: pin-sha256:FnClu8uXtwsicPRy6PVJUW6ZAEhb09rAT+RMtTAEfqk= Signing certificate... Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen ========================================================================= chrony-nts-test NTS 1 30 128 0 0 0 8 64 time.cloudflare.com NTS 0 0 0 - 1 0 0 0 :: [ 06:26:28 ] :: [ PASS ] :: Command './chrony-nts-test.sh' (Expected 0, got 0) :: [ 06:26:28 ] :: [ BEGIN ] :: Running 'rm -f /var/lib/chrony/*.nts' :: [ 06:26:28 ] :: [ PASS ] :: Command 'rm -f /var/lib/chrony/*.nts' (Expected 0, got 0) :: [ 06:26:28 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd' :: [ 06:26:28 ] :: [ PASS ] :: Command 'systemctl restart chronyd' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 3 good, 0 bad :: RESULT: PASS (real scenario -- bz#1961207) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2065313 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:28 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t unconfined_t : unix_dgram_socket { sendto }' FILTERED RULES allow chronyd_t unconfined_t:unix_dgram_socket sendto; :: [ 06:26:29 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 1 good, 0 bad :: RESULT: PASS (bz#2065313) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#2065313 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:29 ] :: [ LOG ] :: special socat command talks to chronyd via its UNIX socket 00000000 06 02 00 00 00 21 00 05 00 00 00 00 00 00 00 00 |.....!..........| 00000010 21 d7 e4 22 00 00 00 00 00 00 00 00 7f 7f 01 01 |!.."............| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 00 00 00 00 00 0a 00 00 00 00 00 00 67 ff 85 d2 |............g...| 00000040 21 56 e9 31 00 00 00 00 00 00 00 00 00 00 00 00 |!V.1............| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 00 00 00 00 00 00 00 00 |........| 00000068 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 0 good, 0 bad :: RESULT: PASS (real scenario -- bz#2065313) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2118628 + bz#2118631 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:30 ] :: [ BEGIN ] :: Running 'seinfo --portcon=319 | grep "portcon udp .*:ptp_event_port_t"' portcon udp 319 system_u:object_r:ptp_event_port_t:s0 :: [ 06:26:30 ] :: [ PASS ] :: Command 'seinfo --portcon=319 | grep "portcon udp .*:ptp_event_port_t"' (Expected 0, got 0) :: [ 06:26:30 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_t ptp_event_port_t : udp_socket { name_bind } [ ]' FILTERED RULES allow chronyd_t ptp_event_port_t:udp_socket name_bind; :: [ 06:26:32 ] :: [ PASS ] :: check permission 'name_bind' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (bz#2118628 + bz#2118631) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario -- bz#2118628 + bz#2118631 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:32 ] :: [ BEGIN ] :: Running 'echo -en ' allow ptpport 319 server 127.0.0.1 port 319 minpoll 0 maxpoll 0 ' >> /etc/chrony.conf' :: [ 06:26:32 ] :: [ PASS ] :: Command 'echo -en ' allow ptpport 319 server 127.0.0.1 port 319 minpoll 0 maxpoll 0 ' >> /etc/chrony.conf' (Expected 0, got 0) :: [ 06:26:32 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd' :: [ 06:26:32 ] :: [ PASS ] :: Command 'systemctl restart chronyd' (Expected 0, got 0) :: [ 06:26:37 ] :: [ BEGIN ] :: Running 'chronyc ntpdata 127.0.0.1 | grep 'Total RX'' Total RX : 5 :: [ 06:26:37 ] :: [ PASS ] :: Command 'chronyc ntpdata 127.0.0.1 | grep 'Total RX'' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 5s :: Assertions: 3 good, 0 bad :: RESULT: PASS (real scenario -- bz#2118628 + bz#2118631) chronyd_restricted_t is defined :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: RHEL-82299 + RHEL-82308 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:37 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyc_t chronyd_restricted_t : unix_dgram_socket { sendto } [ ]' FILTERED RULES allow chronyc_t chronyd_restricted_t:unix_dgram_socket sendto; :: [ 06:26:39 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :: [ 06:26:39 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow chronyd_restricted_t chronyc_t : unix_dgram_socket { sendto } [ ]' FILTERED RULES allow chronyd_restricted_t chronyc_t:unix_dgram_socket sendto; :: [ 06:26:40 ] :: [ PASS ] :: check permission 'sendto' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 3s :: Assertions: 2 good, 0 bad :: RESULT: PASS (RHEL-82299 + RHEL-82308) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: chronyd-restricted -- bz#2169949 + RHEL-18219 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:40 ] :: [ BEGIN ] :: Running 'systemctl stop chronyd' :: [ 06:26:40 ] :: [ PASS ] :: Command 'systemctl stop chronyd' (Expected 0, got 0) :: [ 06:26:40 ] :: [ BEGIN ] :: Running 'mkdir -p /etc/systemd/system/chronyd-restricted.service.d' :: [ 06:26:40 ] :: [ PASS ] :: Command 'mkdir -p /etc/systemd/system/chronyd-restricted.service.d' (Expected 0, got 0) SELinuxContext=system_u:system_r:chronyd_restricted_t:s0 :: [ 06:26:40 ] :: [ BEGIN ] :: Running 'systemctl start chronyd-restricted' :: [ 06:26:40 ] :: [ PASS ] :: Command 'systemctl start chronyd-restricted' (Expected 0, got 0) :: [ 06:26:43 ] :: [ BEGIN ] :: Running 'ps -o pid,uid,command,context -C chronyd | grep -1 system_u:system_r:chronyd_restricted_t:' PID UID COMMAND CONTEXT 56530 995 /usr/sbin/chronyd -U -F 2 system_u:system_r:chronyd_restricted_t:s0 56531 995 /usr/sbin/chronyd -U -F 2 system_u:system_r:chronyd_restricted_t:s0 :: [ 06:26:43 ] :: [ PASS ] :: Command 'ps -o pid,uid,command,context -C chronyd | grep -1 system_u:system_r:chronyd_restricted_t:' (Expected 0, got 0) :: [ 06:26:43 ] :: [ BEGIN ] :: Running 'systemctl status chronyd-restricted' ● chronyd-restricted.service - NTP client (restricted) Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled) Active: active (running) since Wed 2025-04-16 06:26:40 EDT; 3s ago Invocation: 55f9cc23c9fc45e69974a82f0d751a90 Docs: man:chronyd(8) man:chrony.conf(5) Process: 56524 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 56530 (chronyd) Tasks: 2 (limit: 10683) Memory: 17.7M (peak: 17.7M) CPU: 115ms CGroup: /system.slice/chronyd-restricted.service ├─56530 /usr/sbin/chronyd -U -F 2 └─56531 /usr/sbin/chronyd -U -F 2 Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Load… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Load… Apr 16 06:26:40 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Started…. Apr 16 06:26:41 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56530]: Coul… Hint: Some lines were ellipsized, use -l to show in full. :: [ 06:26:43 ] :: [ PASS ] :: Command 'systemctl status chronyd-restricted' (Expected 0, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'chronyc reload sources' 200 OK :: [ 06:26:44 ] :: [ PASS ] :: Command 'chronyc reload sources' (Expected 0,1, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'systemctl restart chronyd-restricted' :: [ 06:26:44 ] :: [ PASS ] :: Command 'systemctl restart chronyd-restricted' (Expected 0, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'systemctl status chronyd-restricted' ● chronyd-restricted.service - NTP client (restricted) Loaded: loaded (/usr/lib/systemd/system/chronyd-restricted.service; disabled; preset: disabled) Active: active (running) since Wed 2025-04-16 06:26:44 EDT; 32ms ago Invocation: 2fe3168ed1f443899301eb7a661d9e8c Docs: man:chronyd(8) man:chrony.conf(5) Process: 56639 ExecStart=/usr/sbin/chronyd -U $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 56645 (chronyd) Tasks: 2 (limit: 10683) Memory: 1.3M (peak: 4.3M) CPU: 30ms CGroup: /system.slice/chronyd-restricted.service ├─56645 /usr/sbin/chronyd -U -F 2 └─56646 /usr/sbin/chronyd -U -F 2 Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: chro… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Coul… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Load… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 chronyd[56645]: Load… Apr 16 06:26:44 prereserve-1mt-rhel-10.1-20250330.2-28248-2025-04-16-09-58 systemd[1]: Started…. Hint: Some lines were ellipsized, use -l to show in full. :: [ 06:26:44 ] :: [ PASS ] :: Command 'systemctl status chronyd-restricted' (Expected 0, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'systemctl stop chronyd-restricted' :: [ 06:26:44 ] :: [ PASS ] :: Command 'systemctl stop chronyd-restricted' (Expected 0, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'rm -f /etc/systemd/system/chronyd-restricted.service.d/context.conf' :: [ 06:26:44 ] :: [ PASS ] :: Command 'rm -f /etc/systemd/system/chronyd-restricted.service.d/context.conf' (Expected 0, got 0) :: [ 06:26:44 ] :: [ BEGIN ] :: Running 'systemctl daemon-reload' :: [ 06:26:44 ] :: [ PASS ] :: Command 'systemctl daemon-reload' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 4s :: Assertions: 11 good, 0 bad :: RESULT: PASS (chronyd-restricted -- bz#2169949 + RHEL-18219) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Cleanup :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 06:26:46 ] :: [ LOG ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [04/16/2025 06:23:31] :: [ 06:26:46 ] :: [ INFO ] :: rlSEAVCCheck: ignoring patterns: :: [ 06:26:46 ] :: [ INFO ] :: rlSEAVCCheck: type=USER_AVC.*received (policyload|setenforce) notice :: [ 06:26:46 ] :: [ PASS ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 0) :: [ 06:26:46 ] :: [ BEGIN ] :: Running 'rm -f /tmp/chronyc.output /var/lib/chrony/chronyc.output /var/log/chrony/chronyc.output' :: [ 06:26:46 ] :: [ PASS ] :: Command 'rm -f /tmp/chronyc.output /var/lib/chrony/chronyc.output /var/log/chrony/chronyc.output' (Expected 0, got 0) Redirecting to /bin/systemctl status ntpd.service Unit ntpd.service could not be found. :: [ 06:26:46 ] :: [ WARNING ] :: rlServiceRestore: service ntpd status returned 4 :: [ 06:26:46 ] :: [ WARNING ] :: rlServiceRestore: Guessing that current state of ntpd is stopped Redirecting to /bin/systemctl status chronyd.service Redirecting to /bin/systemctl start chronyd.service :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 2 good, 0 bad :: RESULT: PASS (Cleanup)