Bug 1255944
| Summary: | SELinux is preventing chrony-helper from 'write' accesses on the file lock. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Thomas Drake-Brockman <thomas> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:aac7ad3ccc2fba2ce908019428a93b24dbdede396acf202c274d3d43f8228768 | ||
| Fixed In Version: | 3.13.1-128.13.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-09-16 21:20:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit 93f93a18558a48c73bab38a6f12f0884b8e369fc
Author: Lukas Vrabec <lvrabec>
Date: Thu Aug 13 13:23:54 2015 +0200
Label /var/run/chrony-helper dir as chronyd_var_run_t.
selinux-policy-3.13.1-128.13.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798 selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798 selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing chrony-helper from 'write' accesses on the file lock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that chrony-helper should be allowed write access on the lock file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep chrony-helper /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:chronyd_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects lock [ file ] Source chrony-helper Source Path chrony-helper Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.4-200.fc22.x86_64 #1 SMP Tue Aug 4 03:22:33 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-08-22 13:44:06 AWST Last Seen 2015-08-22 13:44:06 AWST Local ID 7e5346a2-6394-44ff-a2e4-935b45189521 Raw Audit Messages type=AVC msg=audit(1440222246.972:657): avc: denied { write } for pid=29114 comm="chrony-helper" name="lock" dev="tmpfs" ino=24384 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 Hash: chrony-helper,chronyd_t,var_run_t,file,write Version-Release number of selected component: selinux-policy-3.13.1-128.10.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.1.4-200.fc22.x86_64 type: libreport