Bug 1284691
Summary: | chronyd denial during installation | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | matt jia <mjia> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | medium |
Version: | 24 | CC: | dominick.grift, dwalsh, edgar.hoch, lslebodn, lvrabec, mgrepl, mjia, plautrba, pstudeni |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2016-10-26 08:35:26 UTC | | |
Description
matt jia
2015-11-23 22:31:00 UTC
Hi,

Could you attach output of:

```
ps -efZ | grep unconfined_service_t
```

Thank you.

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

On Fedora 24 I received this AVC message:

```
time->Tue Jun 28 20:09:52 2016
type=AVC msg=audit(1467158992.759:88): avc: denied { sendto } for pid=797 comm="chronyd" path="/run/chrony/chronyc.803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
```

This message I see on a system with Fedora 23 as well.

```
time->Mon Jul 11 20:13:29 2016
type=AVC msg=audit(1468282409.735:108): avc: denied { sendto } for pid=823 comm="chronyd" path="/run/chrony/chronyc.844.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
```

I have run the command of comment #24 on a Fedora 24 system:

```
# ps -efZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 root 1005 1 0 20:20 ? 00:00:00 /usr/libexec/udisks2/udisksd --no-debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2313 2239 0 20:55 pts/0 00:00:00 grep --color=auto unconfined_service_t
```

I have the same messages:

```
type=AVC msg=audit(1468952437.787:227): avc: denied { sendto } for pid=1018 comm="chronyd" path="/run/chrony/chronyc.1108.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
```

It looks like an issue with service chrony-wait.service.

```
[root@host ~]# systemctl stop chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
<no matches>
[root@host ~]# systemctl start chrony-wait.service
[root@host ~]# systemctl restart chronyd.service
[root@host ~]# ausearch -m avc -i
----
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc: denied { sendto } for pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1
```

and it also looks like a duplicate of BZ1350815

Bump

*** This bug has been marked as a duplicate of bug 1350815 ***
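An added example (not part of the bug report and not code from any Fedora tool): a small Python parser that reduces the AVC records quoted in the comments above to the policy rule each one maps to, and separates enforced denials from ones only logged in permissive mode. It accepts both the raw `audit.log` form and the `ausearch -i` form; the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: the four AVC records quoted in the comments above
# (three in raw audit.log form, one in `ausearch -i` interpreted form).
SAMPLE = """\
type=AVC msg=audit(1467158992.759:88): avc: denied { sendto } for pid=797 comm="chronyd" path="/run/chrony/chronyc.803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1468282409.735:108): avc: denied { sendto } for pid=823 comm="chronyd" path="/run/chrony/chronyc.844.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1468952437.787:227): avc: denied { sendto } for pid=1018 comm="chronyd" path="/run/chrony/chronyc.1108.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(08/27/2016 10:29:00.155:189) : avc: denied { sendto } for pid=13418 comm=chronyd path=/run/chrony/chronyc.13455.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted (raw) or bare (-i)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    rules = defaultdict(lambda: {"enforced": 0, "permissive": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # permissive=1 means the access was logged but not actually blocked.
        mode = "permissive" if rec.get("permissive") == "1" else "enforced"
        for perm in rec["perms"]:
            rules[(rec["stype"], rec["ttype"], rec["tclass"], perm)][mode] += 1
    return dict(rules)

def unconfined_targets(rules):
    """Rules whose target runs in the domain for services with no domain of their own."""
    return sorted(r for r in rules if r[1] == "unconfined_service_t")

if __name__ == "__main__":
    for rule, counts in summarize(SAMPLE).items():
        print(*rule, counts)
```

On the records above this yields a single rule, `chronyd_t` to `unconfined_service_t` for `unix_dgram_socket` `sendto`, with three enforced denials and one logged under `permissive=1`.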