Bug 1508486

Summary: AVC denial about chronyc, chronyd_t, and chronyc_exec_t
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.5CC: dapospis, jpazdziora, lslebodn, lvrabec, mgrepl, mmalik, pholica, plautrba, ssekidde
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-176.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:46:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1477564    

Description Jan Pazdziora (Red Hat) 2017-11-01 14:18:13 UTC 
Description of problem:

When docker is started, it likely does something to chronyd which leads to chrony-helper invocation. That produces AVC denials.

Version-Release number of selected component (if applicable):

docker-1.12.6-61.git85d7426.el7.x86_64
chrony-3.2-1.el7.x86_64
selinux-policy-3.13.1-175.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install docker from Extras.
2. systemctl start docker
3. Check audit.log

Actual results:

type=AVC msg=audit(1509545489.744:85): avc:  denied  { execute_no_trans } for  pid=13062 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0" ino=283534 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file

Expected results:

No AVC denial.

Additional info:
Comment 3 Jan Pazdziora (Red Hat) 2017-11-01 14:18:38 UTC 
I believe this is RHEL version of Fedora bug 1507478.
Comment 5 Jan Pazdziora (Red Hat) 2017-11-01 14:19:42 UTC 
On RHEL 7.5, I see

# ls -laZ /usr/bin/chronyc
-rwxr-xr-x. root root system_u:object_r:chronyc_exec_t:s0 /usr/bin/chronyc

On RHEL 7.4 with selinux-policy-3.13.1-166.el7_4.5.noarch, there is

# ls -laZ /usr/bin/chronyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/chronyc
Comment 6 Lukas Vrabec 2017-11-01 14:22:55 UTC 
Jan, 

You're right. This should be fixed in RHEL-7.5. Adding devel_ack+. 

Thanks,
Lukas.
Comment 15 errata-xmlrpc 2018-04-10 12:46:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763