Bug 1872304
| Summary: | allow chronyc_t self:tcp_socket create; | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Miroslav HradĂlek <mhradile> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.3 | CC: | amahdal, lvrabec, mmalik, plautrba, qe-baseos-security, ssekidde, vmojzis, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1805931 | Environment: | |
| Last Closed: | 2020-09-10 09:34:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1805931 | ||
| Bug Blocks: | |||
Milosi,
You are right, I haven't noticed it since the change upstream got into rawhide only and is a bit hidden here:
commit cafd50640ad014d92e9efdc9aef3dbde638f1816
Author: Zdenek Pytela <zpytela>
Date: Mon May 18 17:36:08 2020 +0200
Allow chronyc_t domain to use nsswitch
diff --git a/chronyd.te b/chronyd.te
index 258a9750d..47e3692d9 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -207,6 +207,8 @@ files_tmp_filetrans(chronyc_t, chronyd_tmp_t, file)
kernel_read_system_state(chronyc_t)
kernel_read_network_state(chronyc_t)
+auth_use_nsswitch(chronyc_t)
+
corecmd_exec_bin(chronyc_t)
files_rw_inherited_non_security_files(chronyc_t)
because of
sysnet_dns_name_resolve(nsswitch_domain)
in authlogin.te
*** This bug has been marked as a duplicate of bug 1772852 ***
|
The bug is fixed on RHEL-8.3: # sesearch -s chronyc_t -t chronyc_t -c tcp_socket -p create -A allow chronyc_t chronyc_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write }; [ nis_enabled ]:True allow chronyc_t chronyc_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; allow chronyc_t chronyc_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; [ authlogin_nsswitch_use_ldap ]:True allow chronyc_t chronyc_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; [ kerberos_enabled ]:True # The execution of /CoreOS/chrony/Upgrade/basic does not trigger any SELinux denials on RHEL-8.3, even if all 3 above-mentioned booleans are disabled.