Bug 2131733
| Summary: | SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | RG <ronnie.grant> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.6 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.8 | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-10-03 15:44:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
RG
2022-10-03 14:05:43 UTC
# sealert -l 4eaac90c-fb29-4072-9936-36b9706bda76
SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1.
***** Plugin leaks (86.2 confidence) suggests *****************************
If you want to ignore chronyc trying to read write access the 1 chr_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/bin/chronyc --raw | audit2allow -D -M my-chronyc
# semodule -X 300 -i my-chronyc.pp
***** Plugin catchall (14.7 confidence) suggests **************************
If you believe that chronyc should be allowed read write access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chronyc' --raw | audit2allow -M my-chronyc
# semodule -X 300 -i my-chronyc.pp
Additional Information:
Source Context system_u:system_r:chronyc_t:s0
Target Context system_u:object_r:devpts_t:s0
Target Objects /dev/pts/1 [ chr_file ]
Source chronyc
Source Path /usr/bin/chronyc
Port <Unknown>
Host ppm-rhel-test-4
Source RPM Packages chrony-4.1-1.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ppm-rhel-test-4
Platform Linux ppm-rhel-test-4 4.18.0-372.26.1.el8_6.x86_64
#1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
Alert Count 13
First Seen 2022-09-30 21:06:42 PDT
Last Seen 2022-10-03 04:22:35 PDT
Local ID 4eaac90c-fb29-4072-9936-36b9706bda76
Raw Audit Messages
type=AVC msg=audit(1664796155.615:2016): avc: denied { read write } for pid=473440 comm="chronyc" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1664796155.615:2016): arch=x86_64 syscall=execve success=yes exit=0 a0=5617eb45fa80 a1=5617eb45ff70 a2=5617eb45c860 a3=1b6 items=0 ppid=473439 pid=473440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
Hash: chronyc,chronyc_t,devpts_t,chr_file,read,write
commit 822a150f673b5d376d077777d0bb41cbd3352c6b
Author: Zdenek Pytela <zpytela>
Date: Mon Aug 22 12:44:49 2022 +0200
Allow chronyc read and write generic pty type
Right, fix for this issue was a part of a large patchset for RHEL 8.7. *** This bug has been marked as a duplicate of bug 2119507 *** |