Bug 667301
| Summary: | SELinux policy problem with chrony | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bastian Ebeling <bastian.ebeling> | ||||||
| Component: | chrony | Assignee: | Miroslav Lichvar <mlichvar> | ||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | low | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 14 | CC: | bastian.ebeling, dwalsh, mlichvar | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2011-01-06 14:00:57 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 471806 [details]
.te-ruleset by audit2allow
Created attachment 471807 [details]
.pp-ruleset by audit2allow
Hm, I don't see it here, with allow_daemons_use_tty off. I think you have something mislabeled in /var/run
restorecon -R -v /var/run /var/log
Should fix.
This looks like a leaked file descriptor
allow chronyd_t user_devpts_t:chr_file { read write };
Hi, I tried "restorecon ..." and that did not work. But later (sorry) I found, that in my "chrony.conf" the log-dir was set up fine - but the instances to log have been commented out... Thus no files got produces - as it should be. Maybe the defaults should be changed? It seems to be running fine now. Thanks for your assistance. |
Description of problem: After successful installation of chrony into my fresh fine running fc14 (2.6.35.10-74 kernel) in Oracle VM VirtualBox (3.2.12 r68302) on my Intel Core Quad Q9550 I got SELinux complains: /usr/sbin/chronyd like to read/write to chronyd.pid. Further I found entries in /var/log/messages, that /var/lib/chrony/drift could not be opened. Also no files in /var/log/chrony got created. I ran "grep chronyd /var/log/audit/audit*|audit2allow" and got #============= chronyd_t ============== #!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty' allow chronyd_t user_devpts_t:chr_file { read write }; allow chronyd_t var_run_t:file { read write }; and created my local rule by "grep chronyd /var/log/audit/audit*|audit2allow -M localchronydrules". After installation of this rule, again no files in /var/log/chrony got created - even after a restart. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: