Bug 1255944 - SELinux is preventing chrony-helper from 'write' accesses on the file lock.
Summary: SELinux is preventing chrony-helper from 'write' accesses on the file lock.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:aac7ad3ccc2fba2ce908019428a...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-22 05:53 UTC by Thomas Drake-Brockman
Modified: 2015-09-16 21:20 UTC (History)
5 users (show)

Fixed In Version: 3.13.1-128.13.fc22
Clone Of:
Environment:
Last Closed: 2015-09-16 21:20:41 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Thomas Drake-Brockman 2015-08-22 05:53:59 UTC 
Description of problem:
SELinux is preventing chrony-helper from 'write' accesses on the file lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chrony-helper should be allowed write access on the lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrony-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                lock [ file ]
Source                        chrony-helper
Source Path                   chrony-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.4-200.fc22.x86_64 #1 SMP Tue
                              Aug 4 03:22:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-22 13:44:06 AWST
Last Seen                     2015-08-22 13:44:06 AWST
Local ID                      7e5346a2-6394-44ff-a2e4-935b45189521

Raw Audit Messages
type=AVC msg=audit(1440222246.972:657): avc:  denied  { write } for  pid=29114 comm="chrony-helper" name="lock" dev="tmpfs" ino=24384 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: chrony-helper,chronyd_t,var_run_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.4-200.fc22.x86_64
type:           libreport
Comment 1 Lukas Vrabec 2015-08-27 12:22:40 UTC 
commit 93f93a18558a48c73bab38a6f12f0884b8e369fc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 13 13:23:54 2015 +0200

    Label /var/run/chrony-helper dir as chronyd_var_run_t.
Comment 2 Fedora Update System 2015-09-14 09:59:58 UTC 
selinux-policy-3.13.1-128.13.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
Comment 3 Fedora Update System 2015-09-15 05:55:35 UTC 
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
Comment 4 Fedora Update System 2015-09-16 21:20:27 UTC 
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.