Red Hat Bugzilla – Bug 1618757
chronyc cannot write to pipe (socket when executed from ksh)
Last modified: 2018-10-31 06:14:32 EDT
Description of problem:
chronyc executed from ksh is denied writing to a pipe (actually a socket) with AVC:

type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-215.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. # ksh -c "chronyc -n sources |grep '1'"

Actual results:
empty output

Expected results:
something like

210 Number of sources = 4
^? 195.21.152.161 0 10 0 - +0ns[ +0ns] +/- 0ns
^? 72.30.35.89 0 10 0 - +0ns[ +0ns] +/- 0ns
^? 2600:3c03::f03c:91ff:feae:82c1 0 9 0 - +0ns[ +0ns] +/- 0ns
^? 63.211.239.58 0 10 0 - +0ns[ +0ns] +/- 0ns

Additional info:
other shells don't trigger it (different pipe handling)
by default there is no record in the audit log, `semanage dontaudit off` is needed to reveal it
more AVCs occur after `semanage permissive -d chronyc_t`:

type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.216:338): arch=c000003e syscall=59 success=yes exit=0 a0=7ff823cccc29 a1=7ff823ccc6b0 a2=7ff823ccca38 a3=0 items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.216:338): proctitle=6368726F6E7963002D6E00736F7572636573
type=AVC msg=audit(1534512601.218:339): avc: denied { ioctl } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.218:339): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7ffd56fca780 a3=56505e9ad0dd items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.218:339): proctitle=6368726F6E7963002D6E00736F7572636573
type=AVC msg=audit(1534512601.220:340): avc: denied { getattr } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.220:340): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7ffd56fc8cb0 a2=7ffd56fc8cb0 a3=56505e9ad072 items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.220:340): proctitle=6368726F6E7963002D6E00736F7572636573
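As an added example (not part of the bug report or of selinux-policy), a small Python parser that pulls the denied permissions out of audit records like the ones quoted above, groups them by source type, target type and object class, renders the type-enforcement rule they imply, and decodes the hex PROCTITLE field back to the command line. The sample input is a constructed string made from the report's own AVC and PROCTITLE lines.

```python
"""Summarise SELinux AVC denials from audit records and derive the
minimal allow rule they imply (the same shape audit2allow emits)."""
import re
from collections import defaultdict

# Constructed sample: the AVC and PROCTITLE records quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=PROCTITLE msg=audit(1534512601.216:338): proctitle=6368726F6E7963002D6E00736F7572636573
type=AVC msg=audit(1534512601.218:339): avc: denied { ioctl } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1534512601.220:340): avc: denied { getattr } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

# One AVC record per line; '.' does not cross newlines, so each match stays on its line.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]*) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]

def parse_avc_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (sel_type(m['scontext']), sel_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def decode_proctitle(text):
    """Decode hex PROCTITLE fields (argv joined by NUL bytes) into command lines."""
    titles = set()
    for h in re.findall(r'proctitle=([0-9A-Fa-f]+)', text):
        titles.add(bytes.fromhex(h).decode('utf-8', 'replace').replace('\0', ' '))
    return titles

def te_rules(denials):
    """Render one allow rule per (source, target, class) triple, permissions sorted."""
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(denials.items(), key=lambda kv: kv[0])]

if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT)
    for rule in te_rules(found):
        print(rule)
    print('commands:', ', '.join(sorted(decode_proctitle(SAMPLE_AUDIT))))
```

The derived rule names exactly what the policy would have to grant for chronyc_t to use a unix_stream_socket inherited from the unconfined shell; comparing it against the existing policy is the quickest way to confirm that the socket-pair pipe, not chronyc itself, is what trips the denial.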