ksh-20120801-248.fc29.x86_64
selinux-policy-3.14.2-26.fc29.noarch
reproduces as well

+++ This bug was initially created as a clone of Bug #1618757 +++

Description of problem:
chronyc executed from ksh is denied to write to pipe (actually a socket) with AVC:
type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-215.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. # ksh -c "chronyc -n sources |grep '1'"

Actual results:
empty output

Expected results:
st like
210 Number of sources = 4
^? 195.21.152.161 0 10 0 - +0ns[ +0ns] +/- 0ns
^? 72.30.35.89 0 10 0 - +0ns[ +0ns] +/- 0ns
^? 2600:3c03::f03c:91ff:feae:82c1 0 9 0 - +0ns[ +0ns] +/- 0ns
^? 63.211.239.58 0 10 0 - +0ns[ +0ns] +/- 0ns

Additional info:
other shells don't trigger (different pipe handling)
by default no record in audit log, `semanage dontaudit off` needed to reveal
more AVCs occur after `semanage permissive -d chronyc_t`

type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.216:338): arch=c000003e syscall=59 success=yes exit=0 a0=7ff823cccc29 a1=7ff823ccc6b0 a2=7ff823ccca38 a3=0 items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.216:338): proctitle=6368726F6E7963002D6E00736F7572636573

type=AVC msg=audit(1534512601.218:339): avc: denied { ioctl } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.218:339): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7ffd56fca780 a3=56505e9ad0dd items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.218:339): proctitle=6368726F6E7963002D6E00736F7572636573

type=AVC msg=audit(1534512601.220:340): avc: denied { getattr } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1534512601.220:340): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7ffd56fc8cb0 a2=7ffd56fc8cb0 a3=56505e9ad072 items=0 ppid=27458 pid=27459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1534512601.220:340): proctitle=6368726F6E7963002D6E00736F7572636573
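Added example, not part of the original report or of any Fedora tooling: a small Python parser that groups the AVC denials quoted above by source type, target type and object class, and decodes the hex-encoded PROCTITLE field. The function names are hypothetical; the log lines are copied from the report, with the SYSCALL records and repeated PROCTITLE records left out.

```python
import re
from collections import defaultdict

# Records copied from the report above (SYSCALL and repeated PROCTITLE records omitted).
SAMPLE = """\
type=AVC msg=audit(1534512601.216:338): avc: denied { read write } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=PROCTITLE msg=audit(1534512601.216:338): proctitle=6368726F6E7963002D6E00736F7572636573
type=AVC msg=audit(1534512601.218:339): avc: denied { ioctl } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1534512601.220:340): avc: denied { getattr } for pid=27459 comm="chronyc" path="socket:[48180]" dev="sockfs" ino=48180 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{ ([^}]*)\} for .*?'
                    r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
PROCTITLE_RE = re.compile(r'type=PROCTITLE msg=audit\([\d.]+:(\d+)\): proctitle=(\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def decode_proctitle(value):
    """Quoted values are literal; unquoted values are hex with NUL-separated arguments."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")

def summarize(log):
    """Group denied permissions per (source type, target type, class); map event serial to command."""
    denials = defaultdict(set)
    commands = {}
    for line in log.splitlines():
        if m := AVC_RE.search(line):
            _, perms, scon, tcon, tclass = m.groups()
            denials[(selinux_type(scon), selinux_type(tcon), tclass)].update(perms.split())
        elif m := PROCTITLE_RE.search(line):
            commands[int(m.group(1))] = decode_proctitle(m.group(2))
    return dict(denials), commands

if __name__ == "__main__":
    denials, commands = summarize(SAMPLE)
    for (src, tgt, cls), perms in denials.items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    for serial, cmd in commands.items():
        print(f"event {serial}: {cmd}")
```

All three denials collapse to one source/target/class triple, which makes it clear that a single access pattern (chronyc_t using a unix_stream_socket inherited from the unconfined_t shell) is behind every record.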
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.