Bug 2131733 - SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1
Summary: SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr...
Keywords:
Status: CLOSED DUPLICATE of bug 2119507
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-03 14:05 UTC by RG
Modified: 2022-11-08 10:42 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-03 15:44:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System: Red Hat Issue Tracker; ID: RHELPLAN-135562; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2022-10-03 14:14:10 UTC

Description RG 2022-10-03 14:05:43 UTC
Description of problem:

Every 4 hours, SELinux policy generates log messages for chronyc:

Oct  3 04:22:38 [host] setroubleshoot[473492]: SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1. For complete SELinux messages run: sealert -l 4eaac90c-fb29-4072-9936-36b9706bda76

Oct  3 04:22:38 ppm-rhel-test-4 setroubleshoot[473492]: SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore chronyc trying to read write access the 1 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/bin/chronyc --raw | audit2allow -D -M my-chronyc#012# semodule -X 300 -i my-chronyc.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that chronyc should be allowed read write access on the 1 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chronyc' --raw | audit2allow -M my-chronyc#012# semodule -X 300 -i my-chronyc.pp#012



Version-Release number of selected component (if applicable):

cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)


How reproducible:

Stock install (base) with chrony.

Comment 1 RG 2022-10-03 14:07:08 UTC
# sealert -l 4eaac90c-fb29-4072-9936-36b9706bda76
SELinux is preventing /usr/bin/chronyc from 'read, write' accesses on the chr_file /dev/pts/1.

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore chronyc trying to read write access the 1 chr_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/bin/chronyc --raw | audit2allow -D -M my-chronyc
# semodule -X 300 -i my-chronyc.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that chronyc should be allowed read write access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chronyc' --raw | audit2allow -M my-chronyc
# semodule -X 300 -i my-chronyc.pp


Additional Information:
Source Context                system_u:system_r:chronyc_t:s0
Target Context                system_u:object_r:devpts_t:s0
Target Objects                /dev/pts/1 [ chr_file ]
Source                        chronyc
Source Path                   /usr/bin/chronyc
Port                          <Unknown>
Host                          ppm-rhel-test-4
Source RPM Packages           chrony-4.1-1.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ppm-rhel-test-4
Platform                      Linux ppm-rhel-test-4 4.18.0-372.26.1.el8_6.x86_64
                              #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
Alert Count                   13
First Seen                    2022-09-30 21:06:42 PDT
Last Seen                     2022-10-03 04:22:35 PDT
Local ID                      4eaac90c-fb29-4072-9936-36b9706bda76

Raw Audit Messages
type=AVC msg=audit(1664796155.615:2016): avc:  denied  { read write } for  pid=473440 comm="chronyc" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1664796155.615:2016): arch=x86_64 syscall=execve success=yes exit=0 a0=5617eb45fa80 a1=5617eb45ff70 a2=5617eb45c860 a3=1b6 items=0 ppid=473439 pid=473440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)

Hash: chronyc,chronyc_t,devpts_t,chr_file,read,write

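The sealert output above tells the administrator to pipe the AVC records through audit2allow (with -D for a dontaudit module). As an added illustration of what that step does (example code, not from the bug report, from setroubleshoot or from the selinux-policy project), the following Python parses type=AVC records in the format shown under "Raw Audit Messages", extracts the source type, target type, object class and denied permissions, and emits the allow or dontaudit rule audit2allow would generate, merging repeated denials the way audit2allow does. The names AvcRecord, parse_avc and policy_rules, the abbreviated SYSCALL line and the non-chronyc sample records (example_t) are constructed for this example. A rule built this way is a local workaround for one host; the policy fix referenced in comment 4 is the proper resolution.

```python
"""Minimal parser for SELinux AVC denial records, turning each denial into
the Type Enforcement rule that audit2allow would generate for it.

Added example written for this bug report; it is not code from the page,
from setroubleshoot or from the selinux-policy project.  The first sample
record is the denial quoted in comment 1; the other records are constructed
to show that the parser is not specific to chronyc.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc:  denied  { perms } for  k=v ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are double-quoted (comm, path, dev) or bare (ino, scontext).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: tuple
    fields: dict

    def _type_of(self, context_key):
        # An SELinux context is user:role:type[:range]; the type is field 2.
        return self.fields[context_key].split(":")[2]

    def source_type(self):
        return self._type_of("scontext")

    def target_type(self):
        return self._type_of("tcontext")

    def as_te_rule(self, dontaudit=False):
        """Rule audit2allow (audit2allow -D for dontaudit) would emit for this record."""
        verb = "dontaudit" if dontaudit else "allow"
        return (f"{verb} {self.source_type()} {self.target_type()}:"
                f"{self.fields['tclass']} {{ {' '.join(self.perms)} }};")

    def is_enforced(self):
        # permissive=1 means the access was only logged; permissive=0 means it was blocked.
        return self.result == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line):
    """Return an AvcRecord for a type=AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if bare == "" else bare
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def policy_rules(lines, dontaudit=False):
    """Merge the denials in `lines` into one rule per (source, target, class),
    as audit2allow does, skipping non-AVC records and granted accesses."""
    merged = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.result != "denied":
            continue
        key = (rec.source_type(), rec.target_type(), rec.fields["tclass"])
        merged.setdefault(key, set()).update(rec.perms)
    verb = "dontaudit" if dontaudit else "allow"
    return [f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in merged.items()]


# Denial quoted in comment 1 of this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1664796155.615:2016): avc:  denied  { read write } for  '
    'pid=473440 comm="chronyc" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 '
    'tclass=chr_file permissive=0'
)
# Abbreviated form of the accompanying SYSCALL record; it is not an AVC and is skipped.
SAMPLE_SYSCALL = ('type=SYSCALL msg=audit(1664796155.615:2016): arch=x86_64 syscall=execve '
                  'success=yes exit=0 comm=chronyc exe=/usr/bin/chronyc')
# Constructed records (not from the report; example_t is not a real type) to
# show two denials for the same source/target/class being merged into one rule.
CONSTRUCTED = [
    'type=AVC msg=audit(1700000000.100:41): avc:  denied  { getattr } for  pid=1234 '
    'comm="example_daemon" path="/srv/data/file" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.200:42): avc:  denied  { read } for  pid=1234 '
    'comm="example_daemon" path="/srv/data/file" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file permissive=0',
]

if __name__ == "__main__":
    for rule in policy_rules([SAMPLE_AVC, SAMPLE_SYSCALL] + CONSTRUCTED):
        print(rule)
```

Running the block prints the merged rules, the first of which is the chronyc denial from this report: allow chronyc_t devpts_t:chr_file { read write };. Passing dontaudit=True produces the silencing variant the "leaks" plugin recommends when the access is believed unnecessary; in both cases the generated module only masks the symptom, so it is worth recording which host-local modules were installed so they can be removed once the fixed selinux-policy package is in place.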
Comment 2 Zdenek Pytela 2022-10-03 14:48:49 UTC
commit 822a150f673b5d376d077777d0bb41cbd3352c6b
Author: Zdenek Pytela <zpytela>
Date:   Mon Aug 22 12:44:49 2022 +0200

    Allow chronyc read and write generic pty type

Comment 4 Zdenek Pytela 2022-10-03 15:44:27 UTC
Right, the fix for this issue was part of a large patchset for RHEL 8.7.

*** This bug has been marked as a duplicate of bug 2119507 ***