Bug 974992 - SELinux prevents /usr/sbin/chronyd from calling sched_setscheduler
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-06-17 06:32 EDT by Milos Malik
Modified: 2014-06-17 22:22 EDT
Last Closed: 2014-06-13 05:23:20 EDT
Doc Type: Bug Fix
Type: Bug

Description Milos Malik 2013-06-17 06:32:23 EDT
Description of problem:

Version-Release number of selected component (if applicable):
chrony-1.27-3.el7.x86_64
selinux-policy-3.12.1-49.el7.noarch
selinux-policy-devel-3.12.1-49.el7.noarch
selinux-policy-doc-3.12.1-49.el7.noarch
selinux-policy-minimum-3.12.1-49.el7.noarch
selinux-policy-mls-3.12.1-49.el7.noarch
selinux-policy-targeted-3.12.1-49.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine
2. add "sched_priority 50" to /etc/chrony.conf
3. service chronyd restart
4. search for AVCs

Actual results:
----
type=SYSCALL msg=audit(06/17/2013 12:29:21.658:25065) : arch=x86_64 syscall=sched_setscheduler success=no exit=-1(Operation not permitted) a0=0x0 a1=SCHED_FIFO a2=0x7fff9169f7e0 a3=0x3 items=0 ppid=1 pid=26360 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) 
type=AVC msg=audit(06/17/2013 12:29:21.658:25065) : avc:  denied  { sys_nice } for  pid=26360 comm=chronyd capability=sys_nice  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-07-09 07:33:22 EDT
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-59.el7.noarch
selinux-policy-mls-3.12.1-59.el7.noarch
selinux-policy-3.12.1-59.el7.noarch
selinux-policy-doc-3.12.1-59.el7.noarch
selinux-policy-devel-3.12.1-59.el7.noarch
selinux-policy-targeted-3.12.1-59.el7.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
#

Another AVC appeared:
----
time->Tue Jul  9 13:31:30 2013
type=SYSCALL msg=audit(1373369490.539:8968): arch=c000003e syscall=144 success=no exit=-13 a0=0 a1=1 a2=7ffffe13de90 a3=2 items=0 ppid=1 pid=23879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1373369490.539:8968): avc:  denied  { setsched } for  pid=23879 comm="chronyd" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
----
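The two denials on this bug are the records a local policy module would have to cover: the capability sys_nice denial in the description (the syscall record shows exit=-1, EPERM, from the kernel's CAP_SYS_NICE check) and the process setsched denial in comment 1 (exit=-13, EACCES, from the SELinux task_setscheduler hook, which is only reached once the capability check passes, so the second AVC could not show up until the first one was allowed). The script below is an added example, not part of the bug report or of the selinux-policy package: it does what audit2allow does on these lines, turning each AVC record into a Type Enforcement allow rule, with the two records from this bug embedded as constructed sample input so it runs offline. The function names sample_avcs and avc_to_allow are this example's own.

```shell
#!/bin/sh
# Added example: derive Type Enforcement allow rules from AVC "denied" records,
# the way audit2allow does. Not code from the bug report or from selinux-policy.

# Constructed sample input: the two AVC records quoted in this bug.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(06/17/2013 12:29:21.658:25065) : avc:  denied  { sys_nice } for  pid=26360 comm=chronyd capability=sys_nice  scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=capability
type=AVC msg=audit(1373369490.539:8968): avc:  denied  { setsched } for  pid=23879 comm="chronyd" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
EOF
}

# Read AVC records on stdin, print one "allow" rule per distinct denial.
# A context is user:role:type:level (the level may itself contain colons, e.g.
# s0-s0:c0.c1023 under MLS), so the type is always the third colon field.
# When source and target types match, audit2allow writes "self"; so do we.
avc_to_allow() {
    awk '
    function ctx_type(line, key,    s, n, f) {
        s = line
        if (!sub(".*" key, "", s)) return ""   # key not present on this line
        sub(/ .*/, "", s)                      # keep only the context token
        n = split(s, f, ":")
        return (n >= 3) ? f[3] : ""
    }
    /avc: +denied/ {
        perms = $0                              # text between "{" and "}"
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ctx_type($0, "scontext=")
        tgt = ctx_type($0, "tcontext=")
        cls = $0
        sub(/.*tclass=/, "", cls)
        sub(/[^a-z0-9_].*/, "", cls)
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        if (tgt == src) tgt = "self"
        print "allow " src " " tgt ":" cls " { " perms " };"
    }' | sort -u
}

# Stand-alone run: prints the rules for the two denials from this bug.
# On a live RHEL 7 host the equivalent input would come from
#   ausearch -m avc -c chronyd
# and the rules would normally be built and loaded with
#   audit2allow -M chronyd_local < avc.log && semodule -i chronyd_local.pp
sample_avcs | avc_to_allow
```

For the two records on this page the output is `allow chronyd_t self:capability { sys_nice };` and `allow chronyd_t self:process { setsched };`. Generated rules are a starting point, not a verdict: before loading a local module, check with `sesearch` whether the access is already covered by a boolean or a newer policy release, and weigh what the rule grants. Here the grant is acceptable because chronyd is asking for exactly what `sched_priority` in chrony.conf implies, a real-time scheduling class for its own process, and nothing outside its own domain; on RHEL 7.0 the same allow was shipped in selinux-policy itself (comment 2), so a local module was only ever an interim workaround.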
Comment 2 Miroslav Grepl 2013-07-10 04:47:50 EDT
commit aa5d8ce77972d914dcc6bed675a461c0f63f0cd8
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 10 10:47:29 2013 +0200

    Allow setsched for chronyd
Comment 4 Ludek Smid 2014-06-13 05:23:20 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
