
Write policy for starting/stopping/restarting chronyd #193

Closed
ghost opened this issue Aug 2, 2015 · 2 comments

Comments


ghost commented Aug 2, 2015

These are the denials I saw when restarting chronyd.service

```
type=USER_AVC msg=audit(1438548942.643:1949): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl start chronyd.service" scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1438548942.648:1950): avc:  denied  { rlimitinh } for  pid=14287 comm="chronyd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
type=AVC msg=audit(1438548942.648:1950): avc:  denied  { siginh } for  pid=14287 comm="chronyd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
type=AVC msg=audit(1438548942.648:1950): avc:  denied  { noatsecure } for  pid=14287 comm="chronyd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process
type=AVC msg=audit(1438548942.658:1951): avc:  denied  { rlimitinh } for  pid=14290 comm="chrony-helper" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1438548942.658:1951): avc:  denied  { siginh } for  pid=14290 comm="chrony-helper" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1438548942.658:1951): avc:  denied  { noatsecure } for  pid=14290 comm="chrony-helper" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1438408678.026:1507): avc:  denied  { execute } for  pid=13378 comm="dhclient-script" name="setfiles" dev="dm-1" ino=528521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1438408678.051:1508): avc:  denied  { search } for  pid=13381 comm="mountpoint" name="/" dev="tmpfs" ino=6425 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1438408678.051:1508): avc:  denied  { getattr } for  pid=13381 comm="mountpoint" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=6427 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1438408678.121:1509): avc:  denied  { read write } for  pid=13400 comm="arping" path="socket:[15162]" dev="sockfs" ino=15162 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=udp_socket
type=AVC msg=audit(1438408852.507:1511): avc:  denied  { search } for  pid=1809 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1438408852.507:1511): avc:  denied  { write } for  pid=1809 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1438408852.777:1518): avc:  denied  { create } for  pid=1865 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:staff_r:staff_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1438408852.778:1519): avc:  denied  { write } for  pid=1865 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:staff_r:staff_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1438408852.778:1519): avc:  denied  { nlmsg_relay } for  pid=1865 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:staff_r:staff_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1438408852.778:1519): avc:  denied  { audit_write } for  pid=1865 comm="sudo" capability=29  scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:staff_r:staff_t:s0 tclass=capability
type=AVC msg=audit(1438408852.778:1521): avc:  denied  { read } for  pid=1865 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:staff_r:staff_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1438408861.281:1523): avc:  denied  { search } for  pid=13411 comm="crond" name="faillock" dev="tmpfs" ino=14063 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=AVC msg=audit(1438408861.292:1527): avc:  denied  { use } for  pid=13411 comm="crond" path="/run/systemd/sessions/9.ref" dev="tmpfs" ino=66091 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd
type=AVC msg=audit(1438408861.292:1527): avc:  denied  { write } for  pid=13411 comm="crond" path="/run/systemd/sessions/9.ref" dev="tmpfs" ino=66091 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1438409560.901:1532): avc:  denied  { execute } for  pid=13497 comm="dhclient-script" name="setfiles" dev="dm-1" ino=528521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=USER_AVC msg=audit(1438409588.999:1533): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl restart chronyd.service" scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1438409589.350:1534): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl restart chronyd.service" scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```
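As an added example (not code from this issue or from the policy project), a small Python triage script that parses AVC and USER_AVC records like the ones above, merges the denied permissions per source type, target type and object class, and prints refpolicy-style rules, keeping the process-inheritance denials (rlimitinh, siginh, noatsecure) apart as dontaudit candidates since init_t transitions normally silence rather than grant them. The sample records are constructed, abridged copies of lines from this issue; filtering on toor_t isolates the service permissions the issue title asks for.

```python
import re
from collections import defaultdict

# Matches a plain AVC record and the avc text embedded in a USER_AVC msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Process-inheritance perms init_t lacks on a daemon transition are normally
# silenced with dontaudit rather than granted, so they are reported separately.
INHERIT_PERMS = {"rlimitinh", "siginh", "noatsecure"}

def parse_avc(line):
    """Return (source type, target type, tclass, perms) for one line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scon").split(":")[2]  # a context is user:role:type[:range]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarize(lines, source_types=None):
    """Merge denials per (source, target, class) into refpolicy-style rules;
    with source_types given, denials from other domains are ignored."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if source_types and stype not in source_types:
            continue
        grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        kind = "dontaudit" if perms <= INHERIT_PERMS else "allow"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

# Constructed sample: abridged copies of denials quoted in this issue.
SAMPLE = [
    "type=USER_AVC msg=audit(1438548942.643:1949): pid=1 uid=0 msg='avc:  denied  { start } for auid=1000 "
    "scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service  exe=\"/usr/lib/systemd/systemd\"'",
    "type=USER_AVC msg=audit(1438409589.350:1534): pid=1 uid=0 msg='avc:  denied  { status } for auid=1000 "
    "scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:ntpd_unit_file_t:s0 tclass=service  exe=\"/usr/lib/systemd/systemd\"'",
    "type=AVC msg=audit(1438548942.648:1950): avc:  denied  { rlimitinh } for  pid=14287 comm=\"chronyd\" "
    "scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=process",
    "type=AVC msg=audit(1438408852.507:1511): avc:  denied  { search } for  pid=1809 comm=\"sshd\" "
    "scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key",
]
```

Running `summarize(SAMPLE, {"toor_t"})` yields only the service rule, while `summarize(SAMPLE)` also reports the unrelated sshd denial and the init_t inheritance line as a dontaudit candidate.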
@ghost ghost self-assigned this Aug 2, 2015
@ghost ghost added this to the RHEL_7-Beta milestone Aug 2, 2015
@ghost ghost changed the title Write policy for starting/stopping/restarting cronyd Write policy for starting/stopping/restarting chronyd Aug 2, 2015
Contributor

mpalmi commented Aug 7, 2015

Fixed as of mpalmi@64322f0

Author

ghost commented Aug 9, 2015

Verified that this was resolved with #134. Leaving this open until #134 is merged.

@ghost ghost closed this as completed Sep 2, 2015