[RHEL7.5+] Cannot redirect "chronyc" output to a file
Issue
- After upgrading to RHEL 7.5, redirecting chronyc output to a file fails silently with an AVC denial: the file is created but remains empty.

      # chronyc -n tracking > /var/lib/test; echo $?
      0
      # ls -la /var/lib/test
      -rw-r--r--. 1 root root 0 May 4 11:00 /var/lib/test
      # ausearch -ts recent -m avc
      ----
      time->Thu May 3 10:03:46 2018
      type=PROCTITLE msg=audit(1525334626.324:225): proctitle=6368726F6E7963002D6E00747261636B696E67
      type=SYSCALL msg=audit(1525334626.324:225): arch=c000003e syscall=59 success=yes exit=0 ... comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1525334626.324:225): avc: denied { write } for pid=25627 comm="chronyc" path="/var/lib/test" dev="dm-0" ino=33631503 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
- After upgrading to RHEL 7.5, redirecting chronyc output to a file in /var/log fails silently without any AVC denial: the file is created but remains empty.

      # chronyc -n tracking > /var/log/test; echo $?
      0
      # ls -la /var/log/test
      -rw-r--r--. 1 root root 0 May 4 11:00 /var/log/test
      # ausearch -ts recent -m avc
      <no matches>
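The audit event from the first case can be unpacked into the fields that matter for triage: the decoded command line, the confined source domain, the target file type and the denied permission. The following is an added example, not part of the original article; the function names are illustrative and the sample input is the ausearch output quoted above.

```python
import re

# Audit records copied from the ausearch output above ("..." is the page's own elision).
SAMPLE = '''\
type=PROCTITLE msg=audit(1525334626.324:225): proctitle=6368726F6E7963002D6E00747261636B696E67
type=SYSCALL msg=audit(1525334626.324:225): arch=c000003e syscall=59 success=yes exit=0 ... comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1525334626.324:225): avc: denied { write } for pid=25627 comm="chronyc" path="/var/lib/test" dev="dm-0" ino=33631503 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def decode_proctitle(raw):
    """Return argv; auditd hex-encodes the value when it holds NUL separators."""
    if raw.startswith('"') or not HEX.fullmatch(raw):   # plain value, not hex
        return [raw.strip('"')]
    return bytes.fromhex(raw).decode('utf-8', 'replace').split('\x00')


def summarize_denials(text):
    """Group records by event serial and return one summary dict per AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = (body, dict(FIELD.findall(body)))
    summaries = []
    for serial, recs in events.items():
        if 'AVC' not in recs:
            continue
        body, f = recs['AVC']
        perms = PERMS.search(body)
        title = recs.get('PROCTITLE', ('', {}))[1].get('proctitle')
        summaries.append({
            'serial': int(serial),
            'argv': decode_proctitle(title) if title else [],
            'perms': perms.group(1).split() if perms else [],
            'source_type': f['scontext'].split(':')[2],   # SELinux type is the 3rd context field
            'target_type': f['tcontext'].split(':')[2],
            'tclass': f['tclass'], 'path': f.get('path', '').strip('"'),
        })
    return summaries


if __name__ == '__main__':
    print(summarize_denials(SAMPLE))
```

For the event above this reports that chronyc, running in the chronyc_t domain, was denied write on a file of type var_lib_t.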
Environment
- Red Hat Enterprise Linux (RHEL) 7.5 and later
- chrony
- selinux-policy-3.13.1-192.el7_5.3.noarch and later