[RHEL7.5] Cannot redirect chronyc output to a file

Solution Verified - Updated -

Issue

  • After upgrading to RHEL7.5, redirecting chronyc output to a file fails silently with a AVC denied, creates the file but file remains empty

    # chronyc -n tracking > /var/lib/test; echo $?
0
# ls -la /var/lib/test 
-rw-r--r--. 1 root root 0 May  4 11:00 /var/lib/test

# ausearch -ts recent -m avc
----
time->Thu May  3 10:03:46 2018
type=PROCTITLE msg=audit(1525334626.324:225): proctitle=6368726F6E7963002D6E00747261636B696E67
type=SYSCALL msg=audit(1525334626.324:225): arch=c000003e syscall=59 success=yes exit=0 ... comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1525334626.324:225): avc:  denied  { write } for  pid=25627 comm="chronyc" path="/var/lib/test" dev="dm-0" ino=33631503 
scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

  • After upgrading to RHEL7.5, redirecting chronyc output to a file in /var/log fails silently without any AVC denied, creates the file but file remains empty

    # chronyc -n tracking > /var/log/test; echo $?
0
# ls -la /var/log/test 
-rw-r--r--. 1 root root 0 May  4 11:00 /var/log/test

# ausearch -ts recent -m avc
<no matches>

Environment

  • Red Hat Enterprise Linux (RHEL) 7.5
  • chrony
  • selinux-policy-3.13.1-192.el7_5.3.noarch

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.