[RHEL7.5] Cannot redirect chronyc output to a file

Solution Verified - Updated -

Issue

  • After upgrading to RHEL 7.5, redirecting chronyc output to a file fails silently: an AVC denial is logged, and the file is created but remains empty.

    # chronyc -n tracking > /var/lib/test; echo $?
    0
    # ls -la /var/lib/test 
    -rw-r--r--. 1 root root 0 May  4 11:00 /var/lib/test
    
    # ausearch -ts recent -m avc
    ----
    time->Thu May  3 10:03:46 2018
    type=PROCTITLE msg=audit(1525334626.324:225): proctitle=6368726F6E7963002D6E00747261636B696E67
    type=SYSCALL msg=audit(1525334626.324:225): arch=c000003e syscall=59 success=yes exit=0 ... comm="chronyc" exe="/usr/bin/chronyc" subj=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1525334626.324:225): avc:  denied  { write } for  pid=25627 comm="chronyc" path="/var/lib/test" dev="dm-0" ino=33631503 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
    
  • After upgrading to RHEL 7.5, redirecting chronyc output to a file in /var/log fails silently with no AVC denial logged; the file is created but remains empty.

    # chronyc -n tracking > /var/log/test; echo $?
    0
    # ls -la /var/log/test 
    -rw-r--r--. 1 root root 0 May  4 11:00 /var/log/test
    
    # ausearch -ts recent -m avc
    <no matches>
    

Environment

  • Red Hat Enterprise Linux (RHEL) 7.5 and later
  • chrony
  • selinux-policy-3.13.1-192.el7_5.3.noarch and later
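
The audit records from the first case can be read mechanically. The following Python script is an added example, not part of the Red Hat article: it decodes the hex-encoded proctitle and pulls the source domain, target type and denied permission out of the AVC record. The function names `decode_proctitle` and `summarize` are hypothetical, and the sample input is the pair of records shown above.

```python
import re

# Records copied from the first case on this page (the SYSCALL record is left out).
SAMPLE = (
    'type=PROCTITLE msg=audit(1525334626.324:225): '
    'proctitle=6368726F6E7963002D6E00747261636B696E67\n'
    'type=AVC msg=audit(1525334626.324:225): avc:  denied  { write } for  '
    'pid=25627 comm="chronyc" path="/var/lib/test" dev="dm-0" ino=33631503 '
    'scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file\n'
)

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(value):
    """Return argv from a proctitle value (hex with NUL separators, or quoted)."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")


def summarize(text):
    """Join AVC records to the PROCTITLE record with the same event serial."""
    titles, events = {}, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        avc = AVC.match(body)
        if rtype == "PROCTITLE":
            titles[serial] = decode_proctitle(body.split("=", 1)[1])
        elif rtype == "AVC" and avc:
            f = {k: v.strip('"') for k, v in FIELD.findall(avc.group(3))}
            # The type is the third field of user:role:type:level (level may contain ':').
            src, tgt = (f[k].split(":", 3)[2] for k in ("scontext", "tcontext"))
            events.append({"serial": serial, "result": avc.group(1),
                           "perms": avc.group(2).split(), "path": f.get("path"),
                           "source": src, "target": tgt, "tclass": f["tclass"]})
    return [dict(e, argv=titles.get(e["serial"])) for e in events]


if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```

The decoded argv carries no redirection target because the shell opens /var/lib/test itself before executing chronyc, so the denied write is against a file the chronyc_t process received already open.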
