chronyc cannot write to pipe when executed by ksh
Environment
- Red Hat Enterprise Linux (RHEL) 7.5
- selinux-policy-3.13.1-192.el7
Issue
The following command does not behave as expected:
# ksh -c "chronyc -n sources |grep '10.0'"
The output is empty even though the output of chronyc contains 10.0.x.x addresses. Other shells such as bash, sh or csh return the correct output:
# bash -c "chronyc -n sources |grep '10.0'"
^+ 10.0.0.1 2 10 377 552 -225us[ -225us] +/- 39ms
...
If SELinux is disabled, the command works correctly from ksh as well.
Resolution
As a workaround, put the chronyc type into a permissive domain:
# semanage permissive -a chronyc_t
Note that this turns off SELinux enforcement for everything chronyc does in the chronyc_t domain, not only the denied socket access. Once a fixed selinux-policy package is installed, remove the workaround again with semanage permissive -d chronyc_t.
The issue is tracked in public Bug 1618757.
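A narrower alternative to the permissive-domain workaround, added here as an example and not part of the Red Hat solution: a local policy module that grants only the access named in the AVC denial (chronyc_t reading and writing a unix_stream_socket owned by unconfined_t). The module name chronyc_ksh_pipe and the helper functions are this example's own; the build uses the standard checkmodule, semodule_package and semodule tools and needs root.

```shell
#!/bin/sh
# Added example (not from the article): grant chronyc_t exactly the access the
# AVC denial asks for, instead of making the whole domain permissive.
# The module name chronyc_ksh_pipe is an assumption of this example.

# Emit the policy module source (.te). The allow rule mirrors the AVC fields:
# scontext chronyc_t, tcontext unconfined_t, tclass unix_stream_socket,
# permissions { read write }.
chronyc_pipe_te() {
    cat <<'EOF'
module chronyc_ksh_pipe 1.0;

require {
    type chronyc_t;
    type unconfined_t;
    class unix_stream_socket { read write };
}

allow chronyc_t unconfined_t:unix_stream_socket { read write };
EOF
}

# Compile and load the module (needs root, checkpolicy and policycoreutils).
install_chronyc_pipe_module() {
    dir=$(mktemp -d) || return 1
    chronyc_pipe_te > "$dir/chronyc_ksh_pipe.te"
    checkmodule -M -m -o "$dir/chronyc_ksh_pipe.mod" "$dir/chronyc_ksh_pipe.te" &&
        semodule_package -o "$dir/chronyc_ksh_pipe.pp" -m "$dir/chronyc_ksh_pipe.mod" &&
        semodule -i "$dir/chronyc_ksh_pipe.pp"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Report which of the two workarounds is active on this host.
workaround_status() {
    semanage permissive -l 2>/dev/null | grep -q 'chronyc_t' &&
        echo "chronyc_t is a permissive domain"
    semodule -l 2>/dev/null | grep -q '^chronyc_ksh_pipe' &&
        echo "local module chronyc_ksh_pipe is loaded"
    return 0
}

# Undo both workarounds once a fixed selinux-policy is installed.
remove_workarounds() {
    semanage permissive -d chronyc_t 2>/dev/null
    semodule -r chronyc_ksh_pipe 2>/dev/null
    return 0
}

# Print the module source so it can be reviewed before loading it.
chronyc_pipe_te
```

audit2allow -M chronyc_ksh_pipe fed with the AVC line from the Root Cause section produces an equivalent rule; writing the .te by hand just makes it obvious that nothing beyond the one socket permission is being granted. The tcontext is unconfined_t because the pipeline was started from an unconfined shell; a caller in a different domain would produce a different tcontext and need a matching rule.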
Root Cause
An AVC denial is hit when chronyc attempts to write its output to the pipe. ksh builds its pipelines with socketpair(2) rather than pipe(2), so chronyc's standard output is a UNIX stream socket created by the calling unconfined_t shell (note path="socket:[...]", dev="sockfs" and tclass=unix_stream_socket in the record below), and the chronyc_t policy does not allow reading or writing such a socket. The ordinary pipe that bash, sh or csh create is permitted, which is why only ksh is affected:
type=AVC msg=audit(1534512530.981:335): avc: denied { read write } for pid=27450 comm="chronyc" path="socket:[48153]" dev="sockfs" ino=48153 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Diagnostic Steps
- Turn off dontaudit rules:
# semanage dontaudit off
- Watch audit.log:
# tail -f /var/log/audit/audit.log
- In another terminal, run the command:
# ksh -c "chronyc -n sources |grep 1"
- Afterwards, re-enable the dontaudit rules:
# semanage dontaudit on
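The following script, added here as an example and not part of the Red Hat solution, shows the two checks behind these steps: first, what kind of descriptor a given shell hands to the left-hand side of a pipeline (a pipe for bash or sh, a socket for ksh), which is the whole reason the chronyc_t policy treats the two differently; second, a matcher that recognises this specific AVC record in audit output. It assumes a POSIX-compatible shell under test, that /dev/fd or /proc/self/fd exposes the process's descriptors (Linux), and that ksh may not be installed; the sample AVC line is the one quoted in this article, and the diagnose_chronyc_pipe function needs root, chronyc, ksh and the audit tools.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the pipe-vs-socket
# difference between shells and match the resulting AVC denial.

# Print what the first element of a pipeline writes to when SHELL builds the
# pipeline: "pipe" for pipe(2), "socket" for socketpair(2) (ksh), "other"
# otherwise, "missing" if the shell is not installed (with exit status 1).
pipe_fd_kind() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 1; }
    # [ -p ] / [ -S ] stat the target of the fd symlink, i.e. the write end
    # the shell gave to the left-hand command.
    "$shell" -c 'for f in /dev/fd/1 /proc/self/fd/1; do
                     if [ -p "$f" ]; then echo pipe; exit 0
                     elif [ -S "$f" ]; then echo socket; exit 0
                     fi
                 done; echo other | cat' 2>/dev/null
}

# Constructed for this example: the AVC record quoted in the article (a real
# audit.log prints two spaces after "avc:", which the matcher tolerates).
SAMPLE_AVC='type=AVC msg=audit(1534512530.981:335): avc: denied { read write } for pid=27450 comm="chronyc" path="socket:[48153]" dev="sockfs" ino=48153 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket'

# Return 0 if one audit line is the chronyc_t -> unconfined_t
# unix_stream_socket { read write } denial this article describes.
avc_is_ksh_pipe_denial() {
    case $1 in
        *'avc:'*'denied'*'{ read write }'*'comm="chronyc"'*'scontext='*':chronyc_t:'*'tcontext='*':unconfined_t:'*'tclass=unix_stream_socket'*)
            return 0 ;;
    esac
    return 1
}

# Count matching denials on standard input (audit.log or ausearch output).
count_ksh_pipe_denials() {
    n=0
    while IFS= read -r line; do
        avc_is_ksh_pipe_denial "$line" && n=$((n + 1))
    done
    echo "$n"
}

# The article's procedure end to end: expose dontaudit'ed denials, run the
# failing pipeline, count the matching records, restore dontaudit rules.
diagnose_chronyc_pipe() {
    semanage dontaudit off || return 1
    ksh -c "chronyc -n sources | grep '10.0'" >/dev/null 2>&1
    hits=$(ausearch -m avc -c chronyc -ts recent 2>/dev/null | count_ksh_pipe_denials)
    semanage dontaudit on
    echo "matching chronyc_t unix_stream_socket denials: $hits"
    [ "$hits" -gt 0 ]
}

# Stand-alone run: show the descriptor type each installed shell uses.
for s in sh bash ksh; do
    echo "$s: $(pipe_fd_kind "$s")"
done
```

On an affected RHEL 7 host the loop prints pipe for sh and bash and socket for ksh; with SELinux enforcing and the shipped policy, only the socket case trips the denial that avc_is_ksh_pipe_denial matches.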
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.