Bug 461446 - hwclock fails to start on selinux strict -9999
Summary: hwclock fails to start on selinux strict -9999
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy
Reported: 2013-03-11 19:53 UTC by Amadeusz Sławiński
Modified: 2013-03-17 19:43 UTC

Description Amadeusz Sławiński 2013-03-11 19:53:05 UTC
Probably caused by enabling CONFIG_GRKERNSEC_IO

# /etc/init.d/hwclock restart
Authenticating root.
Password: 
 * WARNING: you are stopping a boot service
 * Setting hardware clock using the system clock [UTC] ...
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.
 * Failed to sync clocks                                                  [ !! ]
 * ERROR: hwclock failed to stop


Enforcing:

Mar 11 20:49:11 lain kernel: [32006.811496] type=1400 audit(1363031351.069:10978): avc:  denied  { read } for  pid=12058 comm="hwclock" name="rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file



# /etc/init.d/hwclock restart
Authenticating root.
Password: 
 * WARNING: you are stopping a boot service
 * Setting hardware clock using the system clock [UTC] ...                [ ok ]
 * Setting system clock using the hardware clock [UTC] ...                [ ok ]

Permissive:

Mar 11 20:49:26 lain kernel: [32021.888335] type=1400 audit(1363031366.176:10983): avc:  denied  { read } for  pid=12126 comm="hwclock" name="rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:26 lain kernel: [32021.888347] type=1400 audit(1363031366.176:10984): avc:  denied  { open } for  pid=12126 comm="hwclock" path="/dev/rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:26 lain kernel: [32022.210031] type=1400 audit(1363031366.499:10985): avc:  denied  { ioctl } for  pid=12126 comm="hwclock" path="/dev/rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:27 lain kernel: [32022.725502] type=1400 audit(1363031367.008:10986): avc:  denied  { search } for  pid=12143 comm="cgroup-release-" name="/" dev="tmpfs" ino=3302 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:tmpfs_t tclass=dir


Reproducible: Always
Comment 1 Amadeusz Sławiński 2013-03-11 20:00:49 UTC
It starts fine with:

module hwclock 1.0;

require {
	type hwclock_t;
	type device_t;
	class chr_file { read ioctl open };
}

#============= hwclock_t ==============
allow hwclock_t device_t:chr_file ioctl;

allow hwclock_t device_t:chr_file { read open };
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-16 15:33:16 UTC
Can you first run restorecon against the rtc0 device? It should be clock_device_t instead of device_t.
Comment 3 Amadeusz Sławiński 2013-03-16 15:51:26 UTC
Ah, yes, it seems to be incorrectly labeled on boot; when I restorecon it, hwclock starts correctly.
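
A triage sketch for the denials in this report, added here as an example and not part of the original bug thread: it groups AVC lines by source type, target type and class, and marks targets that carry the generic device_t label on a device node, where (as in comment 2) the file label is the first thing to check before any allow rule is written. The function names and the GENERIC_TYPES and DEVICE_CLASSES sets are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC denial lines copied from the permissive-mode log in the bug report.
SAMPLE_LOG = """\
Mar 11 20:49:26 lain kernel: [32021.888335] type=1400 audit(1363031366.176:10983): avc:  denied  { read } for  pid=12126 comm="hwclock" name="rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:26 lain kernel: [32021.888347] type=1400 audit(1363031366.176:10984): avc:  denied  { open } for  pid=12126 comm="hwclock" path="/dev/rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:26 lain kernel: [32022.210031] type=1400 audit(1363031366.499:10985): avc:  denied  { ioctl } for  pid=12126 comm="hwclock" path="/dev/rtc0" dev="devtmpfs" ino=2133 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 20:49:27 lain kernel: [32022.725502] type=1400 audit(1363031367.008:10986): avc:  denied  { search } for  pid=12143 comm="cgroup-release-" name="/" dev="tmpfs" ino=3302 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:tmpfs_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: device_t on a device node means no specific
# label was applied, so the label is checked before policy is changed.
GENERIC_TYPES = {"device_t"}
DEVICE_CLASSES = {"chr_file", "blk_file"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def triage(log):
    """Group denials by (source type, target type, class) and pick a first action."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # The type is the third field of user:role:type[:level].
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(rec.get("path") or rec.get("name"))
    for (_, target, tclass), g in groups.items():
        mislabel = target in GENERIC_TYPES and tclass in DEVICE_CLASSES
        g["action"] = "check-label" if mislabel else "review-policy"
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in triage(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} {sorted(g['objects'])}: {g['action']}")
```

For a check-label result, compare the node's current label (ls -Z) with the one the policy expects and run restorecon on it, as in comment 2.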