Use temporary pid file for chronyd -q task

chrony is causing an SELinux denial because of chronyd
was not spawned using systemd and the command creates
a pidfile for unconfined proccess in /var/run with SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on chronyd pidfile.
chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Tibor Dudlák 2018-05-02 12:58:44 +02:00 committed by Rob Crittenden
parent e16e5cd0a6
commit 5929d5d872

View File

@ -665,7 +665,8 @@ def sync_time(host, server):
host.run_command(['systemctl', 'stop', 'chronyd'])
host.run_command(['chronyd', '-q',
"server {srv} iburst".format(srv=server.hostname)])
"server {srv} iburst".format(srv=server.hostname),
'pidfile /tmp/chronyd.pid', 'bindcmdaddress /'])
def connect_replica(master, replica, domain_level=None):