ntpd drift.TEMP file

Lars Gullik Bjønnes larsbj at gullik.net
Sun Mar 6 21:45:27 UTC 2005


"Chuck R. Anderson" <cra at WPI.EDU> writes:

| On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
>> I have the drift file in /var/lib/ntp/drift, but I get selinux errors
>> for drift.TEMP:
>> 
>> Mar  6 18:51:26 slabber ntpd[26387]: can't open
>> /var/lib/ntp/drift.TEMP: Permission denied
>> Mar  6 18:51:26 slabber kernel: audit(1110131486.894:0): avc:  denied
>> { dac_override } for  pid=26387 exe=/usr/sbin/ntpd capability=1
>> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
>> tclass=capability
>> 
>> This is an updated FC3 system.
>
| What are the DAC unix permissions bits and owner/group on the file?

Of the directory you mean? It is creating the file in the first place
that fails.

 ls -la /var/lib/ntp/
total 24
drwxr-xr-x   2 ntp  ntp  4096 Mar  6 22:20 .
drwxr-xr-x  14 root root 4096 Feb 22 17:38 ..
-rw-r--r--   1 ntp  ntp     7 Mar  6 22:20 drift

| I am no expert in SELinux, but that AVC sounds to me like the standard
| unix permissions are disallowing access to the file.

From /etc/selinux/targeted/contexts/file_contexts it seems this should
be allowed. But I am not familiar with the format:

grep -nr drift *
files/file_contexts.pre:676:/var/lib/ntp(/.*)?      system_u:object_r:ntp_drift_t
files/file_contexts.pre:677:/etc/ntp/data(/.*)?     system_u:object_r:ntp_drift_t
files/file_contexts:676:/var/lib/ntp(/.*)?          system_u:object_r:ntp_drift_t
files/file_contexts:677:/etc/ntp/data(/.*)?         system_u:object_r:ntp_drift_t

-- 
	Lgb
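Added example, not part of the thread: a small Python triage helper that parses the kernel AVC line quoted above and the file_contexts entries from the grep output (both embedded as constructed samples), reports which permission was denied and on which object class (here tclass=capability, not a file class), and resolves the label that /var/lib/ntp/drift.TEMP should receive using libselinux's last-matching-entry rule. It assumes the two- or three-field file_contexts format (regex, optional -type flag, context) and ignores the type flag.

```python
import re

# Constructed samples copied from the thread above: the kernel AVC line and the
# two file_contexts entries that grep printed (tabs replaced by spaces).
AVC_LINE = ("Mar  6 18:51:26 slabber kernel: audit(1110131486.894:0): avc:  denied"
            "  { dac_override } for  pid=26387 exe=/usr/sbin/ntpd capability=1"
            " scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability")
FILE_CONTEXTS = """\
/var/lib/ntp(/.*)?      system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)?     system_u:object_r:ntp_drift_t
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
                    r"\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split an AVC message into verdict, permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    avc.update(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return avc

def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines ('#' starts a comment).
    The optional file-type flag (-d, -f, ...) is ignored by this helper."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) in (2, 3):
            # libselinux anchors each pattern as ^regex$ (POSIX ERE; Python re is
            # close enough for the simple patterns used here).
            specs.append((re.compile("^" + parts[0] + "$"), parts[-1]))
    return specs

def expected_context(specs, path):
    """Label a path should carry: the last matching entry wins, as in libselinux."""
    label = None
    for rx, ctx in specs:
        if rx.match(path):
            label = ctx
    return label

def triage(line, fc_text, path):
    """Responder summary: what was denied, on which class, and the path's expected label."""
    avc = parse_avc(line)
    label = expected_context(parse_file_contexts(fc_text), path)
    return {"source": avc["scontext"], "class": avc["tclass"], "denied": avc["perms"],
            "exe": avc.get("exe"), "path": path, "expected_label": label}
```

Calling triage(AVC_LINE, FILE_CONTEXTS, "/var/lib/ntp/drift.TEMP") shows the denial is a capability check (dac_override) in ntpd_t while the path itself would be labelled ntp_drift_t, which separates a labelling problem from a DAC-versus-capability one when reading such a log.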
