changing files with selinux and policy targeted enabled

Daniel J Walsh dwalsh at redhat.com
Thu Dec 2 22:06:10 UTC 2004


Aleksandar Milivojevic wrote:

> I'm not sure if this is bug in SELinux, or if I'm simply doing 
> something wrong (I don't have much experience with SELinux).
>
> I installed a very basic Fedora Core 3 system using a ks.cfg file.  From 
> the %post portion of ks.cfg, I replaced a couple of configuration files at 
> the end of the install process (basically, they all got new inode 
> numbers).  One of them is ntp.conf.
>
> Now, every time I want to start ntpd, I'm getting errors from SELinux 
> and ntpd is denied access to ntp.conf file.
>
> If I delete ntp.conf file and create new one while the system is 
> running, everything seems to be working.  Ntpd can read this "new" 
> ntp.conf.
>
> It looks as if SELinux remembers the inode of the file across the 
> reboots, and uses inode (not file name) to grant or deny access to 
> files.  So if inode changes while SELinux is not running (for example 
> during installation, or when booted in rescue mode from CD I guess), 
> it will remember what was the old inode number and block application's 
> access to the file based on that (and if some other file is assigned 
> (now free) inode number of the old ntp.conf file, SELinux will allow 
> application to access it, although it shouldn't).
>
> Is the above paragraph correct?  Is that the way SELinux works?
>
> A couple of questions.  How do I instruct the SELinux portion of Linux that 
> some inodes have changed outside of its control, so it should update 
> its internal databases?  Am I to expect this every time I boot from CD 
> in rescue mode and change something?
>
The problem is the file context of the ntp.conf file.  If you add 
restorecon /etc/ntp.conf you should fix the problem.

Dan
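As an added illustration of Dan's fix (this is not code from the thread), the script below compares a file's stored SELinux label with what the loaded policy expects and relabels it with restorecon when they differ; it goes a step beyond the reply by showing the verification step and a %post variant. It assumes the libselinux utilities (matchpathcon, restorecon) and GNU stat are installed; the contexts in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Verify and repair the SELinux
# label of a file that was replaced outside of SELinux's control (for
# example ntp.conf overwritten from a kickstart %post section).

# Extract the type field (third colon-separated field) from a full context
# such as system_u:object_r:etc_t:s0. Fedora Core 3 contexts have no
# trailing level field, which does not affect the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when two contexts agree on their type field, 1 otherwise.
labels_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# The label lives in the security.selinux extended attribute of the inode,
# not in a database keyed by name: a file created by a non-SELinux installer
# or rescue kernel simply carries no (or the wrong) label. Compare the stored
# label with the policy's expected context and fix it with restorecon.
check_and_fix() {
    f="$1"
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "SELinux userland tools not installed; nothing to check" >&2
        return 0
    fi
    actual=$(stat -c %C "$f")          # stored context, e.g. root:object_r:tmp_t
    expected=$(matchpathcon -n "$f")   # context the policy assigns to this path
    if labels_match "$actual" "$expected"; then
        echo "$f: $actual (ok)"
    else
        echo "$f: has $actual, policy expects $expected; relabeling"
        restorecon -v "$f"
    fi
}

# Kickstart alternative: in %post, relabel everything the script replaced
#   restorecon -Rv /etc
# or request a full relabel on the next boot with
#   touch /.autorelabel

if [ -n "${1:-}" ]; then
    check_and_fix "$1"
fi
```

Run it as `sh check_label.sh /etc/ntp.conf` on the affected system; without an argument it only defines the functions.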
