ntpd vs selinux
Gene Heskett
gene.heskett at verizon.net
Mon Jul 3 14:52:19 UTC 2006
Paul Howarth wrote:
> Gene Heskett wrote:
>> Paul Howarth wrote:
>>> On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
>>>> Greetings;
>>>>
>>>> It appears that the last selinux update has killed ntpd, as shown
>>>> from my messages log:
>>>>
>>>> Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid
>>>> argument
>>>> Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid
>>>> argument
>>>> Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid
>>>> argument
>>>>
>>>> I have several pages of the above.
>>>>
>>>> So to get a clean restart, I did a restart, and this error was logged.
>>>>
>>>> Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
>>>> Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc:
>>>> denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2"
>>>> dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0
>>>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>>
>>> This avc is about ntpd being refused access to a .fonts.cache-2 file in
>>> someone's home directory. Why it would be trying to access that I don't
>>> know, but it has no business doing so.
>>>
>>>> Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a at 1.1196-r Thu May 11
>>>> 09:19:35 EDT 2006 (1)
>>>> Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard,
>>>> 0.0.0.0#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard,
>>>> ::#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo,
>>>> 127.0.0.1#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0,
>>>> 192.168.1.105#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
>>>> Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140
>>>> PPM from /var/lib/ntp/drift
>>>
>>> It would appear that the avc did not prevent the startup of ntpd in any
>>> case.
>>>
>>>> I assume something in yesterday's selinux update has done this, but
>>>> I've now forgotten the magic phrase to invoke from the cli to cause
>>>> a fix.
>>>>
>>>> Can someone refresh my memory?
>>>
>>> Try switching to permissive mode and restart ntpd:
>>>
>>> # setenforce 0
>>> # service ntpd restart
>>>
>>> If ntpd is still not working, the problem lies elsewhere than SELinux.
>>>
>>> Try re-enabling enforcing mode:
>>>
>>> # setenforce 1
>>>
>>> This may or may not make a difference, depending on whether:
>>> 1. It was an SELinux issue in the first place,
>>> 2. It was a startup issue, or
>>> 3. It was a regular runtime issue.
>>>
>>> Paul.
>>>
>> Whatever it was Paul, it appears that the restart was sufficient to
>> fix it, those messages are no longer being logged. Shortly after that
>> snippet was pasted, I got this:
>> Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
>> Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
>> Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193,
>> stratum 2
>> Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
>> Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied
>> { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so"
>> dev=hda5 ino=11686771
>> scontext=root:system_r:unconfined_t:s0-s0:c0.c255
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> But as I'd fired up firefox to do my nightly tour, it did log the
>> above over the flashplayer lib. What's the fix there?
>
> Do you have libflashplayer.so installed somewhere under your home
> directory? That would cause this issue. /usr/local/lib would be a better
> place.
>
> Wherever it is, try this:
> # chcon -t textrel_shlib_t libflashplayer.so
>
> Paul.
>
Actually, there were several copies installed (including old copies in
old firefox installs), so I did:
chcon -t textrel_shlib_t `locate libflashplayer.so`
which seems to have resolved that issue just fine.
Thanks again.
--
Cheers, Gene
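The two avc lines quoted in this thread follow the same fixed layout (`avc: denied { perm } for pid=... comm="..." name="..." ... scontext=... tcontext=... tclass=...`), and reading the source type, target type and permission out of them is what tells you whether a denial is a policy bug or a misplaced file, as Paul does above. The script below is an added example and not part of the thread or of any Fedora tool: it summarizes every avc denial found in a syslog-style stream as `comm permission source_type target_type tclass name`. The sample log lines are constructed from the messages quoted above, joined back onto single lines the way syslog writes them.

```shell
#!/bin/sh
# Added example: summarize SELinux avc denials from a syslog-style file.
# Not code from the thread; the sample below is constructed from the
# messages quoted above, rejoined onto single lines.

AVC_SAMPLE='Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file'

# Read log lines on stdin; print one line per avc denial:
#   comm permission source_type target_type tclass name
# Only the third (type) field of each context is printed, since that is
# what the policy rule is written against. Several permissions inside the
# braces are joined with commas so the output stays one field per column.
summarize_avc() {
    awk '
    /avc: +denied/ {
        comm = perm = name = stype = ttype = tclass = "?"
        # "denied { read }" -> "read"; skip the 9-char "denied { " prefix
        # and the 2-char " }" suffix of the match.
        if (match($0, /denied [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 9, RLENGTH - 11)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        # The remaining fields are key=value tokens; strip quotes from values.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name") name = val
            else if (key == "tclass") tclass = val
            else if (key == "scontext") { split(val, p, ":"); stype = p[3] }
            else if (key == "tcontext") { split(val, p, ":"); ttype = p[3] }
        }
        print comm, perm, stype, ttype, tclass, name
    }'
}

# Count denials per source type, which quickly separates one confused
# daemon (ntpd_t) from an unconfined desktop process.
count_by_source() {
    summarize_avc | awk '{ n[$3]++ } END { for (t in n) print t, n[t] }' | sort
}

# Usage: feed a real log the same way, e.g.  summarize_avc < /var/log/messages
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | count_by_source
```

For the sample above the summary shows both denials target `user_home_t`, which is the clue in the thread: a system daemon has no reason to read a file under a home directory, and a shared library that needs text relocation belongs under a system path with the `textrel_shlib_t` type rather than in `$HOME`.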