ntpd vs selinux

Mon Jul 3 14:52:19 UTC 2006

Paul Howarth wrote:
> Gene Heskett wrote:
>> Paul Howarth wrote:
>>> On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
>>>> Greetings;
>>>>
>>>> It appears that the last selinux update has killed ntpd, as shown 
>>>> from my messages log:
>>>>
>>>> Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid 
>>>> argument
>>>> Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid 
>>>> argument
>>>> Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid 
>>>> argument
>>>>
>>>> I have several pages of the above.
>>>>
>>>> So to get a clean restart, I did a restart, and this error was logged.
>>>>
>>>> Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
>>>> Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc:  
>>>> denied  { read } for  pid=23841 comm="ntpd" name=".fonts.cache-2" 
>>>> dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 
>>>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>>
>>> This avc is about ntpd being refused access to a .fonts.cache-2 file in
>>> someone's home directory. Why it would be trying to access that I don't
>>> know, but it has no business doing so.
>>>
>>>> Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a at 1.1196-r Thu May 11 
>>>> 09:19:35 EDT 2006 (1)
>>>> Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 
>>>> 0.0.0.0#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 
>>>> ::#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 
>>>> 127.0.0.1#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 
>>>> 192.168.1.105#123
>>>> Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
>>>> Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 
>>>> PPM from /var/lib/ntp/drift
>>>
>>> It would appears that the avc did not prevent the startup of ntpd in any
>>> case.
>>>
>>>> I assume something in yesterdays selinux update has done this, but 
>>>> I've now forgotten the magic phrase to invoke from the cli to cause 
>>>> a fix.
>>>>
>>>> Can someone refresh my memory?
>>>
>>> Try switching to permissive mode and restart ntpd:
>>>
>>> # setenforce 0
>>> # service ntpd restart
>>>
>>> If ntpd is still not working, the problem lies elsewhere than SELinux.
>>>
>>> Try re-enabling enforcing mode:
>>>
>>> # setenforce 1
>>>
>>> This may or may not make a difference, depending on whether:
>>> 1. It was an SELinux issue in the first place,
>>> 2. It was a startup issue, or
>>> 3. It was a regular runtime issue.
>>>
>>> Paul.
>>>
>> Whatever it was Paul, it appears that the restart was sufficient to 
>> fix it, those messages are no longer being logged. Shortly after that 
>> snippet was pasted, I got this:
>> Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
>> Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
>> Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193, 
>> stratum 2
>> Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
>> Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc:  denied  
>> { execmod } for  pid=23946 comm="firefox-bin" name="libflashplayer.so" 
>> dev=hda5 ino=11686771 
>> scontext=root:system_r:unconfined_t:s0-s0:c0.c255 
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> But as I'd  fired up firefox to do my nightly tour, it did log the 
>> above  over the flashplayer lib.  Whats the fix there?
> 
> Do you have libflashplayer.so installed somewhere under your home 
> directory? That would cause this issue. /usr/local/lib would be a better 
> place.
> 
> Wherever it is, try this:
> # chcon -t textrel_shlib_t libflashplayer.so
> 
> Paul.
> 
Actually, there were several copies installed (including old copies in 
old firefox installs), so I did:
chcon -t textrel_shlib_t `locate libflashplayer.so`
which seems to have resolved that issue just fine.

Thanks again.

-- 
Cheers, Gene