F7 : ntpd and selinux
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 11 18:02:21 UTC 2007
Skunk Worx wrote:
> Daniel J Walsh wrote:
>> Skunk Worx wrote:
>>> Daniel J Walsh wrote:
>>>> Skunk Worx wrote:
>>>>> I can see similar comments in bugzilla, so I think this is already
>>>>> being worked.
>>>>> ---
>>>>> John
>>>>>
>>>>> > avc: denied { sys_time } for comm="ntpdate" egid=38 euid=38
>>>>>
>>>> Please attach the log file to show what is causing these messages.
>>>> I can't generate rules from just this info.
>>>>
>>> SELinux is preventing /usr/sbin/ntpdate (dhcpc_t) "sys_time" to
>>> <Unknown> (dhcpc_t).
>>>
>>> If this is not useful could you provide a command line and sample
>>> expected output?
>>>
>>> ---
>>> John
>>>
>> grep ntp /var/log/audit/audit.log
>>
>
> Thanks.
>
> type=AVC msg=audit(1181102914.825:33): avc: denied { getattr } for
> pid=3514 comm="ntpd" name="ntpd" dev=dm-0 ino=16581960
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=SYSCALL msg=audit(1181102914.825:33): arch=40000003 syscall=195
> success=yes exit=0 a0=9d87298 a1=bfee9f78 a2=978ff4 a3=9d87298 items=0
> ppid=3507 pid=3514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpd" exe="/bin/bash"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC_PATH msg=audit(1181102914.825:33): path="/var/lock/subsys/ntpd"
> type=AVC msg=audit(1181102914.825:34): avc: denied { getattr } for
> pid=3514 comm="ntpd" name="ntpd.pid" dev=dm-0 ino=16581959
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1181102914.825:34): arch=40000003 syscall=195
> success=yes exit=0 a0=9da3ce8 a1=bfee7b48 a2=978ff4 a3=9da3ce8 items=0
> ppid=3507 pid=3514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpd" exe="/bin/bash"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC_PATH msg=audit(1181102914.825:34): path="/var/run/ntpd.pid"
> type=AVC msg=audit(1181102914.825:35): avc: denied { read } for
> pid=3514 comm="ntpd" name="ntpd.pid" dev=dm-0 ino=16581959
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1181102914.825:35): arch=40000003 syscall=5
> success=yes exit=3 a0=9da3d00 a1=8000 a2=0 a3=8000 items=0 ppid=3507
> pid=3514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ntpd" exe="/bin/bash"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:36): avc: denied { ioctl } for
> pid=3514 comm="ntpd" name="ntpd.pid" dev=dm-0 ino=16581959
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1181102914.825:36): arch=40000003 syscall=54
> success=no exit=-25 a0=0 a1=5401 a2=bfee7258 a3=bfee7298 items=0
> ppid=3507 pid=3514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpd" exe="/bin/bash"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC_PATH msg=audit(1181102914.825:36): path="/var/run/ntpd.pid"
> type=AVC msg=audit(1181102914.825:37): avc: denied { kill } for
> pid=3514 comm="ntpd" capability=5
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=AVC msg=audit(1181102914.825:37): avc: denied { signal } for
> pid=3514 comm="ntpd" scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:ntpd_t:s0 tclass=process
> type=SYSCALL msg=audit(1181102914.825:37): arch=40000003 syscall=37
> success=yes exit=0 a0=830 a1=f a2=830 a3=830 items=0 ppid=3507
> pid=3514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ntpd" exe="/bin/bash"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:38): avc: denied { unlink } for
> pid=3520 comm="rm" name="ntpd.pid" dev=dm-0 ino=16581959
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
> type=AVC msg=audit(1181102914.825:39): avc: denied { remove_name }
> for pid=3521 comm="rm" name="ntpd" dev=dm-0 ino=16581960
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1181102914.825:39): avc: denied { unlink } for
> pid=3521 comm="rm" name="ntpd" dev=dm-0 ino=16581960
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1181102914.825:40): avc: denied { execute } for
> pid=3528 comm="ntpd" name="ntpdate" dev=dm-0 ino=2733415
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
> type=AVC msg=audit(1181102914.825:40): avc: denied {
> execute_no_trans } for pid=3528 comm="ntpd" name="ntpdate" dev=dm-0
> ino=2733415 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
> type=AVC msg=audit(1181102914.825:40): avc: denied { read } for
> pid=3528 comm="ntpd" name="ntpdate" dev=dm-0 ino=2733415
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1181102914.825:40): arch=40000003 syscall=11
> success=yes exit=0 a0=9da1ac0 a1=9d82f60 a2=9d8fdd0 a3=0 items=0
> ppid=3514 pid=3528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC_PATH msg=audit(1181102914.825:40): path="/usr/sbin/ntpdate"
> type=AVC_PATH msg=audit(1181102914.825:40): path="/usr/sbin/ntpdate"
> type=AVC msg=audit(1181102914.825:41): avc: denied { name_bind } for
> pid=3528 comm="ntpdate" src=123 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
> type=SYSCALL msg=audit(1181102914.825:41): arch=40000003 syscall=102
> success=yes exit=0 a0=2 a1=bfee8400 a2=8000f698 a3=0 items=0 ppid=3514
> pid=3528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:42): avc: denied { sys_nice } for
> pid=3528 comm="ntpdate" capability=23
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=AVC msg=audit(1181102914.825:42): avc: denied { setsched } for
> pid=3528 comm="ntpdate" scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=process
> type=SYSCALL msg=audit(1181102914.825:42): arch=40000003 syscall=97
> success=yes exit=0 a0=0 a1=0 a2=fffffff4 a3=2 items=0 ppid=3514
> pid=3528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:43): avc: denied { setgid } for
> pid=3528 comm="ntpdate" capability=6
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181102914.825:43): arch=40000003 syscall=206
> success=yes exit=0 a0=0 a1=0 a2=325ff4 a3=2 items=0 ppid=3514 pid=3528
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:44): avc: denied { setuid } for
> pid=3528 comm="ntpdate" capability=7
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181102914.825:44): arch=40000003 syscall=208
> success=yes exit=0 a0=ffffffff a1=26 a2=ffffffff a3=2 items=0
> ppid=3514 pid=3528 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38
> egid=38 sgid=0 fsgid=38 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:45): avc: denied { setcap } for
> pid=3528 comm="ntpdate" scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=process
> type=SYSCALL msg=audit(1181102914.825:45): arch=40000003 syscall=185
> success=yes exit=0 a0=801fd0fc a1=801fd104 a2=cd70f0 a3=801fd0fc
> items=0 ppid=3514 pid=3528 auid=4294967295 uid=0 gid=0 euid=38 suid=0
> fsuid=38 egid=38 sgid=0 fsgid=38 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:46): avc: denied { sys_time } for
> pid=3528 comm="ntpdate" capability=25
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181102914.825:46): arch=40000003 syscall=124
> success=yes exit=0 a0=bfee7e4c a1=0 a2=325ff4 a3=0 items=0 ppid=3514
> pid=3528 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38
> egid=38 sgid=38 fsgid=38 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181102914.825:47): avc: denied { add_name } for
> pid=3532 comm="touch" name="ntpd"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1181102914.825:47): avc: denied { create } for
> pid=3532 comm="touch" name="ntpd"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1181102914.825:48): avc: denied { write } for
> pid=3532 comm="touch" name="ntpd" dev=dm-0 ino=16581960
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1181112994.480:61): avc: denied { sys_nice } for
> pid=4141 comm="ntpdate" capability=23
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181112994.480:61): arch=40000003 syscall=97
> success=yes exit=0 a0=0 a1=0 a2=fffffff4 a3=2 items=0 ppid=4127
> pid=4141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181112994.480:62): avc: denied { setgid } for
> pid=4141 comm="ntpdate" capability=6
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181112994.480:62): arch=40000003 syscall=206
> success=yes exit=0 a0=0 a1=0 a2=25fff4 a3=2 items=0 ppid=4127 pid=4141
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181112994.480:63): avc: denied { setuid } for
> pid=4141 comm="ntpdate" capability=7
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181112994.480:63): arch=40000003 syscall=208
> success=yes exit=0 a0=ffffffff a1=26 a2=ffffffff a3=2 items=0
> ppid=4127 pid=4141 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38
> egid=38 sgid=0 fsgid=38 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
> type=AVC msg=audit(1181112994.480:64): avc: denied { sys_time } for
> pid=4141 comm="ntpdate" capability=25
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181112994.480:64): arch=40000003 syscall=124
> success=yes exit=0 a0=bf9ab91c a1=0 a2=25fff4 a3=0 items=0 ppid=4127
> pid=4141 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38
> egid=38 sgid=38 fsgid=38 tty=(none) comm="ntpdate"
> exe="/usr/sbin/ntpdate" subj=system_u:system_r:dhcpc_t:s0 key=(null)
>
Added rules to allow this in selinux-policy-2.6.4-14
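The thread turns on reading the full AVC records rather than the one-line summary, so here is an added example (not code from the thread or from the SELinux tools) that does the triage an engineer does before writing rules: it parses `type=AVC` records from an audit.log excerpt, groups them into audit2allow-style allow statements, and reports which commands were running in which source domain, which is what makes the ntpd/ntpdate-in-dhcpc_t situation in the log stand out. The sample records are constructed in the shape of the thread's excerpt; the grouping is a simplified reimplementation, not audit2allow itself.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's audit.log excerpt: AVC denials
# plus one SYSCALL and one AVC_PATH record, which carry no denial of their own.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181102914.825:33): avc: denied { getattr } for pid=3514 comm="ntpd" name="ntpd" dev=dm-0 ino=16581960 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1181102914.825:33): arch=40000003 syscall=195 success=yes exit=0 comm="ntpd" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC_PATH msg=audit(1181102914.825:33): path="/var/lock/subsys/ntpd"
type=AVC msg=audit(1181102914.825:34): avc: denied { getattr } for pid=3514 comm="ntpd" name="ntpd.pid" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1181102914.825:35): avc: denied { read } for pid=3514 comm="ntpd" name="ntpd.pid" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1181102914.825:37): avc: denied { signal } for pid=3514 comm="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=process
type=AVC msg=audit(1181102914.825:46): avc: denied { sys_time } for pid=3528 comm="ntpdate" capability=25 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
"""

# "type=AVC " (with the space) deliberately does not match "type=AVC_PATH".
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(log_text):
    """Yield (source type, target type, class, permission set, comm) per AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
               set(m["perms"].split()), comm.group(1) if comm else "?")

def summarize(log_text):
    """Group denials into sorted audit2allow-style allow statements.

    A target type equal to the source type is written as "self", as audit2allow does.
    """
    grouped = defaultdict(set)
    for src, tgt, cls, perms, _comm in parse_avc(log_text):
        grouped[(src, "self" if tgt == src else tgt, cls)] |= perms
    out = []
    for (src, tgt, cls), perms in grouped.items():
        p = sorted(perms)
        out.append(f"allow {src} {tgt}:{cls} {p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'};")
    return sorted(out)

def commands_per_domain(log_text):
    """Map each source domain to the commands denied while running in it."""
    domains = defaultdict(set)
    for src, _tgt, _cls, _perms, comm in parse_avc(log_text):
        domains[src].add(comm)
    return dict(domains)

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_AUDIT_LOG)))
    print(commands_per_domain(SAMPLE_AUDIT_LOG))
```

Seeing `ntpd` and `ntpdate` listed under `dhcpc_t`, with a `process signal` denial against `ntpd_t`, is the cue to look at how the daemon is being started before allowing every listed permission to `dhcpc_t`.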