Denied despite permissive mode?

Andrew Ziem ahziem1 at mailbolt.com
Sat Apr 21 05:34:45 UTC 2007


Stephen Smalley wrote:
> On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
>   
>> Hi,
>>
>> 1. Should I be getting denied in permissive mode?
>>     
>
> No.
>
>   
>> 2. How do I get ntpd working?  (Also, smartd has the same problem, but 
>> they both used to work some months ago.)
>>
>> [root@z ~]# getsebool -a | grep exec
>> allow_execheap --> on
>> allow_execmem --> on
>> allow_execmod --> on
>> allow_execstack --> on
>> allow_java_execstack --> off
>> httpd_ssi_exec --> on
>> httpd_suexec_disable_trans --> off
>> [root@z ~]# getenforce
>> Permissive
>> [root@z ~]# /sbin/service ntpd start
>> Starting ntpd: SELinux denied execmem.
>>     
>
> Hmm...that's interesting.  What is generating that message ("SELinux
> denied execmem")?  A SELinux denial only manifests as an audit message
> (in /var/log/messages or /var/log/audit/audit.log) and as an error
> return from the kernel (with errno EACCES, but not distinguished from
> other potential reasons for permission denied there), so some userland
> component is displaying that message for you, not SELinux itself.  
>
> I'd guess that the application or script is getting an error and
> incorrectly assuming that it was SELinux that was the culprit, as
> permissive mode shouldn't deny anything.
>   
Apparently, the binaries were corrupt.  The problem was solved by:
    rpm -e --nodeps ntp hal-cups-utils; yum -y install ntp hal-cups-utils

(Also affected was cups-config-daemon in hal-cups-utils.)

Anyway, sorry for the noise.


Andrew
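
The check described in the quoted reply, as an added example that is not part of the original thread: a real SELinux denial leaves an AVC record in the audit log, so a "denied" message with no matching record came from somewhere else. The log lines, the comm name "demo" and the function names are constructed for illustration.

```python
import re

# "avc:  denied  { perm ... } for  key=value ..." as written to
# /var/log/audit/audit.log or /var/log/messages.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    'type=AVC msg=audit(1177133685.101:41): avc:  denied  { execmem } for  '
    'pid=2101 comm="demo" scontext=user_u:system_r:demo_t:s0 '
    'tcontext=user_u:system_r:demo_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1177133685.101:41): arch=40000003 syscall=125 '
    'success=yes exit=0 comm="demo"',
    'type=AVC msg=audit(1177133690.220:42): avc:  denied  { read } for  '
    'pid=2140 comm="smartd" name="sda" dev=tmpfs '
    'scontext=system_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
]

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def diagnose(lines, comm, perm, enforcing):
    """Classify a reported denial of `perm` for the process named `comm`."""
    hits = [r for r in map(parse_avc, lines)
            if r and r["result"] == "denied"
            and r.get("comm") == comm and perm in r["perms"]]
    if not hits:
        return "not-selinux"   # no AVC record: look for another cause
    # Newer kernels append permissive=0/1 to the record; older ones do not,
    # so fall back to the getenforce state passed in by the caller.
    if not enforcing or all(r.get("permissive") == "1" for r in hits):
        return "logged-only"   # permissive: recorded, but the kernel allowed it
    return "blocked"

if __name__ == "__main__":
    # The situation in this thread: permissive mode, ntpd reports execmem.
    print(diagnose(SAMPLE_LOG, "ntpd", "execmem", enforcing=False))
```

A "not-selinux" result is the cue to check other causes, such as the package contents (for example with rpm -V).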