Bug 1074067

Summary: SELinux is preventing /usr/sbin/ntpd from 'read' accesses on the directory .
Product: Fedora
Reporter: Martin Gregorie <martin>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dominick.grift, dwalsh, lvrabec, martin, mgrepl
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:7202d066c44d36109d4a24a48dd890c264d159757a72d6338af42c5815235811
Doc Type: Bug Fix
Last Closed: 2014-03-25 12:17:31 UTC

Attachments:
Attachment: This is /etc/profile.d/java.sh on my system (flags: none)
Attachment: 'find' output as requested. (flags: none)

Description Martin Gregorie 2014-03-07 20:31:03 UTC
Description of problem:
Enabled ntpd and started it.
SELinux is preventing /usr/sbin/ntpd from 'read' accesses on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ntpd should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:home_bin_t:s0
Target Objects                 [ dir ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntp-4.2.6p5-18.fc20.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.13.5-202.fc20.i686+PAE #1 SMP
                              Mon Mar 3 19:26:26 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-03-07 16:56:00 GMT
Last Seen                     2014-03-07 16:56:00 GMT
Local ID                      320d191c-815c-4144-a666-72481a826310

Raw Audit Messages
type=AVC msg=audit(1394211360.770:399): avc:  denied  { read } for  pid=1998 comm="ntpd" name="bin" dev="sda5" ino=1499138 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir


type=SYSCALL msg=audit(1394211360.770:399): arch=i386 syscall=openat success=yes exit=ESRCH a0=ffffff9c a1=bff3274b a2=98800 a3=0 items=0 ppid=1 pid=1998 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,home_bin_t,dir,read

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.5-202.fc20.i686+PAE
type:           libreport

Comment 1 Daniel Walsh 2014-03-07 22:06:32 UTC
Why would ntpd_t be reading a binary file in the home dir?  home_bin_t?

Comment 2 Martin Gregorie 2014-03-07 22:39:38 UTC
ntpd is started under user ntp.
A glance at /etc/passwd shows that ntpd's home directory is /etc/ntp.
The crash report shows it's trying to open the directory /etc/ntp/.,
presumably in an attempt to see what's there. In fact the content is:

# ls -la /etc/ntp
total 28
drwxr-xr-x.   3 root root  4096 Jan 25 17:33 .
drwxr-xr-x. 150 root root 12288 Mar  7 16:50 ..
drwxr-x---.   2 root ntp   4096 Jan 25 17:33 crypto
-rw-------.   1 root root    86 Dec  9 16:23 keys
-rw-r--r--.   1 root root    74 Dec  9 16:23 step-tickers

On that basis I'd say it's entirely reasonable that it wants to know what's in the files crypto/pw, keys and step-tickers. In this case all the files have their default contents, i.e. there is nothing but comments in 'crypto/pw' and 'keys', but 'step-tickers' contains the three lines between the dashes:

==============start of step-tickers===============
# List of NTP servers used by the ntpdate service.

0.fedora.pool.ntp.org
===============end of step-tickers================

Comment 3 Miroslav Grepl 2014-03-10 08:59:40 UTC
Well, the AVC is about name="bin" labeled as home_bin_t, which means a binary file in the home dir.

Or are you getting additional AVCs?

Comment 4 Martin Gregorie 2014-03-10 12:28:00 UTC
I read the last line of the original report,

"SELinux is preventing /usr/sbin/ntpd from 'read' accesses on the directory .",

as meaning that ntpd was reading '.' in order to see what is in its home directory. opendir() returns a stream and, as readdir() returns dirent structs, which contain binary values, it's very likely that it is reading the directory as a binary file.

Additional AVCs? Not as far as I know.

Comment 5 Daniel Walsh 2014-03-16 22:14:58 UTC
ls -lZ /usr/bin

Is that labeled as home_bin_t?  Or is there a directory in your homedir named bin?

ls -lZ ~/bin

It could be ntpd reading the directories listed in your $PATH if you have ~/bin in the path?

Comment 6 Martin Gregorie 2014-03-17 00:05:17 UTC
Here's what I see under ~ntp, which is where systemd is starting ntpd:

# ls -alZ
drwxr-xr-x. root root system_u:object_r:etc_t:s0       .
drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
drwxr-x---. root ntp  system_u:object_r:ntpd_key_t:s0  crypto
-rw-------. root root system_u:object_r:ntpd_key_t:s0  keys
-rw-r--r--. root root system_u:object_r:ntp_conf_t:s0  step-tickers

This is as close as I can come to what I think you mean by "ls -lZ /usr/bin" since the /etc/passwd entry for ntp is:

# grep ntp  /etc/passwd
ntp:x:38:38::/etc/ntp:/sbin/nologin

I don't know why you're asking about my homedir, since that is not where ntpd is being run. The only thing I can think of to add is that $PATH probably contains:

# echo $PATH
/usr/java/ant/bin:/usr/java/sdk/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/java/jmf/bin:/usr/X11R6/bin:/root/bin

because I use Java from all personally created logins on this box and so have added the /etc/profile.d/java.sh file (attached) so it will be applied to the ntpd user as well.

Comment 7 Martin Gregorie 2014-03-17 00:07:34 UTC
Created attachment 875260 [details]
This is /etc/profile.d/java.sh on my system

Comment 8 Miroslav Grepl 2014-03-17 13:06:22 UTC
The point is we would like to know which dir is labeled as home_bin_t. Then we can say it is a bad labeling or there is a bug in ntpd which tries to access something that is not needed.

# find  / -context "*home_bin_t*" -printf "%p %Z\n"

Comment 9 Martin Gregorie 2014-03-17 13:45:19 UTC
Gotcha. 'find' output is attached as a separate file.

/home/kiwi and /home/reference are two regular login directories which both have bin directories containing scripts.

/home/local/bin is different. It is, in fact, part of the /usr/local directory structure, created by the commands "cd /home; mv /usr/local ." and then relinked by the commands "cd /usr; ln -s /home/local local" so it works as usual. I did this because /home is mounted in its own separate partition for faster clean installs when a new version of Fedora is released. This partition is not reformatted and, after the install has completed, it's only necessary to run
"cd /usr; rm -rf local; ln -s /home/local local;" to make locally developed programs and scripts available again.

Of these, only /home/local/bin should be in $PATH under its alias of /usr/local/bin when ntpd is starting up.

Comment 10 Martin Gregorie 2014-03-17 13:48:04 UTC
Created attachment 875494 [details]
'find' output as requested.

Comment 11 Daniel Walsh 2014-03-25 12:17:31 UTC
# semanage fcontext -a -e /usr /home/local
# restorecon -R -v /home/local

Should fix the labeling.
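The triage in this thread boils down to two steps: read the source type, target type, object class and object name out of the raw AVC record, and then, once the mislabeled tree is known to be a relocated copy of a standard directory, tell the policy that the new path is equivalent to the original (the `semanage fcontext -a -e` form in Comment 11) and relabel it. The following POSIX shell script is an added example, not part of the bug report or of the Fedora policy tooling. It parses the AVC line quoted in the description (embedded here as a constructed sample) into a one-line summary, and builds the equivalence-mapping commands as text instead of running them, so it executes without root or a SELinux-enabled host. The function names (`avc_field`, `avc_summary`, `equivalence_fix`) are this example's own.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC record and produce the
# equivalence-labeling fix described in Comment 11.

# Constructed sample: the AVC line quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1394211360.770:399): avc:  denied  { read } for  pid=1998 comm="ntpd" name="bin" dev="sda5" ino=1499138 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the KEY=... token, with quotes stripped.
# Tokens are space separated, so split on spaces and match the key exactly.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE -> the denied permission set written inside { ... }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "comm source_type perms target_type tclass name"
# e.g. "ntpd ntpd_t read home_bin_t dir bin" for the sample above, which is
# what Comment 3 read off the record by hand.
avc_summary() {
    line=$1
    printf '%s %s %s %s %s %s\n' \
        "$(avc_field "$line" comm)" \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(avc_perms "$line")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)"
}

# equivalence_fix MOVED_DIR CANONICAL_DIR -> the two commands from Comment 11.
# "semanage fcontext -a -e CANONICAL MOVED" records that MOVED_DIR should be
# labeled as if it were CANONICAL_DIR; restorecon then applies those labels.
# The commands are printed, not executed, so the script has no side effects;
# run the printed lines as root on the affected host to apply the fix.
equivalence_fix() {
    printf 'semanage fcontext -a -e %s %s\nrestorecon -R -v %s\n' "$2" "$1" "$1"
}

avc_summary "$SAMPLE_AVC"
equivalence_fix /home/local /usr
```

The summary line makes the mismatch obvious at a glance: a system daemon type (ntpd_t) touching a user-home type (home_bin_t) on a directory called bin is either a relocated system directory, as it turned out here, or a $PATH entry that should not be reachable from the service. The equivalence mapping is preferable to a per-path `fcontext` rule because it carries over the entire /usr labeling to /home/local, including subdirectories added later.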