Bug 1114157

Summary: SELinux is preventing /usr/sbin/ntpd access on under /var/spool/ntp/stats
Product: Red Hat Enterprise Linux 6
Reporter: Sidney Sedlak <dev>
Component: ntp
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.5
CC: dev, dwalsh, mgrepl, mlichvar, mmalik
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-31 16:40:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sidney Sedlak 2014-06-27 23:05:46 UTC
Description of problem:


Version-Release number of selected component (if applicable): 4.2.6p5


How reproducible: Set SELinux to enforcing and restart ntpd or watch /var/log/messages


Steps to Reproduce:
1. setenforce 1
2. service ntpd restart
3. tail -f /var/log/messages

Actual results:
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/loopstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/loopstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied


Expected results:
No permission denied messages and the statistics data are created under /var/spool/ntp/stats

Additional info:
Audit2allow reports this:
# cat /var/log/audit/audit.log |audit2allow -m ntpd

module ntpd 1.0;

require {
        type ntpd_t;
        type var_spool_t;
        class dir { write remove_name add_name };
        class file { rename link create open };
}

#============= ntpd_t ==============
#!!!! The source type 'ntpd_t' can write to a 'dir' of the following types:
# tmpfs_t, ntp_drift_t, ntpd_tmpfs_t, var_run_t, var_log_t, ntpd_var_run_t, ntpd_tmp_t, ntpd_log_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow ntpd_t var_spool_t:dir { write remove_name add_name };
allow ntpd_t var_spool_t:file { rename open create link };

Comment 2 Milos Malik 2014-06-30 10:03:56 UTC
Is the /var/spool/ntp/stats/ directory used for this purpose by default? What about /var/lib/ntp/stats/ directory?

Comment 3 Miroslav Grepl 2014-06-30 10:34:59 UTC
What does

# rpm -qf /var/spool/ntp/stats

Comment 5 Sidney Sedlak 2014-06-30 19:42:11 UTC
Hi,

this is completely strange, because the command said that the /var/spool/ntp/stats is not owned by any package. The /var/lib/ntp/stats doesn't exist at all; the only item owned by the ntp package under /var/lib/ntp is a file called 'drift'.

We use the /var/spool/ntp/stats as long as I remember and it worked, I never saw the SELinux error before.

What's the recommended solution here? Shall we change the configuration to the /var/lib/ntp/stats as Milos proposes, or could the /var/spool/ntp/stats be used instead? In one case or the other, the directory should be maintained by the ntp package with the correct SELinux context.

BTW. What sounds more appropriate for stats files? /var/lib as the "application state" place or /var/spool as the "spool files for further processing" if we talk what's specified in FHS?

Comment 6 Milos Malik 2014-07-01 07:50:39 UTC
To make the situation even more confusing :-)

# rpm -qf /var/log/ntpstats/
ntp-4.2.6p5-1.el6.x86_64
# matchpathcon /var/log/ntpstats/
/var/log/ntpstats	system_u:object_r:ntpd_log_t:s0
# sesearch -s ntpd_t -t ntpd_log_t -c dir -A -C
Found 2 semantic av rules:
   allow daemon logfile : dir { getattr search open } ; 
   allow ntpd_t ntpd_log_t : dir { ioctl read write getattr setattr lock add_name remove_name search open } ; 
# sesearch -s ntpd_t -t ntpd_log_t -c file -A -C
Found 4 semantic av rules:
   allow ntpd_t logfile : file { getattr append } ; 
   allow daemon logfile : file { ioctl getattr lock append open } ; 
   allow ntpd_t ntpd_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow application_domain_type logfile : file { getattr append } ; 
#

SELinux wouldn't complain if the data files mentioned in comment#0 were created and stored in /var/log/ntpstats/ directory.

Comment 7 Miroslav Grepl 2014-07-01 08:48:49 UTC
Miroslav,
any idea why it tries to access /var/spool/ntp/stats?

Comment 8 Miroslav Lichvar 2014-07-01 09:49:53 UTC
I guess "statsdir /var/spool/ntp/stats/" is present in their ntp.conf. The compiled-in default value is /var/spool/ntpstats/.

I'm not sure if it makes sense to try to support non-default locations.

Comment 9 Miroslav Lichvar 2014-07-01 09:55:16 UTC
Correction, the compiled-in default value is actually /var/log/ntp/stats. This didn't change for a very long time.

Comment 10 Miroslav Lichvar 2014-07-01 09:57:47 UTC
Erm, it's /var/log/ntpstats/, no slash between ntp and stats. Sorry for the noise.

It's set in ntp.spec by this line:

echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h

Comment 11 Sidney Sedlak 2014-07-01 11:28:13 UTC
That's correct that the spool path is set in our ntp.conf, yet without any issues until now.

To be honest, I would understand the /var/lib or /var/spool, but why /var/log/? And I checked the upstream and they use /var/log/ntp for the statsfiles, to make it even more confusing.

So, back to my question - shall we change to the officially supported /var/log/ntpstats or do you think it may be worth to check a bit further what the standard location is?

Comment 12 Sidney Sedlak 2014-07-31 14:14:27 UTC
We changed stats location to /var/log/ntpstats/ and it's working, so this ticket may be closed.

Comment 13 Miroslav Lichvar 2014-07-31 16:40:12 UTC
Ok, let's close this.

The upstream default value for statsdir is /var/NTP, but that would not be a very good place for the files. It seems /var/log/ntpstats was used for this in various Linux distributions for a very long time now.
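The thread's outcome is that the denials came from a non-default `statsdir` under /var/spool, which the stock file-context policy labels var_spool_t (a type ntpd_t may not write), and that pointing `statsdir` at the packaged /var/log/ntpstats/ (labelled ntpd_log_t) resolves it without loosening policy via the audit2allow module. The following pre-flight check is an added example and not part of the bug report or the ntp package: it extracts `statsdir` from an ntp.conf and reports whether ntpd_t could write there. It assumes the two labels quoted above (ntpd_log_t for /var/log/ntpstats, var_spool_t under /var/spool); on a host with SELinux tooling it consults `matchpathcon -n` instead of that constructed table, and the sample ntp.conf it runs on is constructed to mirror the reporter's setup.

```shell
#!/bin/sh
# Added example, not part of this bug report: a pre-flight check that the
# statsdir in an ntp.conf is a directory the stock SELinux policy lets
# ntpd_t write to. Assumption (from the thread): /var/log/ntpstats/ is
# labelled ntpd_log_t, while anything under /var/spool/ gets var_spool_t,
# which ntpd_t may not write. The fallback table below is constructed from
# those two labels; on a real host matchpathcon is consulted instead.

# Print the statsdir value from an ntp.conf (first directive wins).
ntp_statsdir() {
    awk '$1 == "statsdir" { print $2; exit }' "$1"
}

# Print the SELinux type the file-context policy would assign to a path.
expected_type() {
    path=${1%/}
    ctx=
    if command -v matchpathcon >/dev/null 2>&1; then
        ctx=$(matchpathcon -n "$path" 2>/dev/null) || ctx=
    fi
    if [ -n "$ctx" ]; then
        printf '%s\n' "$ctx" | awk -F: '{ print $3 }'
        return
    fi
    # Constructed fallback for hosts without SELinux tooling.
    case "$path" in
        /var/log/ntpstats|/var/log/ntpstats/*) echo ntpd_log_t ;;
        /var/spool/*)                          echo var_spool_t ;;
        *)                                     echo unknown_t ;;
    esac
}

# Return 0 when ntpd_t may write to the configured statsdir, 1 otherwise.
check_statsdir() {
    dir=$(ntp_statsdir "$1")
    if [ -z "$dir" ]; then
        echo "no statsdir directive; compiled-in default /var/log/ntpstats/ applies"
        return 0
    fi
    t=$(expected_type "$dir")
    if [ "$t" = ntpd_log_t ]; then
        echo "OK: $dir is labelled $t"
        return 0
    fi
    echo "WARN: $dir would be labelled $t; ntpd_t cannot write there under the stock policy"
    echo "      point statsdir at /var/log/ntpstats/ rather than adding an audit2allow module"
    return 1
}

# Demonstration on a constructed ntp.conf mirroring the reporter's setup.
demo_conf=$(mktemp)
printf 'driftfile /var/lib/ntp/drift\nstatsdir /var/spool/ntp/stats/\n' > "$demo_conf"
check_statsdir "$demo_conf" || echo "check exited with status $?"
rm -f "$demo_conf"
```

Run it against the real /etc/ntp.conf (`check_statsdir /etc/ntp.conf`) before switching SELinux to enforcing; a non-zero exit means ntpd would hit the same stat()/open() denials shown in the description. Checking the label up front, rather than reading AVC denials afterwards, keeps the fix on the configuration side instead of the policy side.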