Bug 1114157
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/ntpd access on under /var/spool/ntp/stats |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Sidney Sedlak <dev> |
| Component | ntp |
| Assignee | Miroslav Lichvar <mlichvar> |
| Status | CLOSED NOTABUG |
| QA Contact | qe-baseos-daemons |
| Severity | medium |
| Priority | unspecified |
| Version | 6.5 |
| CC | dev, dwalsh, mgrepl, mlichvar, mmalik |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-07-31 16:40:12 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Sidney Sedlak
2014-06-27 23:05:46 UTC
Is the /var/spool/ntp/stats/ directory used for this purpose by default? What about the /var/lib/ntp/stats/ directory? What does

    # rpm -qf /var/spool/ntp/stats

Hi, this is completely strange, because the command said that /var/spool/ntp/stats is not owned by any package. /var/lib/ntp/stats doesn't exist at all; the only item owned by the ntp package under /var/lib/ntp is a file called 'drift'. We have used /var/spool/ntp/stats for as long as I remember and it worked, I never saw the SELinux error before. What's the recommended solution here? Shall we change the configuration to /var/lib/ntp/stats as Milos proposes, or could /var/spool/ntp/stats be used instead? In one case or the other, the directory should be maintained by the ntp package with the correct SELinux context. BTW, what sounds more appropriate for stats files: /var/lib as the "application state" place, or /var/spool as the "spool files for further processing", if we talk about what's specified in the FHS?

To make the situation even more confusing :-)

    # rpm -qf /var/log/ntpstats/
    ntp-4.2.6p5-1.el6.x86_64
    # matchpathcon /var/log/ntpstats/
    /var/log/ntpstats	system_u:object_r:ntpd_log_t:s0
    # sesearch -s ntpd_t -t ntpd_log_t -c dir -A -C
    Found 2 semantic av rules:
       allow daemon logfile : dir { getattr search open } ;
       allow ntpd_t ntpd_log_t : dir { ioctl read write getattr setattr lock add_name remove_name search open } ;
    # sesearch -s ntpd_t -t ntpd_log_t -c file -A -C
    Found 4 semantic av rules:
       allow ntpd_t logfile : file { getattr append } ;
       allow daemon logfile : file { ioctl getattr lock append open } ;
       allow ntpd_t ntpd_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow application_domain_type logfile : file { getattr append } ;
    #

SELinux wouldn't complain if the data files mentioned in comment#0 were created and stored in the /var/log/ntpstats/ directory. Miroslav, any idea why it tries to access /var/spool/ntp/stats?

I guess "statsdir /var/spool/ntp/stats/" is present in their ntp.conf. The compiled-in default value is /var/spool/ntpstats/. I'm not sure if it makes sense to try to support non-default locations.

Correction, the compiled-in default value is actually /var/log/ntp/stats. This didn't change for a very long time.

Erm, it's /var/log/ntpstats/, no slash between ntp and stats. Sorry for the noise. It's set in ntp.spec by this line:

    echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h

That's correct, the spool path is set in our ntp.conf, yet without any issues until now. To be honest, I would understand /var/lib or /var/spool, but why /var/log/? And I checked upstream and they use /var/log/ntp for the stats files, to make it even more confusing. So, back to my question: shall we change to the officially supported /var/log/ntpstats, or do you think it may be worth checking a bit further what the standard location is?

We changed the stats location to /var/log/ntpstats/ and it's working, so this ticket may be closed.

Ok, let's close this. The upstream default value for statsdir is /var/NTP, but that would not be a very good place for the files. It seems /var/log/ntpstats was used for this in various Linux distributions for a very long time now.
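The check the thread performed by hand (rpm -qf and matchpathcon against the configured statsdir) can be scripted. This is an added example, not code from the bug report or from the ntp package; the function names are its own, the default path and the ntpd_log_t type are taken from the thread, and the sample ntp.conf in the comments is constructed.

```sh
#!/bin/sh
# Added example, not part of the bug report: audit which statsdir an ntp.conf
# points at, the way the thread did by hand with rpm -qf / matchpathcon.
# Function names are this example's own; the defaults come from the thread.

NTP_DEFAULT_STATSDIR=/var/log/ntpstats/   # compiled-in default from ntp.spec (RHEL 6)
NTP_EXPECTED_TYPE=ntpd_log_t              # type ntpd_t may write, per the sesearch output

# Print the statsdir configured in the given ntp.conf, or the compiled-in
# default when no statsdir line is present. Comment lines are skipped and, if
# the directive is repeated, the last occurrence wins (this script's choice).
ntp_statsdir() {
    dir=$(sed -n 's/^[[:space:]]*statsdir[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${dir:-$NTP_DEFAULT_STATSDIR}"
}

# Succeed (exit 0) when the configured statsdir is the packaged default,
# ignoring a trailing slash.
ntp_statsdir_is_default() {
    configured=$(ntp_statsdir "$1")
    [ "${configured%/}" = "${NTP_DEFAULT_STATSDIR%/}" ]
}

# Print the SELinux type the file_contexts database assigns to the configured
# statsdir (e.g. ntpd_log_t), or "unknown" when matchpathcon is not installed.
ntp_statsdir_type() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$(ntp_statsdir "$1")" | awk -F: '{ print $3 }'
    else
        echo unknown
    fi
}

# On a real host the functions combine into one check (constructed usage):
#   conf=/etc/ntp.conf
#   ntp_statsdir_is_default "$conf" || echo "non-default statsdir $(ntp_statsdir "$conf")"
#   t=$(ntp_statsdir_type "$conf")
#   [ "$t" = "$NTP_EXPECTED_TYPE" ] || echo "statsdir labelled $t, not $NTP_EXPECTED_TYPE: expect an AVC denial"
```

A statsdir that is neither the packaged default nor labelled ntpd_log_t is exactly the situation the thread hit, so the second message is the one to act on.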