Bug 155580

Summary: selinux targeted policy prevents ntpd from operating
Product: Red Hat Enterprise Linux 4
Reporter: Gordon Farquharson <gordonf>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4.0
Hardware: i686
OS: Linux
Last Closed: 2005-04-21 16:57:20 UTC

Description Gordon Farquharson 2005-04-21 16:00:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322 Firefox/1.0.2 Red Hat/1.0.2-1.4.1

Description of problem:
When ntpd is started (e.g. as root /etc/init.d/ntpd start), /var/log/messages reports

Apr 21 09:57:59 streamer kernel: audit(1114099079.319:0): avc:  denied  { read } for  pid=17680 exe=/usr/sbin/ntpd name=group dev=dm-0 ino=8405041 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/ntpd start (as root or sudo)
2. look at /var/log/messages

Actual Results:  In /var/log/messages:

Apr 21 09:57:59 streamer kernel: audit(1114099079.319:0): avc:  denied  { read } for  pid=17680 exe=/usr/sbin/ntpd name=group dev=dm-0 ino=8405041 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file

and the ntpd daemon is killed.

Expected Results:  ntpd should be running.

Additional info:

Comment 1 Daniel Walsh 2005-04-21 16:15:43 UTC
Did you create a file in /tmp named group and then move it somewhere?

tmp_t is the default context for files in /tmp; if you use the mv command, it will
retain the context.

So say you created an /etc/group file in /tmp and then
moved it to /etc:
mv /tmp/group /etc/group

You would have the wrong context on the file.  You can fix the context using
restorecon /etc/group

If you want to look at the context of a file you can use ls

ls -Z /etc/group

Dan
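A small triage helper, added here and not part of the bug report, that parses AVC denial records like the one above and flags the pattern Dan describes: a daemon domain denied access to a file that still carries tmp_t because it was moved with mv. The first sample line is the denial from the report; the second is constructed for contrast, and the MISLABEL_TYPES set is an assumption you would extend for your own policy.

```python
import re
from dataclasses import dataclass

# Constructed sample log: line 1 is the denial quoted in the report,
# line 2 is a made-up socket denial that should not be flagged.
SAMPLE_LOG = """\
Apr 21 09:57:59 streamer kernel: audit(1114099079.319:0): avc:  denied  { read } for  pid=17680 exe=/usr/sbin/ntpd name=group dev=dm-0 ino=8405041 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file
Apr 21 10:02:11 streamer kernel: audit(1114099331.101:0): avc:  denied  { name_bind } for  pid=17702 exe=/usr/sbin/ntpd scontext=root:system_r:ntpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# File types that a system daemon should never be reading from its config paths;
# seeing them there usually means a file was mv'd into place (assumption: extend as needed).
MISLABEL_TYPES = {"tmp_t"}


@dataclass
class AvcDenial:
    perms: list
    fields: dict

    def ctx_type(self, key):
        # user:role:type[:level] -> type
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Parse one syslog line; return an AvcDenial or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcDenial(m.group("perms").split(), dict(KV_RE.findall(m.group("fields"))))


def triage(d):
    """Return a remediation hint for the mv-retained-label pattern, else None."""
    if d.fields.get("tclass") in ("file", "dir", "lnk_file") and d.ctx_type("tcontext") in MISLABEL_TYPES:
        return (f"{d.fields.get('exe', '?')} ({d.ctx_type('scontext')}) denied {' '.join(d.perms)} on "
                f"'{d.fields.get('name', '?')}' labelled {d.ctx_type('tcontext')}: likely moved with mv; "
                f"inspect with 'ls -Z' and relabel with 'restorecon'")
    return None


def scan(log_text):
    """Return [(denial, hint-or-None)] for every AVC denial in the log text."""
    return [(d, triage(d)) for d in map(parse_avc, log_text.splitlines()) if d]


if __name__ == "__main__":
    for d, hint in scan(SAMPLE_LOG):
        print(hint or f"no mislabel pattern: {d.fields.get('tclass')} / {d.ctx_type('tcontext')}")
```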

Comment 2 Gordon Farquharson 2005-04-21 16:48:39 UTC
Hi Dan

Yes, this was done by our site configuration script. I restored the /etc/group
context using restorecon as you suggested, and now ntpd runs.

Thanks very much for the help. selinux is going to take a while to learn.

Gordon