Bug 242384

Summary: many selinux policy errors
Product: [Fedora] Fedora
Reporter: Alvin Thompson <alvin>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: low
Version: 7
CC: dwalsh, k.georgiou, webmaster
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 14:09:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: policy errors (flags: none)

Description Alvin Thompson 2007-06-03 21:39:54 UTC
see attached.

Comment 1 Alvin Thompson 2007-06-03 21:39:54 UTC
Created attachment 156037 [details]
policy errors

Comment 2 David 2007-06-03 22:13:03 UTC
I can add to this: there is a missing policy for ntpd.  In FC6 under selinux, you
could disable selinux on the ntpd daemon.  So if you used gpsd with a gps, ntpd
would then use the gpsd time reference for the clock.

In f7 there is simply no ntpd policy in selinux, so you have to drop selinux
completely from enforcing to permissive.

We need all the old options that were in fc6 under selinux added to f7 ASAP.

Comment 3 Alvin Thompson 2007-06-03 22:16:33 UTC
David, can you attach the policy alerts?  I'm using ntpd with no problem.  Did
you try relabeling the entire system?


Comment 4 David 2007-06-04 08:22:01 UTC
Hi Alvin,
I am using gpsd with a gps to provide system time.  If I set selinux to
enforcing a ntpq -p does not show GPS and GPS1 as time sources.

In FC6 you have to specifically disable selinux on the ntpd daemon.

In F7 there is no ntpd policy control.

selinux policy for f7 needs to be updated to allow you to disable it against ntpd.



Comment 5 Alvin Thompson 2007-06-04 08:27:54 UTC
That's all Greek to me, so I'll take your word for it.

Comment 6 Daniel Walsh 2007-06-04 18:00:13 UTC
David, you can easily customize your policy with audit2allow in F-7.

# grep ntpd /var/log/audit/audit.log | audit2allow -M myntpd 
# semodule -i myntpd.pp

We have dropped the disable_trans booleans, because it is easy to customize
local policy and disable_trans often caused other domains to get into trouble,
i.e. a domain that was relying on ntpd to be running with the correct context.

The attached log did not contain any references to ntpd, please submit your
audit.log and I will update policy.


You also need to relabel /root
restorecon -R -v /root



Comment 7 David 2007-06-05 09:39:59 UTC
dwalsh,

Thanks for the note, but it did not work :(

[root@primary ~]# grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
grep: /var/log/audit/audit.log: No such file or directory
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@primary ~]# semodule -i myntp.pp
semodule:  Could not read file 'myntp.pp':
[root@primary ~]#

Comment 8 David 2007-06-09 08:50:50 UTC
I got it working properly under selinux enforcing.  The key was that the semodule
command is semodule -i my.pp


grep ntpd /var/log/messages | audit2allow -M my ntpd
semodule -i my.pp

Again, as above, here are the AVC messages to include in the policy:

Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  {
unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400
scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  {
associate } for  pid=8171 comm="ntpd" key=1314148400
scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read
write } for  pid=8171 comm="ntpd" key=1314148400
scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from
/var/lib/ntp/drift

Cheers,
David

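As an added illustration of what audit2allow does with the denials quoted above (example code written for this page, not part of the bug report or of audit2allow itself): it parses the AVC records, groups them by source type, target type and object class, and emits the allow rule that would land in the generated .te file. The sample log is constructed from the lines in the comment.

```python
import re
from collections import defaultdict

# Constructed sample (not the page's attachment): the AVC denials David quoted
# in comment 8, as /var/log/messages shows them; audit.log's "type=AVC
# msg=audit(...): avc:  denied ..." records match the same pattern.
SAMPLE_LOG = """\
Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. ntpd's own syslog lines)
        perms = set(m.group(1).split())
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        try:
            # Contexts are user:role:type[:level]; the type is the third field.
            stype = fields["scontext"].split(":")[2]
            ttype = fields["tcontext"].split(":")[2]
            tclass = fields["tclass"]
        except (KeyError, IndexError):
            continue  # truncated record: skip it rather than guess a rule
        yield stype, ttype, tclass, perms


def allow_rules(text):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype  # same domain: use 'self'
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The resulting rule is the body audit2allow -M would wrap in a module (with the matching require block) before checkmodule and semodule -i load it; review it before loading, since it grants exactly the denied permissions and nothing prevents it from being broader than the daemon really needs.
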
Comment 9 Daniel Walsh 2007-06-11 13:58:22 UTC
Fixed in selinux-policy-2.6.4-14

Comment 10 David 2007-06-11 23:08:37 UTC
Hi Daniel,

Thanks for the fix!
Once I see the new policy loaded, can I then semodule -r ntpd and I assume I
will find the ntpd policy to apply in the selinux management gui?

Cheers,
David

Comment 11 Daniel Walsh 2007-08-22 14:09:18 UTC
Closing as fixes are in the current release