Bug 242384
| Field | Value |
|---|---|
| Summary | many selinux policy errors |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 7 |
| Hardware | All |
| OS | Linux |
| Reporter | Alvin Thompson <alvin> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh, k.georgiou, webmaster |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | low |
| Fixed In Version | Current |
| Doc Type | Bug Fix |
| Last Closed | 2007-08-22 14:09:18 UTC |
Description

Alvin Thompson, 2007-06-03 21:39:54 UTC

Created attachment 156037: policy errors

---

I can add to this: there is a missing policy for ntpd. In FC6 under SELinux, you could disable SELinux on the ntpd daemon. So if you used gpsd with a GPS, ntpd would then use the gpsd time reference for the clock. In F7 there is simply no ntpd policy in SELinux, so you have to drop SELinux completely from enforcing to permissive. We need all the old options that were in FC6 under SELinux added to F7 ASAP.

---

David, can you attach the policy alerts? I'm using ntpd with no problem. Did you try relabeling the entire system?

---

Hi Alvin,

I am using gpsd with a GPS to provide system time. If I set SELinux to enforcing, `ntpq -p` does not show GPS and GPS1 as time sources. In FC6 you have to specifically disable SELinux on the ntpd daemon. In F7 there is no ntpd policy control. The SELinux policy for F7 needs to be updated to allow you to disable it against ntpd.

---

That's all Greek to me, so I'll take your word for it.

---

David, you can easily customize your policy with audit2allow in F-7:

```
# grep ntpd /var/log/audit/audit.log | audit2allow -M myntpd
# semodule -i myntpd.pp
```

We have dropped the disable_trans booleans, because it is easy to customize local policy and disable_trans often caused other domains to get into trouble, i.e. a domain that was relying on ntpd to be running with the correct context. The attached log did not contain any references to ntpd; please submit your audit.log and I will update policy.

You also need to relabel /root:

```
restorecon -R -v /root
```

---

dwalsh,

Thanks for the note, but it did not work :(

```
[root@primary ~]# grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
grep: /var/log/audit/audit.log: No such file or directory
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@primary ~]# semodule -i myntp.pp
semodule: Could not read file 'myntp.pp':
[root@primary ~]#
```

---

I got it working properly under SELinux enforcing. The key was that the semodule command is `semodule -i my.pp`:

```
grep ntpd /var/log/messages | audit2allow -M my ntpd
semodule -i my.pp
```

Again, as above, here are the AVC messages to include in the policy:

```
Jun 6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun 6 21:35:51 primary kernel: audit(1181129750.578:20): avc: denied { unix_read unix_write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:21): avc: denied { associate } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:22): avc: denied { read write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift
```

Cheers,
David

---

Fixed in selinux-policy-2.6.4-14

---

Hi Daniel,

Thanks for the fix! Once I see the new policy loaded, can I then `semodule -r ntpd`, and I assume I will find the ntpd policy to apply in the SELinux management GUI?

Cheers,
David

---

Closing as fixes are in the current release.
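To make visible what `audit2allow -M` builds from the AVC records posted in this bug, here is an added Python example; it is not part of the bug report and not the audit2allow tool's own code. It parses the three `avc: denied` lines quoted above (copied verbatim from the comment, with ntpd's own syslog line included to show that non-AVC records are skipped), merges the denied permissions per source type, target type and object class, and renders the resulting `allow` rule plus a minimal `.te` module source in the shape `audit2allow -M` writes. The module name `myntpd` is taken from Daniel Walsh's command; the exact `.te` layout is an approximation, not a copy of audit2allow's output.

```python
import re
from collections import defaultdict

# AVC denials quoted by the reporter in this bug (copied from /var/log/messages),
# plus one non-AVC ntpd line to show that unrelated records are skipped.
AVC_LINES = """\
Jun 6 21:35:51 primary kernel: audit(1181129750.578:20): avc: denied { unix_read unix_write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:21): avc: denied { associate } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:22): avc: denied { read write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift
"""

# One AVC record: the permission set in braces, then both contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record, e.g. ntpd's own syslog output
        yield (
            context_type(m["scontext"]),
            context_type(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
        )


def merge_denials(text):
    """Union the permissions of all denials sharing (source type, target type, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def allow_rules(text):
    """Render one TE allow rule per merged key; a domain acting on itself uses 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merge_denials(text).items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def render_module(name, text):
    """Assemble a minimal policy-module source (.te) with the require block filled in."""
    merged = merge_denials(text)
    types = sorted({t for key in merged for t in key[:2]})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        class_perms[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += allow_rules(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("myntpd", AVC_LINES))
```

Running it prints a single rule, `allow ntpd_t self:shm { associate read unix_read unix_write write };`, which is what the three denials collapse to. That is the review step worth doing before `semodule -i`: audit2allow turns every denial it is fed into a permission, so the generated `.te` should be read rule by rule. A `self` rule on a shared-memory segment, as here, only widens what ntpd may do to its own objects; a rule whose target is another domain's type or a sensitive file type deserves a closer look (and often a file-context fix with `restorecon`, as suggested above, rather than a new allow rule).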