Bug 488864

Summary: selinux is preventing ntpd access to /etc/ntp.conf
Product: Fedora
Component: dhcp
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: David Cantrell <dcantrell>
Assignee: David Cantrell <dcantrell>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dcantrell, dwalsh, jkubin, mgrepl, mlichvar, pertusus, quentin, wwoods
Doc Type: Bug Fix
Clone Of: 488470
Bug Depends On: 488470
Last Closed: 2009-03-11 19:14:50 UTC

Description David Cantrell 2009-03-06 00:49:12 UTC
The /etc/dhcp/dhclient.d/ntp.sh file needs to be updated with the changes referenced in this patch.

+++ This bug was initially created as a clone of Bug #488470 +++

Description of problem:
ntpd fails to synchronize to any ntp servers, since it is denied access to /etc/ntp.conf

Version-Release number of selected component (if applicable):
selinux-policy-3.6.6.-8

How reproducible:
Always

Steps to Reproduce:
1. Run selinux in enforcing mode
2. /etc/init.d/ntpd restart
3.
  
Actual results:
ntpq -p returns:
No association ID's returned

Expected results:
ntpq -p returns:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 sites.urchin.ea 193.201.201.18   4 u   11   64    1   35.835   -1.872   0.002
 scarlett.lon.re 192.36.144.23    2 u   10   64    1   36.961   -2.837   0.002
 ntp1.arse.org   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lyla.preshweb.c 130.88.200.6     3 u    8   64    1   34.037   -2.130   0.002
 ntp4.ja.net     .DCFa.           1 u    7   64    1   37.139   -1.534   0.002

or something similar

Additional info:
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.657:553): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf9f5730 a2=46fff4 a3=29ac548 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

and also

node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.629:552): arch=40000003 syscall=5 success=yes exit=4 a0=bb5b1a a1=0 a2=1b6 a3=0 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

--- Additional comment from dwalsh on 2009-03-04 10:31:33 EDT ---

This looks like this file was created by dhclient? in the /var/lib/dhclient directory and then moved into /etc/ntp.conf.  If dhclient is doing this it should run restorecon on the file when it is done.

restorecon -R -v /etc/ntp.conf 

Will fix.

--- Additional comment from dwalsh on 2009-03-04 10:33:04 EDT ---

Created an attachment (id=334005)
Patch to run restorecon on all files created by dhclient
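Triage of the AVC records above, as an added shell example that is not part of this report or of Fedora's tooling: it extracts the source type, target type and object from each file-class denial and shows why the relabel target has to come from the getattr record (which carries `path=`) rather than the read/open records (which only carry `name=`). The function names are hypothetical and the sample records are constructed from the lines in this report.

```shell
# Constructed input: the three AVC records from this report plus a trimmed
# SYSCALL record, one record per line as audit.log stores them (test data).
AVC_SAMPLE='type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=SYSCALL msg=audit(1236177107.657:553): arch=40000003 syscall=197 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd"'

# avc_file_denials: read audit records on stdin and print, for every AVC denial
# on a file object, "<source type> <target type> <path or name> <permission>".
# Pure POSIX sh parameter expansion, so it works on a host without awk/python.
avc_file_denials() {
    while IFS= read -r rec; do
        case $rec in
            "type=AVC "*"avc: "*"denied { "*"tclass=file"*) ;;
            *) continue ;;
        esac
        perm=${rec#*denied \{ }; perm=${perm%% \}*}
        src=${rec#*scontext=}; src=${src#*:}; src=${src#*:}; src=${src%%:*}
        tgt=${rec#*tcontext=}; tgt=${tgt#*:}; tgt=${tgt#*:}; tgt=${tgt%%:*}
        # read/open denials only carry the file name; getattr carries the path
        case $rec in
            *" path=\""*) obj=${rec#* path=\"}; obj=${obj%%\"*} ;;
            *" name=\""*) obj=${rec#* name=\"}; obj=${obj%%\"*} ;;
            *)            obj='?' ;;
        esac
        printf '%s %s %s %s\n' "$src" "$tgt" "$obj" "$perm"
    done
}

# restorecon_targets: from avc_file_denials output, keep the rows that name an
# absolute path and print the relabel command. Confirm the expected label with
# matchpathcon before running it; a dhcpc_state_t type on a file under /etc is
# the tell-tale of a file created elsewhere and moved into place.
restorecon_targets() {
    while read -r src tgt obj perm; do
        case $obj in /*) printf 'restorecon -v %s\n' "$obj" ;; esac
    done | sort -u
}
```

Run it with `printf '%s\n' "$AVC_SAMPLE" | avc_file_denials | restorecon_targets`, or feed it `ausearch -m AVC --raw` output on a real host.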

Comment 1 Miroslav Lichvar 2009-03-09 15:38:10 UTC
Is this something that needs to be fixed in ntp package? The /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

Anyway, /sbin/dhclient-script needs the following patch to actually call the functions from the ntp script.

@@ -364,7 +364,9 @@
         for f in /etc/dhcp/dhclient.d/*.sh ; do
             if [ -x ${f} ]; then
                 subsystem="${f%.sh}"
-                . ${f} "${subsystem}_config"
+                subsystem="${subsystem##*/}"
+                . ${f}
+                "${subsystem}_config"
             fi
         done
     fi
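Review bot: after the split, `"${subsystem}_config"` is invoked with no check that the sourced file defines it, so any executable /etc/dhcp/dhclient.d/*.sh that lacks a `<name>_config` function now produces a "command not found" error (exit 127); guard the call with `command -v "${subsystem}_config" >/dev/null 2>&1 &&` or an equivalent `type` check. The added `subsystem="${subsystem##*/}"` is needed because `${f%.sh}` only strips the suffix and leaves the directory in the name, so without it the loop would try to run `/etc/dhcp/dhclient.d/ntp_config`; `subsystem=$(basename "$f" .sh)` would do both steps in one line. Minor: `. ${f}` should quote the path, `. "${f}"`.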
@@ -490,7 +492,9 @@
             for f in /etc/dhcp/dhclient.d/*.sh ; do
                 if [ -x ${f} ]; then
                     subsystem="${f%.sh}"
-                    . ${f} "${subsystem}_restore"
+                    subsystem="${subsystem##*/}"
+                    . ${f}
+                    "${subsystem}_restore"
                 fi
             done
         fi
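Review bot: same point as in the `_config` hunk: `"${subsystem}_restore"` is called unconditionally after sourcing, so a hook that only implements the config phase yields a "command not found" error on lease release; wrap it as `if command -v "${subsystem}_restore" >/dev/null 2>&1; then "${subsystem}_restore"; fi`. The unquoted `. ${f}` applies here too.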

Comment 2 David Cantrell 2009-03-09 20:30:47 UTC
(In reply to comment #1)
> Is this something that needs to be fixed in ntp package? The
> /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

No, you don't need to change anything in ntp.sh if it calls restorecon already.  I created this bug so you'd check ntp.sh and change it if necessary.

> Anyway, /sbin/dhclient-script needs the following patch to actually call the
> functions from the ntp script.
> 
> @@ -364,7 +364,9 @@
>          for f in /etc/dhcp/dhclient.d/*.sh ; do
>              if [ -x ${f} ]; then
>                  subsystem="${f%.sh}"
> -                . ${f} "${subsystem}_config"
> +                subsystem="${subsystem##*/}"
> +                . ${f}
> +                "${subsystem}_config"
>              fi
>          done
>      fi
> @@ -490,7 +492,9 @@
>              for f in /etc/dhcp/dhclient.d/*.sh ; do
>                  if [ -x ${f} ]; then
>                      subsystem="${f%.sh}"
> -                    . ${f} "${subsystem}_restore"
> +                    subsystem="${subsystem##*/}"
> +                    . ${f}
> +                    "${subsystem}_restore"
>                  fi
>              done
>          fi  

The following line:

    subsystem="${f%.sh}"

Does the same as:

    subsystem="${subsystem##*/}"

The '.' and call to the config and restore functions are on the same line in the current script, but you break it out into separate lines.  Does this matter?

Comment 3 David Cantrell 2009-03-09 20:32:14 UTC
Correction,

    subsystem="${f%.sh}"

Gives $subsystem "ntp" as the value.  Why do I need:

    subsystem="${subsystem##*/}"

?

Comment 4 Miroslav Lichvar 2009-03-10 08:59:47 UTC
%.sh removes only the .sh suffix, ##*/ will remove /etc/dhcp/dhclient.d/ from the beginning. Using subsystem=$(basename "$f" .sh) should do the same.

As for the . command, I'm not sure what exactly is the syntax, but it doesn't work for me without the patch.
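The hook dispatch loop from the patch in comment 1, together with the `%.sh` / `##*/` expansions discussed in comments 2 to 4, as an added shell example that is not the Fedora dhclient-script or ntp.sh: it derives the subsystem name, sources each hook, and calls the phase function only when the hook defines it. The functions `hook_name`, `run_dhclient_hooks` and `make_demo_hookdir` and the hooks they build under $TMPDIR are hypothetical stand-ins for /etc/dhcp/dhclient.d.

```shell
# hook_name PATH: the "subsystem" name dhclient-script derives from a hook file.
hook_name() {
    n=${1%.sh}     # ${f%.sh} alone keeps the directory: /etc/dhcp/dhclient.d/ntp
    n=${n##*/}     # ${...##*/} drops everything up to the last slash: ntp
    printf '%s\n' "$n"
}

# run_dhclient_hooks HOOKDIR PHASE: source every executable HOOKDIR/*.sh and
# call its <name>_<PHASE> function, skipping hooks that do not define that
# phase (the patch in comment 1 calls the function unconditionally).
run_dhclient_hooks() {
    hookdir=$1; phase=$2
    for f in "$hookdir"/*.sh; do
        [ -x "$f" ] || continue
        subsystem=$(hook_name "$f")
        . "$f"
        if command -v "${subsystem}_${phase}" >/dev/null 2>&1; then
            "${subsystem}_${phase}"
        fi
    done
}

# make_demo_hookdir: constructed stand-in for /etc/dhcp/dhclient.d, built under
# $TMPDIR (hypothetical hooks, not the Fedora ntp.sh). Each hook appends the
# phase it ran to HOOKDIR/log; the directory path is printed for the caller.
make_demo_hookdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dhclient.d.XXXXXX")
    cat >"$d/ntp.sh" <<EOF
ntp_config()  { echo ntp_config  >>"$d/log"; }   # real hook: write ntp.conf, restorecon it
ntp_restore() { echo ntp_restore >>"$d/log"; }   # real hook: put the saved config back
EOF
    cat >"$d/nis.sh" <<EOF
nis_config()  { echo nis_config  >>"$d/log"; }   # config phase only, no nis_restore
EOF
    chmod +x "$d/ntp.sh" "$d/nis.sh"
    printf '%s\n' "$d"
}

# Stand-alone demo: run both phases and show which hook functions ran.
demo_dir=$(make_demo_hookdir)
run_dhclient_hooks "$demo_dir" config
run_dhclient_hooks "$demo_dir" restore
cat "$demo_dir/log"; rm -rf "$demo_dir"
```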

Comment 5 David Cantrell 2009-03-11 19:14:50 UTC
Thanks for the clarification.  Fixed in dhcp-4.1.0-12.fc11