Bug 491585

Summary: Problem with (ntpd_t).
Product: [Fedora] Fedora Reporter: Tenshi <tenshi.lvrz>
Component: ntpAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 10CC: dwalsh, mgrepl, mlichvar, pertusus
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-18 13:40:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tenshi 2009-03-23 06:59:48 UTC 
This is an error that showed up in the "SE Linux Troubleshooter"... The error has not happened again, so far, but maybe is a good idea to send it to you guys to make Linux better than it already is. Linux ROCKS Windows DROOLS!



Summary:

SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ntpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          angel.laptop
Source RPM Packages           ntp-4.2.4p6-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     angel.laptop
Platform                      Linux angel.laptop 2.6.27.19-170.2.35.fc10.x86_64
                              #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 08 Mar 2009 05:07:54 PM CDT
Last Seen                     Sun 08 Mar 2009 05:07:54 PM CDT
Local ID                      c281bdd8-a086-46d3-af37-5d08303f5446
Line Numbers                  

Raw Audit Messages            

node=angel.laptop type=AVC msg=audit(1236550074.471:89): avc:  denied  { read write } for  pid=9016 comm="ntpd" path="socket:[164570]" dev=sockfs ino=164570 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=angel.laptop type=SYSCALL msg=audit(1236550074.471:89): arch=c000003e syscall=59 success=yes exit=0 a0=12fc4d0 a1=12fb360 a2=12fccb0 a3=8 items=0 ppid=9015 pid=9016 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-03-31 15:06:38 UTC 
Are you using Konsole?  Kde is leaking file descriptors, if you ran a command like service ntpd restart or run an rpm/yum transaction from a Konsole that restarted ntpd you could see an AVC like this.  

I will reassign to kde if you confirm you used the Konsole.
Comment 2 Tenshi 2009-04-01 17:14:38 UTC 
I use GNOME.
Comment 3 Daniel Walsh 2009-04-01 19:01:53 UTC 
Most likely happened when using a gui or consolehelper.


Miroslav add

In init.te 
userdom_dontaudit_rw_stream(daemon)


In userdomain.if

########################################
## <summary>
##	Do not audit attempts to read and write
##	unserdomain stream.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_stream',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
')
Comment 4 Bug Zapper 2009-11-18 12:47:53 UTC 
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Miroslav Grepl 2009-11-18 13:40:30 UTC 
I have already fix this in F10 selinux-policy.