Bug 662523

Summary: SELinux is preventing /usr/sbin/ntpd "read" access on /etc/samba/smb.conf.
Product: [Fedora] Fedora Reporter: Rodolfo Ferrari <rferrari>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl, mlichvar, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5a95b647b9ff002ad12e9a13e1f796b1b840ca664409b5b6565ef64525cde0ac
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-27 08:50:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ntp.conf configuration file.
none
ntpd read access on samba.conf alert message
none
ntpd strace output none

Description Rodolfo Ferrari 2010-12-13 01:04:27 UTC
Summary:

SELinux is preventing /usr/sbin/ntpd "read" access on /etc/samba/smb.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:samba_etc_t:s0
Target Objects                /etc/samba/smb.conf [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntp-4.2.6p3-0.1.rc10.fc14
Target RPM Packages           samba-common-3.5.6-71.fc14
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.9-64.fc14.i686 #1 SMP Fri Dec 3 12:35:42
                              UTC 2010 i686 i686
Alert Count                   10
First Seen                    Sun 12 Dec 2010 11:05:25 AM MST
Last Seen                     Sun 12 Dec 2010 04:59:14 PM MST
Local ID                      03178ac0-1ad8-4772-a6a3-76c9293173c3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1292198354.842:10): avc:  denied  { read } for  pid=1598 comm="ntpd" name="smb.conf" dev=dm-0 ino=395518 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1292198354.842:10): avc:  denied  { open } for  pid=1598 comm="ntpd" name="smb.conf" dev=dm-0 ino=395518 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1292198354.842:10): arch=40000003 syscall=5 success=yes exit=5 a0=be2780 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)



Hash String generated from  catchall,ntpd,ntpd_t,samba_etc_t,file,read
audit2allow suggests:

#============= ntpd_t ==============
allow ntpd_t samba_etc_t:file { read open };

Comment 1 Miroslav Grepl 2010-12-13 14:26:24 UTC
Did you setup ntp and samba to work together?

Could you attach your ntp.conf?

Comment 2 Rodolfo Ferrari 2010-12-13 19:26:12 UTC
Created attachment 468460 [details]
ntp.conf configuration file.

(In reply to comment #1)
> Did you setup ntp and samba to work together?
> 
> Could you attach your ntp.conf?

No, I just checked off "Synchronize date and time over the network" on the "Adjust Date and Time" tab.

The error appeared right away, later on, I added a new NTP server (my LAN's Windows 2003 DC) since I configured Winbind and join the Linux workstation with AD.

Attached is the ntp.conf file.

Comment 3 Miroslav Grepl 2010-12-14 13:12:12 UTC
Mirku,
what do you think? It looks legitimate.

Comment 4 Miroslav Lichvar 2010-12-14 13:30:23 UTC
I don't see where is this coming from, ntpd doesn't seem to have any code that would read smb.conf.

Can you please attach output of ntpd started in strace for few minutes?

strace -eopen /usr/sbin/ntpd -n -u ntp:ntp

Comment 5 Daniel Walsh 2010-12-14 13:53:46 UTC
Winbind?

Comment 6 Simo Sorce 2010-12-14 14:28:29 UTC
not necessarily, today ntpd comes with code to allow it to sign packets, needed for samba4 AD servers.
nss_winbindd and pam_winbindd iirc do not read smb.conf directly.
Let me check the code, I'll get back to you if I find anything relevant.

Comment 7 Rodolfo Ferrari 2010-12-15 03:42:09 UTC
Created attachment 468759 [details]
ntpd read access on samba.conf alert message

Not sure if this is related to this bug, this error has happened a couple of times.

Comment 8 Rodolfo Ferrari 2010-12-15 03:45:33 UTC
Created attachment 468760 [details]
ntpd strace output

As requested, attached is the output of the ntpd's strace.   I gave it 5 mins .. it only opened files during the first minute after that there was no more output.

Let me know if we need the log for a longer period of time.

Comment 9 Daniel Walsh 2011-05-26 20:25:28 UTC
Is this fixed in the current release.