Bug 732180
Summary: | ntpd + selinux + gps = problems. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Maciej Żenczykowski <zenczykowski> |
Component: | ntp | Assignee: | Miroslav Lichvar <mlichvar> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 15 | CC: | dwalsh, mgrepl, mlichvar, pertusus |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-10-27 11:33:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Maciej Żenczykowski
2011-08-20 09:55:53 UTC
It would appear that:

```
# ls -alZ /dev/gps1 /dev/ttyS1
lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps1 -> ttyS1
crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1
```

along with:

```
module mazentp 1.0;

require {
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write ioctl };
}

#============= ntpd_t ==============
allow ntpd_t tty_device_t:lnk_file read;
allow ntpd_t tty_device_t:chr_file { open read write ioctl };
```

is enough to get ntp to start with a GPS_NMEA(1) clock source.

Although of course this is a total security nightmare setup, and this should probably be done in some different way.

(I still can't actually get it to synchronize, but that's probably a totally unrelated problem.)

Okay, I got it working; it turns out you need access to the serial device for the NMEA 0183 data stream, and access to the LinuxPPS device for the PPS signal. Hence I needed:

/etc/ntp.conf includes:

```
server 127.127.20.0 mode 32 version 4 prefer minpoll 4 maxpoll 4
fudge 127.127.20.0 time1 0.000 time2 0.500 stratum 1 refid GPS flag1 1 flag2 0
```

```
# ls -alZ /dev/gps0 /dev/ttyS1 /dev/gpspps0 /dev/pps0
lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps0 -> ttyS1
crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1
lrwxrwxrwx. ntp ntp system_u:object_r:clock_device_t:s0 /dev/gpspps0 -> pps0
crw-rw-rw-. ntp ntp system_u:object_r:clock_device_t:s0 /dev/pps0

# cat /root/mazentp/mazentp.te
module mazentp 1.0;

require {
        type clock_device_t;
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write ioctl };
}

#============= ntpd_t ==============
# serial port carrying the NMEA 0183 stream (/dev/gps0 -> /dev/ttyS1)
allow ntpd_t tty_device_t:lnk_file read;
allow ntpd_t tty_device_t:chr_file { open read write ioctl };
# LinuxPPS device carrying the PPS signal (/dev/gpspps0 -> /dev/pps0)
allow ntpd_t clock_device_t:lnk_file read;
allow ntpd_t clock_device_t:chr_file { open read write ioctl };
```

Still not clear on what the permissions on those 2 symlinks and 2 devices should be... Looks like the symlinks could possibly be:

```
lrwxrwxrwx. root root system_u:object_r:device_t:s0 gps0 -> ttyS1
lrwxrwxrwx. root root system_u:object_r:device_t:s0 gpspps0 -> pps0
```

And the device nodes should perhaps be:

```
crw-rw----. root ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1
crw-rw----. root ntp system_u:object_r:clock_device_t:s0 /dev/pps0
```

Which of course would imply a slightly different SELinux configuration. Perhaps there should be 'ntp_tty_device_t', 'gps_tty_device_t' or 'ntp_clock_device_t' types???

I see the errors too. With gpsd (drivers 28 and 22) it should work, but ldattach has to be started after gpsd, or gpsd has to use the -N option. (That is a bug in the gpsd privilege dropping code.)

Also, it shouldn't be necessary to chown the devices to the ntp group; ntpd opens them before it drops root privileges.

But we still need the SELinux permissions?

F16 has dev_rw_realtime_clock(ntpd_t), so all we need to add is term_use_unallocated_ttys(ntpd_t). And then back port to F15 and RHEL6.

Added to selinux-policy-3.9.16-39.fc15
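The reporter's mazentp module is the kind of raw allow-rule set that audit2allow derives from AVC denials, and the maintainers' answer is to express the same access through reference-policy interfaces (dev_rw_realtime_clock, term_use_unallocated_ttys) instead of open-ended allow rules on generic device types. The following is an added example, not code from the bug, the reporter, or the ntp/selinux-policy packages: it does the audit2allow step by hand over constructed AVC records (the pids, inodes and timestamps are made up), emits a .te module in the same shape as mazentp.te, and then reports which rules the two interfaces named in the thread can replace. The INTERFACES table is an assumption based on those two names; the lnk_file rules are left as raw rules because, per the thread, the symlinks should simply be labelled device_t.

```python
"""Derive a minimal SELinux policy module from AVC denials, then check
which raw rules a reference-policy interface would cover.

Added example; not from the bug report or any Fedora package."""
import re
from collections import defaultdict

# Constructed sample audit records (not copied from the bug).  One record
# comes from an unrelated domain and one is not an AVC record at all, so
# the filtering below is exercised.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1313834153.123:45): avc:  denied  { read } for  pid=1234 comm="ntpd" name="gps0" dev=devtmpfs ino=5678 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=lnk_file
type=AVC msg=audit(1313834153.124:46): avc:  denied  { read write } for  pid=1234 comm="ntpd" name="ttyS1" dev=devtmpfs ino=5679 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313834153.124:47): avc:  denied  { open } for  pid=1234 comm="ntpd" path="/dev/ttyS1" dev=devtmpfs ino=5679 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313834153.125:48): avc:  denied  { ioctl } for  pid=1234 comm="ntpd" path="/dev/ttyS1" dev=devtmpfs ino=5679 ioctlcmd=0x5401 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313834153.200:49): avc:  denied  { read } for  pid=1234 comm="ntpd" name="gpspps0" dev=devtmpfs ino=5680 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=lnk_file
type=AVC msg=audit(1313834153.201:50): avc:  denied  { read write open ioctl } for  pid=1234 comm="ntpd" path="/dev/pps0" dev=devtmpfs ino=5681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313834153.400:52): avc:  denied  { read } for  pid=777 comm="sshd" name="ttyS1" dev=devtmpfs ino=5679 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1313834153.124:46): arch=c000003e syscall=2 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def collect_denials(lines, source_domain=None):
    """Merge denials into {(source, target, class): set(perms)}, optionally
    keeping only one source domain so unrelated noise is not granted."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        sdom, ttype, tclass, perms = parsed
        if source_domain and sdom != source_domain:
            continue
        rules[(sdom, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, version, rules):
    """Emit a .te module in the same shape audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {sdom} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


# Interfaces named in the thread.  Assumption: each grants read/write/open/
# ioctl on chr_file nodes of that type, so it can replace the raw rule.
INTERFACES = {
    ("tty_device_t", "chr_file"): "term_use_unallocated_ttys",
    ("clock_device_t", "chr_file"): "dev_rw_realtime_clock",
}


def suggest_interfaces(rules):
    """Return (sorted interface calls, rules that still need a raw allow)."""
    calls, leftover = [], {}
    for key, perms in rules.items():
        sdom, ttype, tclass = key
        iface = INTERFACES.get((ttype, tclass))
        if iface and perms <= {"read", "write", "open", "ioctl"}:
            calls.append(f"{iface}({sdom})")
        else:
            leftover[key] = perms
    return sorted(calls), leftover


if __name__ == "__main__":
    found = collect_denials(SAMPLE_AUDIT.splitlines(), source_domain="ntpd_t")
    print(generate_te("ntpd_gps", "1.0", found))
    calls, raw = suggest_interfaces(found)
    print("# interface calls that replace raw rules:", *calls, sep="\n")
    print("# still raw:", *(f"{k} {sorted(v)}" for k, v in raw.items()), sep="\n")
```

Filtering on the source domain matters: feeding every denial on the box to audit2allow is how unrelated domains end up with access they never needed. The leftover lnk_file rules are the signal that the symlinks are mislabelled (they should carry device_t, as the reporter suspected), not that ntpd_t needs to read tty_device_t symlinks.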