Bug 966253
Summary: | SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.
---|---
Product: | [Fedora] Fedora
Component: | anaconda
Version: | 19
Hardware: | x86_64
OS: | Unspecified
Status: | CLOSED WONTFIX
Severity: | unspecified
Priority: | unspecified
Reporter: | markleeuw
Assignee: | Brian Lane <bcl>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | anaconda-maint-list, awilliam, BobLfoot, daniel.bossert, dan.mashal, dominick.grift, dshea, dwalsh, g.kaviyarasu, hdegoede, john.sincock, jonathan, mgrepl, mkolman, munawar.ahmed, NandishBhatt.143, pertusus, ryanj, sbueno, vanmeeuwen+fedora
Whiteboard: | abrt_hash:cdc02a6698222e8c88077c552f998186bd15314937e314a2515426b5a04b58ef AcceptedFreezeException
Doc Type: | Bug Fix
Last Closed: | 2014-02-01 01:14:43 UTC
Bug Blocks: | 834091

Description
markleeuw
2013-05-22 21:07:04 UTC
Description of problem:
This was caused by enabling ntpdate through the F19 installation GUI, plus manually typing in "clock.redhat.com" as an NTP source. Which, now I look at it, seems to have been dropped on the floor. :(

Additional info:
reporter: libreport-2.1.4
hashmarkername: setroubleshoot
kernel: 3.9.4-300.fc19.x86_64
type: libreport

Hello,
I did not enter anything manually as an additional NTP source. This must have been automatic.
Regards,
Daniel

Are you doing a live install? I see these AVCs logged in a boot.iso install, but we run with selinux permissive so they are not fatal. Either ntpdate needs to stop trying to touch /dev/mapper/control (why would they need to?) or the selinux rules need to be updated.

Description of problem:
Fresh Install F19-i386-Final-TC1

Additional info:
reporter: libreport-2.1.4
hashmarkername: setroubleshoot
kernel: 3.9.4-300.fc19.i686.PAE
type: libreport

Nominating for freeze exception. If this was in a release blocking DE it would be a final release blocker, thus it qualifies as freeze exception.

ntpdate doesn't touch /dev/mapper/control and its code hasn't changed in a long time. This looks more like a leaked file descriptor coming from the process which runs ntpdate. Reassigning back to anaconda.

Yes, this has nothing to do with ntpdate other than it is being passed a fd open to /dev/mapper/control and SELinux is shutting it down. This is probably the lvm code used in anaconda leaking a file descriptor.

Discussed at 2013-06-10 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-10/f19final-blocker-review-4.2013-06-10-16.01.log.txt . If this occurred on a GNOME or KDE (release-blocking desktop) live install on a fairly 'normal' path through the installer it may well constitute a release blocking issue, so if anyone can reliably reproduce on GNOME or KDE, please speak up. For now we did a quick test of a TC2 GNOME install and did not hit the AVC.
With the number of reports on this bug, though, we at least accept it as a freeze exception issue; AVCs during install look really bad and should be fixed when possible. If the fix is too complex, though, we may have to live with it.

The way the date/time spoke is written currently depends on using os.system for the ntpdate call. This isn't likely to be changed this late in F19.

Created attachment 760338
stop leaking file descriptors

Created attachment 760339
stop using os.system

This patch causes problems with the date/time screen. It blocks on completion of the ntpdate execution. We need to rethink how we're doing things in this spoke.
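
The diagnosis in the comments above (a descriptor opened in the installer process and inherited by the child started through `os.system`) can be reproduced in isolation. This is an added example, not code from anaconda or from the attached patches; a temporary file stands in for `/dev/mapper/control` and all helper names are hypothetical.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Child program: exit 0 if the fd number in argv[1] is open, 3 if it is not.
PROBE = "import os,sys\ntry:\n os.fstat(int(sys.argv[1]))\nexcept OSError:\n sys.exit(3)"

def probe_argv(fd):
    return [sys.executable, "-c", PROBE, str(fd)]

def leaked_via_os_system(fd):
    """Run the probe through os.system(); True if the child inherited fd."""
    cmd = " ".join(shlex.quote(arg) for arg in probe_argv(fd))
    return os.WEXITSTATUS(os.system(cmd)) == 0

def leaked_via_subprocess(fd):
    """Run the probe with subprocess, which closes fds >= 3 in the child."""
    return subprocess.run(probe_argv(fd), close_fds=True).returncode == 0

def open_inheritable(path):
    """Open path read/write and leave it inheritable across exec.

    Python >= 3.4 creates non-inheritable fds (PEP 446); the flag is set
    here to mimic the Python 2 behaviour of the F19 era (assumption).
    """
    fd = os.open(path, os.O_RDWR)
    os.set_inheritable(fd, True)
    return fd

def demo():
    # Constructed stand-in for /dev/mapper/control.
    with tempfile.NamedTemporaryFile() as stand_in:
        fd = open_inheritable(stand_in.name)
        try:
            results = {
                "os.system": leaked_via_os_system(fd),
                "subprocess close_fds": leaked_via_subprocess(fd),
            }
            os.set_inheritable(fd, False)  # close-on-exec at the source
            results["os.system after cloexec"] = leaked_via_os_system(fd)
        finally:
            os.close(fd)
    return results

if __name__ == "__main__":
    for how, leaked in demo().items():
        print(f"{how}: {'fd LEAKED to child' if leaked else 'fd not visible'}")
```

The two clean results correspond to the two directions named by the attachments: mark the descriptor close-on-exec where it is opened, or launch the helper in a way that does not pass unrelated descriptors on.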

Description of problem:
fresh install of fedora 19 with MATE wm produces SELinux errors

Additional info:
reporter: libreport-2.1.4
hashmarkername: setroubleshoot
kernel: 3.9.2-301.fc19.x86_64
type: libreport

Description of problem:
Installed F-19 tc2 arm, enabled ntp, logged into an xfce session, then had this selinux alert waiting for me.

Additional info:
reporter: libreport-2.1.4
hashmarkername: setroubleshoot
kernel: 3.4.43.sun5i+
type: libreport

Description of problem:
during compiling a java library simple-xml 2.7.1 (http://simple.sourceforge.net/)

Additional info:
reporter: libreport-2.1.6
hashmarkername: setroubleshoot
kernel: 3.10.9-200.fc19.i686
type: libreport

We no longer use ntpdate.

Brilliant. Please allow me to withdraw all my past criticism of Red Hat's bug resolution methodology. I see from this bug report, that in fact, if you ignore a problem for long enough it actually may just go away. Red Hat's approach is vindicated. I am humbled & apologetic. Well done everybody.