Bug 979708

Summary: SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.
Product: Fedora
Reporter: Niki Guldbrand <niki.guldbrand>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, mgrepl, stepglenn
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-59.fc19
Doc Type: Bug Fix
Last Closed: 2013-07-07 01:32:42 UTC
Type: Bug

Description Niki Guldbrand 2013-06-29 18:11:49 UTC
SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed remove_name access on the loopstats directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                /var/log/ntpstats/loopstats [ dir ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-200.fc18.i686.PAE #1 SMP Thu Jun
                              13 19:19:30 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 08:35:56 CEST
Last Seen                     2013-06-29 08:35:56 CEST
Local ID                      1706b8ad-af02-472f-9736-6087c60280ef

Raw Audit Messages
type=AVC msg=audit(1372487756.709:60): avc:  denied  { remove_name } for  pid=651 comm="ntpd" name="loopstats" dev="dm-1" ino=524580 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1372487756.709:60): arch=i386 syscall=unlink success=no exit=EACCES a0=b81ebee0 a1=bffc3a58 a2=b7776b4c a3=b81ebee0 items=0 ppid=1 pid=651 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,dir,remove_name

Comment 1 Niki Guldbrand 2013-06-29 18:14:02 UTC
Also got this related one:

Subject: [SELinux AVC Alert] SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/peerstats

SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/peerstats.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed remove_name access on the peerstats directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                /var/log/ntpstats/peerstats [ dir ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-200.fc18.i686.PAE #1 SMP Thu Jun
                              13 19:19:30 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 08:53:58 CEST
Last Seen                     2013-06-29 08:53:58 CEST
Local ID                      af2cb2db-8417-4ee4-8394-066a1b65a6ad

Raw Audit Messages
type=AVC msg=audit(1372488838.622:65): avc:  denied  { remove_name } for  pid=670 comm="ntpd" name="peerstats" dev="dm-1" ino=524534 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1372488838.622:65): arch=i386 syscall=unlink success=no exit=EACCES a0=b86f6ee0 a1=bfa7a368 a2=b7798b4c a3=b86f6ee0 items=0 ppid=1 pid=670 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,dir,remove_name

Comment 2 Niki Guldbrand 2013-06-29 18:25:35 UTC
And another one:

SELinux is preventing /usr/sbin/ntpd from link access on the file clockstats.20130629.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed link access on the clockstats.20130629 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                clockstats.20130629 [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-301.fc19.i686.PAE #1 SMP Mon Jun
                              17 14:38:10 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 19:58:06 CEST
Last Seen                     2013-06-29 19:58:06 CEST
Local ID                      d994195f-2524-47c1-93b9-5d1154e8739b

Raw Audit Messages
type=AVC msg=audit(1372528686.420:831): avc:  denied  { link } for  pid=3279 comm="ntpd" name="clockstats.20130629" dev="dm-1" ino=525489 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=file


type=SYSCALL msg=audit(1372528686.420:831): arch=i386 syscall=link success=no exit=EACCES a0=b8693cc8 a1=b8693fc8 a2=b773fb4c a3=b8693fc8 items=0 ppid=1 pid=3279 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,file,link

Comment 3 Niki Guldbrand 2013-06-29 18:49:41 UTC
This is the current policy module I'm using right now to fix this.

module net.guldbrand.ipa_ntpd 1.0;

require {
        type ntpd_t;
        type ntpd_log_t;
        class dir remove_name;
        class file { unlink link };
}

#============= ntpd_t ==============

allow ntpd_t ntpd_log_t:dir remove_name;
allow ntpd_t ntpd_log_t:file unlink;
allow ntpd_t ntpd_log_t:file link;
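
The module above is what audit2allow builds from the raw AVC records pasted in this report: it groups every denial by (source type, target type, object class) and merges the permissions into one allow rule per group. The following script reproduces that step so the result can be checked by eye before anything is loaded with semodule. It is an added example written for this page, not code from Bugzilla, sealert or audit2allow; the six audit records are copied from the description and comments 1 and 2, while the function names and the module name ntpd_local are assumptions. It also joins each AVC record to its SYSCALL record by the audit serial number, which shows which system call was refused, and rebuilds the "Hash:" dedup key that sealert printed for each alert.

```python
"""Parse SELinux AVC denials and derive a minimal type-enforcement (TE) module.

Added example for this bug report; not Bugzilla, sealert or audit2allow code.
The audit records below are copied from the report; the function names and the
module name "ntpd_local" are assumptions made for the example.
"""
import re
from collections import defaultdict

# Sample input: the three AVC/SYSCALL pairs pasted in this bug (copied verbatim).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1372487756.709:60): avc:  denied  { remove_name } for  pid=651 comm="ntpd" name="loopstats" dev="dm-1" ino=524580 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1372487756.709:60): arch=i386 syscall=unlink success=no exit=EACCES a0=b81ebee0 a1=bffc3a58 a2=b7776b4c a3=b81ebee0 items=0 ppid=1 pid=651 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(1372488838.622:65): avc:  denied  { remove_name } for  pid=670 comm="ntpd" name="peerstats" dev="dm-1" ino=524534 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1372488838.622:65): arch=i386 syscall=unlink success=no exit=EACCES a0=b86f6ee0 a1=bfa7a368 a2=b7798b4c a3=b86f6ee0 items=0 ppid=1 pid=670 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(1372528686.420:831): avc:  denied  { link } for  pid=3279 comm="ntpd" name="clockstats.20130629" dev="dm-1" ino=525489 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372528686.420:831): arch=i386 syscall=link success=no exit=EACCES a0=b8693cc8 a1=b8693fc8 a2=b773fb4c a3=b8693fc8 items=0 ppid=1 pid=3279 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
"""

# Every audit record starts with its type and the event id "audit(<secs>:<serial>)".
HEAD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# AVC body: "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<kv>.*)$")
# key=value pairs; values are either double-quoted (comm="ntpd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_pairs(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """The type field of a security context user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return one dict per denied AVC record, joined to its SYSCALL record by serial."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        head = HEAD_RE.match(line.strip())
        if not head:
            continue  # blank line or something that is not an audit record
        serial, body = head.group("serial"), head.group("body")
        if head.group("type") == "AVC":
            m = AVC_RE.match(body)
            if not m or m.group("verdict") != "denied":
                continue
            fields = kv_pairs(m.group("kv"))
            avcs.append({
                "serial": serial,
                "perms": frozenset(m.group("perms").split()),
                "comm": fields.get("comm", ""),
                "name": fields.get("name", ""),
                "stype": context_type(fields["scontext"]),
                "ttype": context_type(fields["tcontext"]),
                "tclass": fields["tclass"],
            })
        elif head.group("type") == "SYSCALL":
            syscalls[serial] = kv_pairs(body)
    for ev in avcs:  # attach the refused system call and binary, if the SYSCALL record is present
        sc = syscalls.get(ev["serial"], {})
        ev["syscall"], ev["exe"] = sc.get("syscall"), sc.get("exe")
    return avcs


def alert_hash(ev):
    """Rebuild the 'Hash:' key from the report: comm, source type, target type, class, perms."""
    return ",".join([ev["comm"], ev["stype"], ev["ttype"], ev["tclass"], *sorted(ev["perms"])])


def generate_te(denials, module_name="ntpd_local", version="1.0"):
    """Merge denials into audit2allow-style rules, one per (source type, target type, class)."""
    rules = defaultdict(set)  # (stype, ttype, tclass) -> merged permissions
    for ev in denials:
        rules[(ev["stype"], ev["ttype"], ev["tclass"])] |= ev["perms"]
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)  # tclass -> permissions listed in the require block
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms

    def perm_set(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_set(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {perm_set(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    events = parse_denials(SAMPLE_AUDIT_LOG)
    for ev in events:
        print(f"{ev['serial']}: {ev['comm']} ({ev['exe']}) syscall={ev['syscall']} "
              f"{ev['stype']} -> {ev['ttype']}:{ev['tclass']} {sorted(ev['perms'])} name={ev['name']}")
        print("  Hash:", alert_hash(ev))
    print(generate_te(events))
```

Run on the records from this report the script emits only `allow ntpd_t ntpd_log_t:dir remove_name;` and `allow ntpd_t ntpd_log_t:file link;`, one rule fewer than the module in comment 3. That gap is expected: the kernel checks `remove_name` on the directory before `unlink` on the file and stops at the first denial, so the `file unlink` denial only surfaces once the directory permission has been granted, which is why these modules tend to be built up over several rounds (the `{ read write unlink link }` set in comment 6 is the same merging carried one step further). Before loading any such module it is worth checking two things the generator cannot: that the target type is the one the object should carry (here `ntpd_log_t` is ntpd's own log type, so the missing permissions were a genuine policy gap rather than a mislabelled file), and whether the distribution policy already carries the fix, as selinux-policy-3.12.1-59.fc19 did for this bug.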

Comment 4 Fedora Update System 2013-07-03 19:49:44 UTC
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19

Comment 5 Fedora Update System 2013-07-05 02:13:26 UTC
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
then log in and leave karma (feedback).

Comment 6 stepglenn 2013-07-06 01:36:07 UTC
(In reply to Niki Guldbrand from comment #3)
I also needed a similar policy module, BUT with these additions:

require {
	type ntpd_t;
	type ntpd_log_t;
	class dir remove_name;
	class file { read write unlink link };
}

#============= ntpd_t ==============
allow ntpd_t ntpd_log_t:dir remove_name;
allow ntpd_t ntpd_log_t:file { read write unlink link };


> This is the current policy module I'm using right now to fix this.
> 
> module net.guldbrand.ipa_ntpd 1.0;
> 
> require {
>         type ntpd_t;
>         type ntpd_log_t;
>         class dir remove_name;
>         class file { unlink link };
> }
> 
> #============= ntpd_t ==============
> 
> allow ntpd_t ntpd_log_t:dir remove_name;
> allow ntpd_t ntpd_log_t:file unlink;
> allow ntpd_t ntpd_log_t:file link;

Comment 7 stepglenn 2013-07-06 01:46:18 UTC
The selinux-policy-3.12.1-59.fc19 testing update seems to fix all my issues with this issue. No need for a "local" policy module.

Comment 8 Fedora Update System 2013-07-07 01:32:42 UTC
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.