Bug 1114157 - SELinux is preventing /usr/sbin/ntpd access on under /var/spool/ntp/stats
Summary: SELinux is preventing /usr/sbin/ntpd access on under /var/spool/ntp/stats
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ntp
Version: 6.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-27 23:05 UTC by Sidney Sedlak
Modified: 2014-07-31 16:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-31 16:40:12 UTC
Target Upstream Version:
Embargoed:



Description Sidney Sedlak 2014-06-27 23:05:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):4.2.6p5


How reproducible: Set SELinux to enforcing and restart ntpd or watch /var/log/messages


Steps to Reproduce:
1. setenforce 1
2. service ntpd restart
3. tail -f /var/log/messages

Actual results:
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/loopstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/loopstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied
ntpd[29411]: stat(/var/spool/ntp/stats/rawstats.dat) failed: Permission denied
ntpd[29411]: can't open /var/spool/ntp/stats/rawstats.dat.20140627: Permission denied


Expected results:
No permission denied messages, and the statistics data are created under /var/spool/ntp/stats

Additional info:
Audit2allow reports this:
# cat /var/log/audit/audit.log |audit2allow -m ntpd

module ntpd 1.0;

require {
        type ntpd_t;
        type var_spool_t;
        class dir { write remove_name add_name };
        class file { rename link create open };
}

#============= ntpd_t ==============
#!!!! The source type 'ntpd_t' can write to a 'dir' of the following types:
# tmpfs_t, ntp_drift_t, ntpd_tmpfs_t, var_run_t, var_log_t, ntpd_var_run_t, ntpd_tmp_t, ntpd_log_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow ntpd_t var_spool_t:dir { write remove_name add_name };
allow ntpd_t var_spool_t:file { rename open create link };

Comment 2 Milos Malik 2014-06-30 10:03:56 UTC
Is the /var/spool/ntp/stats/ directory used for this purpose by default? What about /var/lib/ntp/stats/ directory?

Comment 3 Miroslav Grepl 2014-06-30 10:34:59 UTC
What does

# rpm -qf /var/spool/ntp/stats

Comment 5 Sidney Sedlak 2014-06-30 19:42:11 UTC
Hi,

this is completely strange, because the command said that /var/spool/ntp/stats is not owned by any package. /var/lib/ntp/stats doesn't exist at all; the only item owned by the ntp package under /var/lib/ntp is a file called 'drift'.

We use the /var/spool/ntp/stats as long as I remember and it worked, I never saw the SELinux error before.

What's the recommended solution here? Shall we change the configuration to /var/lib/ntp/stats as Milos proposes, or could /var/spool/ntp/stats be used instead? In either case, the directory should be maintained by the ntp package with the correct SELinux context.

BTW, what sounds more appropriate for stats files: /var/lib as the "application state" place, or /var/spool as the "spool files for further processing" place, if we talk about what's specified in the FHS?

Comment 6 Milos Malik 2014-07-01 07:50:39 UTC
To make the situation even more confusing :-)

# rpm -qf /var/log/ntpstats/
ntp-4.2.6p5-1.el6.x86_64
# matchpathcon /var/log/ntpstats/
/var/log/ntpstats	system_u:object_r:ntpd_log_t:s0
# sesearch -s ntpd_t -t ntpd_log_t -c dir -A -C
Found 2 semantic av rules:
   allow daemon logfile : dir { getattr search open } ; 
   allow ntpd_t ntpd_log_t : dir { ioctl read write getattr setattr lock add_name remove_name search open } ; 
# sesearch -s ntpd_t -t ntpd_log_t -c file -A -C
Found 4 semantic av rules:
   allow ntpd_t logfile : file { getattr append } ; 
   allow daemon logfile : file { ioctl getattr lock append open } ; 
   allow ntpd_t ntpd_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow application_domain_type logfile : file { getattr append } ; 
#

SELinux wouldn't complain if the data files mentioned in comment#0 were created and stored in /var/log/ntpstats/ directory.
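The reasoning in this comment (look up the type a path would be labelled with, then check which permissions policy grants the ntpd_t domain on that type) can be turned into a small triage script. The following is an added example, not code from the bug report or from the ntp or selinux-policy projects. It transcribes the two ntpd_t/ntpd_log_t allow rules from the sesearch output above and the labels named in the thread into constructed tables; the label table and its longest-prefix matching are a deliberate simplification of real file_contexts regex matching, the entries for /var and /var/lib/ntp are hypothetical, and the sample ntp.conf fragments and syslog lines are constructed from what the report describes:

```python
"""Triage helper: would ntpd_t be allowed to write statistics files under statsdir?

Added example for this bug thread; not part of ntp or selinux-policy.
The policy and label data below are constructed from the thread, not read
from a live system, so results only illustrate the type-enforcement logic.
"""
import posixpath
import re

# Constructed stand-in for `matchpathcon` output (assumption: real policy uses
# regex file contexts; here the longest matching path prefix wins).
FILE_CONTEXTS = {
    "/var/log/ntpstats": "ntpd_log_t",  # matchpathcon result quoted in comment 6
    "/var/spool": "var_spool_t",        # target type named in the audit2allow output
    "/var/lib/ntp": "ntp_drift_t",      # hypothetical entry for illustration
    "/var": "var_t",                    # hypothetical entry for illustration
}

# Allow rules transcribed from the sesearch output in comment 6:
# (source type, target type, object class) -> granted permissions.
ALLOW_RULES = {
    ("ntpd_t", "ntpd_log_t", "dir"): {
        "ioctl", "read", "write", "getattr", "setattr", "lock",
        "add_name", "remove_name", "search", "open"},
    ("ntpd_t", "ntpd_log_t", "file"): {
        "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
        "append", "unlink", "link", "rename", "open"},
}

# Permissions ntpd needs to create and rotate a stats file; these are exactly
# the ones audit2allow flagged in the bug description.
NEEDED = {
    "dir": {"write", "add_name", "remove_name"},
    "file": {"create", "open", "rename", "link"},
}

COMPILED_IN_DEFAULT = "/var/log/ntpstats/"  # per comment 10 (ntp.spec)


def label_for(path):
    """Return the SELinux type the path would be labelled with (longest prefix wins)."""
    p = path.rstrip("/")
    candidates = [k for k in FILE_CONTEXTS if p == k or p.startswith(k + "/")]
    return FILE_CONTEXTS[max(candidates, key=len)] if candidates else "unlabeled_t"


def missing_permissions(src, path):
    """Return (target type, {class: perms not granted}) for src writing stats under path."""
    tgt = label_for(path)
    missing = {}
    for cls, perms in NEEDED.items():
        lacking = perms - ALLOW_RULES.get((src, tgt, cls), set())
        if lacking:
            missing[cls] = lacking
    return tgt, missing


def statsdir_from_conf(conf_text):
    """Extract the statsdir directive from ntp.conf text; fall back to the compiled-in default."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"statsdir\s+(\S+)", line)
        if m:
            return m.group(1)
    return COMPILED_IN_DEFAULT


def check_conf(conf_text):
    """Report whether ntpd_t could write its statistics under the configured statsdir."""
    path = statsdir_from_conf(conf_text)
    tgt, missing = missing_permissions("ntpd_t", path)
    return {"statsdir": path, "type": tgt, "ok": not missing, "missing": missing}


def denied_dirs(log_text):
    """Collect the directories behind 'Permission denied' lines in ntpd syslog output."""
    dirs = set()
    for line in log_text.splitlines():
        if "Permission denied" not in line:
            continue
        m = re.search(r"(/[^\s):]+)", line)  # path ends at ')' or ':' in ntpd's messages
        if m:
            dirs.add(posixpath.dirname(m.group(1)))
    return dirs


# Constructed samples modelled on the report.
CONF_REPORTED = "driftfile /var/lib/ntp/drift\nstatsdir /var/spool/ntp/stats/\nstatistics loopstats peerstats\n"
CONF_FIXED = "driftfile /var/lib/ntp/drift\nstatsdir /var/log/ntpstats/\nstatistics loopstats peerstats\n"
LOG_SAMPLE = (
    "ntpd[29411]: stat(/var/spool/ntp/stats/peerstats.dat) failed: Permission denied\n"
    "ntpd[29411]: can't open /var/spool/ntp/stats/peerstats.dat.20140627: Permission denied\n"
    "ntpd[29411]: stat(/var/spool/ntp/stats/loopstats.dat) failed: Permission denied\n"
)

if __name__ == "__main__":
    print("denied under:", sorted(denied_dirs(LOG_SAMPLE)))
    for name, conf in (("reported", CONF_REPORTED), ("fixed", CONF_FIXED)):
        print(name, check_conf(conf))
```

On a live RHEL 6 host the two constructed tables would be replaced by the output of `matchpathcon` and `sesearch -s ntpd_t -A`; the point of the script is the decision itself: the configured statsdir is labelled var_spool_t, no rule grants ntpd_t the dir or file permissions on that type, so every stat() and open() is denied, whereas the same check passes for /var/log/ntpstats because it is labelled ntpd_log_t.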

Comment 7 Miroslav Grepl 2014-07-01 08:48:49 UTC
Miroslav,
any idea why it tries to access /var/spool/ntp/stats?

Comment 8 Miroslav Lichvar 2014-07-01 09:49:53 UTC
I guess "statsdir /var/spool/ntp/stats/" is present in their ntp.conf. The compiled-in default value is /var/spool/ntpstats/.

I'm not sure if it makes sense to try to support non-default locations.

Comment 9 Miroslav Lichvar 2014-07-01 09:55:16 UTC
Correction, the compiled-in default value is actually /var/log/ntp/stats. This didn't change for a very long time.

Comment 10 Miroslav Lichvar 2014-07-01 09:57:47 UTC
Erm, it's /var/log/ntpstats/, no slash between ntp and stats. Sorry for the noise.

It's set in ntp.spec by this line:

echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h

Comment 11 Sidney Sedlak 2014-07-01 11:28:13 UTC
That's correct, the spool path is set in our ntp.conf, yet without any issues until now.

To be honest, I would understand the /var/lib or /var/spool, but why /var/log/? And I checked the upstream and they use /var/log/ntp for the statsfiles, to make it even more confusing.

So, back to my question: shall we change to the officially supported /var/log/ntpstats, or do you think it may be worth checking a bit further what the standard location is?

Comment 12 Sidney Sedlak 2014-07-31 14:14:27 UTC
We changed stats location to /var/log/ntpstats/ and it's working, so this ticket may be closed.

Comment 13 Miroslav Lichvar 2014-07-31 16:40:12 UTC
Ok, let's close this.

The upstream default value for statsdir is /var/NTP, but that would not be a very good place for the files. It seems /var/log/ntpstats was used for this in various Linux distributions for a very long time now.

