From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040211 Firefox/0.8

Description of problem:
In the ntpd init script it does:
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
The $drop string contains: -U ntp
This works fine on the standard Redhat kernel. On a kernel without SE Linux turned on it fails.
debug.5:May 25 17:36:11 smirl ntpdate[3384]: cap_set_proc failed.
debug.5:May 25 17:36:12 smirl ntpd[3389]: cap_set_proc failed.
Workaround is to remove $dropstr on non-SE kernels.

Version-Release number of selected component (if applicable):
ntp-4.2.0-8

How reproducible:
Always
IIRC, this can be done with a non-selinux-enabled kernel, but CAP_SETPCAP may need to have been unmasked in the kernel source (include/linux/capability.h iirc). If you test, you'll probably want to test for the presence of capability flags, rather than for specific patches.
does loading the 'capability' module solve your problem?
see #101393
I believe the 'capabilities' module is a 2.4 feature. I looked around in the 2.6 tree and couldn't find anything by that name. I have the 'default' security model turned on. If I turn on 'selinux' the problem goes away. The problem is still there with kernel 2.6.8-rc1. I suspect ntpd -U is using a SELinux feature that is not there in a standard kernel. To change your kernel security mode, make xconfig, select security, select enable different security mode, pick default instead of se.
Capabilities are present in the kernel 2.6 and are essential for Red Hat's security model. Without capabilities ntp cannot drop root rights, so you have to remove the command line parameters yourself. Sorry!
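As an added example (not code from this bug report or from ntp itself), the following C program does what the two comments above describe: it first probes whether the kernel exposes the capability API at all, which works as any user, and then, only when run as root, replays the same privilege drop that "ntpd -U ntp" performs, so a cap_set_proc-style failure shows up as the errno of the capset step. It uses the raw capget/capset syscalls rather than libcap so it builds without -lcap; the function names and the use of CAP_SYS_TIME as the retained capability are assumptions.

```c
/* Added example: probe the capability API, then replay the ntpd "-U user"
 * privilege drop with raw syscalls (no libcap). Helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* capget() needs no privilege, so any user can check that the kernel's
 * capability API is present. Returns 0 if it is, otherwise the errno. */
int probe_capability_api(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : errno;
}

/* The ntpd -U sequence: keep capabilities across setuid, switch to the
 * unprivileged user, then keep only CAP_SYS_TIME. Returns 0 on success or
 * the errno of the failing step; EPERM from capset is the "cap_set_proc
 * failed" case seen in this bug. Needs root to get past setuid(). */
int drop_to_user_keep_sys_time(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return ENOENT;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return errno;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return errno;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].effective = CAP_TO_MASK(CAP_SYS_TIME);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].permitted = CAP_TO_MASK(CAP_SYS_TIME);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : errno;
}

int main(void)
{
    int rc = probe_capability_api();
    printf("capability API: %s\n", rc == 0 ? "present" : strerror(rc));
    if (geteuid() == 0) {   /* the drop itself only makes sense as root */
        rc = drop_to_user_keep_sys_time("ntp");
        printf("drop to ntp: %s\n", rc == 0 ? "ok" : strerror(rc));
    }
    return 0;
}
```

Run it as root on the affected kernel and the second line reports which step fails, which is the check the init script would need before deciding whether to pass $dropstr.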