From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041118 Firefox/1.0

Description of problem:
I get the following avc denied messages when starting ntpd with selinux enforcing the targeted policy:

Nov 30 09:17:13 somemachine kernel: audit(1101824233.152:0): avc: denied { net_admin } for pid=4144 exe=/usr/sbin/ntpd capability=12 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
Nov 30 09:17:13 somemachine kernel: audit(1101824233.158:0): avc: denied { read } for pid=4144 exe=/usr/sbin/ntpd name=cert.pem dev=sda3 ino=13239728 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

Version-Release number of selected component (if applicable):
ntp-4.2.0.a.20040617-4, selinux-policy-targeted-1.17.30-2.34

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/ntpd start

Actual Results: I get the two avc messages listed above, but ntpd seems to communicate with the server it is trying to connect to.

Expected Results: No avc denied messages.

Additional info:
reassigning
Fixed in selinux-policy-targeted-1_17_30-2_38
Either this problem has not been totally fixed, or I have a very similar problem. On RHEL4 I got this today on the monthly rotation of my ntpd.log file:

Apr 1 03:04:38 nemesis kernel: audit(1112342678.470:0): avc: denied { associate } for pid=8156 exe=/usr/sbin/logrotate name=logrotate.mWsc2L scontext=root:object_r:ntpd_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Apr 1 03:04:38 nemesis logrotate: ALERT exited abnormally with [1]

This resulted in the log file being rotated correctly (ntpd.log --> ntpd.log.1 and a new ntpd.log created), but the NTPD service refusing to restart. Besides the logrotate notice above I was sent an e-mail informing me of the postrotate failure.

# cat /etc/logrotate.d/ntp
/var/log/ntp.log {
    monthly
    postrotate
        service ntpd restart
    endscript
}

This is with a fully updated RHEL4 system, including package selinux-policy-targeted-1.17.30.2.52.1. When I ran "service ntpd restart" manually no problems were seen.
This looks like logrotate tried to write the log file to a tmpfs file system, which policy does not allow. Any idea what it is trying to do? Dan
I'm seeing the logrotate issue as well. On our systems /tmp is a tmpfs filesystem. Surely logrotate should be able to write to /tmp? Perhaps a boolean is needed?
Could you update to the latest policy and see if this fixes the problem?
My original issue has been resolved. Now using selinux-policy-targeted-1.17.30-2.96
I'm running selinux-policy-targeted-1.17.30-3.2 on FC3 which I believe is the latest for FC3. Sorry to continue to hijack the original bug.
What avc messages are you seeing? Dan
Similar to comment #3

May 15 04:31:18 wind kernel: audit(1116153078.592:0): avc: denied { associate } for pid=19837 exe=/usr/sbin/logrotate name=logrotate.EZ3Wrp scontext=user_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
May 15 04:31:24 wind kernel: audit(1116153084.039:0): avc: denied { associate } for pid=19837 exe=/usr/sbin/logrotate name=logrotate.SUopOx scontext=user_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
May 15 04:31:24 wind kernel: audit(1116153084.051:0): avc: denied { associate } for pid=19837 exe=/usr/sbin/logrotate name=logrotate.Ew8It8 scontext=system_u:object_r:mysqld_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
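The denials in this thread are easier to read once the AVC record is split into its fields: for `tclass=filesystem` with permission `associate`, `scontext` is the label the new file would carry (here `ntpd_log_t`, `var_log_t`, `mysqld_log_t`, inherited from the log being rotated) and `tcontext` is the type of the filesystem it is being created on (`tmpfs_t`, because /tmp is tmpfs), and the check fails when policy has no `allow <label> tmpfs_t:filesystem associate` rule. The following is an added example, not code from the bug report or from the selinux-policy package: a small parser for the old `audit(...)`-style kernel-log AVC lines that explains each denial and lists the distinct (file label, filesystem type) pairs behind the `associate` failures. The sample log is constructed by copying lines posted in this thread; the function names are ours.

```python
import re

# Constructed sample: AVC lines copied from the comments above, plus the
# non-AVC logrotate ALERT line to show that it is skipped.
SAMPLE_LOG = """\
Nov 30 09:17:13 somemachine kernel: audit(1101824233.152:0): avc: denied { net_admin } for pid=4144 exe=/usr/sbin/ntpd capability=12 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
Nov 30 09:17:13 somemachine kernel: audit(1101824233.158:0): avc: denied { read } for pid=4144 exe=/usr/sbin/ntpd name=cert.pem dev=sda3 ino=13239728 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Apr 1 03:04:38 nemesis kernel: audit(1112342678.470:0): avc: denied { associate } for pid=8156 exe=/usr/sbin/logrotate name=logrotate.mWsc2L scontext=root:object_r:ntpd_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Apr 1 03:04:38 nemesis logrotate: ALERT exited abnormally with [1]
May 15 04:31:18 wind kernel: audit(1116153078.592:0): avc: denied { associate } for pid=19837 exe=/usr/sbin/logrotate name=logrotate.EZ3Wrp scontext=user_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
May 15 04:31:24 wind kernel: audit(1116153084.051:0): avc: denied { associate } for pid=19837 exe=/usr/sbin/logrotate name=logrotate.Ew8It8 scontext=system_u:object_r:mysqld_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Contexts are user:role:type[:level]; keep the type separately, since
    # policy rules are written in terms of types.
    for key in ("scontext", "tcontext"):
        if key in rec:
            parts = rec[key].split(":")
            rec[key + "_type"] = parts[2] if len(parts) >= 3 else parts[-1]
    return rec


def scan(log_text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None]


def explain(rec):
    """One-line human reading of a denial, special-casing the two kinds seen here."""
    exe = rec.get("exe", "?")
    if rec.get("tclass") == "filesystem" and "associate" in rec["perms"]:
        # For filesystem:associate the *source* is the label of the file being
        # created and the *target* is the filesystem's own type.
        return (f"{exe} tried to create {rec.get('name', '?')} labelled "
                f"{rec['scontext_type']} on a {rec['tcontext_type']} filesystem; "
                f"policy has no 'associate' rule for that pair")
    if rec.get("tclass") == "capability":
        return f"{exe} (domain {rec['scontext_type']}) was denied capability {rec['perms'][0]}"
    return (f"{exe} (domain {rec['scontext_type']}) was denied {','.join(rec['perms'])} on "
            f"{rec['tclass']} {rec.get('name', '?')} labelled {rec['tcontext_type']}")


def associate_pairs(recs):
    """Distinct (file label, filesystem type) pairs behind 'associate' denials."""
    return sorted({(r["scontext_type"], r["tcontext_type"]) for r in recs
                   if r.get("tclass") == "filesystem" and "associate" in r["perms"]})


if __name__ == "__main__":
    records = scan(SAMPLE_LOG)
    for r in records:
        print(explain(r))
    print("associate pairs:", associate_pairs(records))
```

The `associate_pairs` output is the list a practitioner would take to the policy: each pair is one missing `allow <label> tmpfs_t:filesystem associate` rule (or, as suggested above, a boolean that enables a set of them), while the `capability` and `lnk_file` denials from the original report are ordinary domain-to-object permissions on `ntpd_t`.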