Bug 141345 - ntpd avc denied with selinux targeted policy
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Brian Brock
Reported: 2004-11-30 11:20 EST by Jerome Brock
Modified: 2007-11-30 17:10 EST
CC: 2 users

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 11:57:43 EDT
Description Jerome Brock 2004-11-30 11:20:14 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041118 Firefox/1.0

Description of problem:
I get the following avc denied messages when starting ntpd with
selinux enforcing the targeted policy:

Nov 30 09:17:13 somemachine kernel: audit(1101824233.152:0): avc:  denied  { net_admin  } for  pid=4144 exe=/usr/sbin/ntpd capability=12 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
Nov 30 09:17:13 somemachine kernel: audit(1101824233.158:0): avc:  denied  { read } for  pid=4144 exe=/usr/sbin/ntpd name=cert.pem dev=sda3 ino=13239728 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

Version-Release number of selected component (if applicable):
ntp-4.2.0.a.20040617-4, selinux-policy-targeted-1.17.30-2.34

How reproducible:

Steps to Reproduce:
1. /etc/init.d/ntpd start

Actual Results:  I get the two avc messages listed above, but ntpd
seems to communicate with the server it is trying to connect to.

Expected Results:  No avc denied messages.

Additional info:
Comment 1 Harald Hoyer 2004-11-30 11:21:36 EST
Comment 2 Daniel Walsh 2004-11-30 11:58:27 EST
Fixed in selinux-policy-targeted-1_17_30-2_38
Comment 3 Steve Snyder 2005-04-01 08:00:29 EST
Either this problem has not been totally fixed, or I have a very similar
problem.  On RHEL4 I got this today on the monthly rotation of my ntpd.log file:

Apr  1 03:04:38 nemesis kernel: audit(1112342678.470:0): avc:  denied  { associate } for  pid=8156 exe=/usr/sbin/logrotate name=logrotate.mWsc2L scontext=root:object_r:ntpd_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Apr  1 03:04:38 nemesis logrotate: ALERT exited abnormally with [1]

This resulted in the log file being rotated correctly (ntpd.log --> ntpd.log.1
and a new ntpd.log created), but the NTPD service refusing to restart.  Besides
the logrotate notice above I was sent an e-mail informing me of the postrotate

# cat /etc/logrotate.d/ntp
/var/log/ntp.log {
        postrotate
                service ntpd restart
        endscript
}

This is with a fully updated RHEL4 system, including package

When I ran the "service ntpd restart" service manually no problems were seen.
Comment 4 Daniel Walsh 2005-04-01 14:13:50 EST
This looks like logrotate tried to write the log file to a tmpfs file system,
which policy does not allow.   Any idea what it is trying to do?

Comment 5 Orion Poplawski 2005-05-16 12:31:33 EDT
I'm seeing the logrotate issue as well.  On our systems /tmp is a tmpfs
filesystem.  Surely logrotate should be able to write to /tmp?  Perhaps a
boolean is needed?
Comment 6 Daniel Walsh 2005-05-16 14:41:28 EDT
Could you update to the latest policy and see if this fixes the problem?
Comment 7 Jerome Brock 2005-05-16 15:00:02 EDT
My original issue has been resolved.
Now using selinux-policy-targeted-1.17.30-2.96
Comment 8 Orion Poplawski 2005-05-16 15:22:31 EDT
I'm running selinux-policy-targeted-1.17.30-3.2 on FC3 which I believe is the
latest for FC3.  Sorry to continue to hijack the original bug.
Comment 9 Daniel Walsh 2005-05-16 17:53:20 EDT
What avc messages are you seeing?

Comment 10 Orion Poplawski 2005-05-16 19:24:30 EDT
Similar to comment #3

May 15 04:31:18 wind kernel: audit(1116153078.592:0): avc:  denied  { associate } for  pid=19837 exe=/usr/sbin/logrotate name=logrotate.EZ3Wrp scontext=user_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t
May 15 04:31:24 wind kernel: audit(1116153084.039:0): avc:  denied  { associate } for  pid=19837 exe=/usr/sbin/logrotate name=logrotate.SUopOx scontext=user_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t
May 15 04:31:24 wind kernel: audit(1116153084.051:0): avc:  denied  { associate } for  pid=19837 exe=/usr/sbin/logrotate name=logrotate.Ew8It8 scontext=system_u:object_r:mysqld_log_t tcontext=system_u:object_r:tmpfs_t
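The three kinds of denial quoted in this bug (the description's capability check, which carries no tclass= field at all, the read on a lnk_file, and the filesystem associate denials of comments 3 and 10) can be turned into allow rules mechanically, which is what audit2allow does. The point worth seeing is that the associate denial is not a file-access denial: it means a file labelled ntpd_log_t (or var_log_t, mysqld_log_t) was created on a filesystem of type tmpfs_t, which is exactly comment 4's reading. The Python below is an added example written for this page, not code from the bug report or from the selinux-policy or logrotate packages. SAMPLE_LOG is constructed from the report's own audit lines re-joined onto single lines, CAP_NAMES is a subset of the Linux capability numbering, and parse_avc, allow_rule and diagnose are the example's own names.

```python
"""Parse SELinux AVC denial lines of the kind quoted in this bug, emit the
allow rule that would silence each one, and give a one-line reading.
Added example for this page; not code from the bug report or from the
selinux-policy-targeted or logrotate packages."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the kernel audit lines quoted in the report, re-joined
# onto single lines as syslog writes them, plus one non-AVC line to be skipped.
SAMPLE_LOG = """\
Nov 30 09:17:13 somemachine kernel: audit(1101824233.152:0): avc:  denied  { net_admin  } for  pid=4144 exe=/usr/sbin/ntpd capability=12 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
Nov 30 09:17:13 somemachine kernel: audit(1101824233.158:0): avc:  denied  { read } for  pid=4144 exe=/usr/sbin/ntpd name=cert.pem dev=sda3 ino=13239728 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Apr  1 03:04:38 nemesis kernel: audit(1112342678.470:0): avc:  denied  { associate } for  pid=8156 exe=/usr/sbin/logrotate name=logrotate.mWsc2L scontext=root:object_r:ntpd_log_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Apr  1 03:04:38 nemesis logrotate: ALERT exited abnormally with [1]
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Subset of the Linux capability numbering; capability=12 in the report is CAP_NET_ADMIN.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
             4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
             9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
             12: "net_admin", 13: "net_raw"}


@dataclass
class AvcRecord:
    perms: List[str]        # permissions inside { ... }
    stype: str              # type field of scontext, e.g. ntpd_t
    ttype: str              # type field of tcontext, e.g. tmpfs_t
    tclass: str             # object class; inferred when the line has no tclass=
    fields: Dict[str, str]  # every key=value pair after "for"


def _type_of(context: str) -> str:
    # A context is user:role:type[:level]; the type is the third field.
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC denial line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    tclass = fields.get("tclass")
    if tclass is None and "capability" in fields:
        # The report's first line has capability=12 but no tclass= field.
        tclass = "capability"
    return AvcRecord(perms=m.group("perms").split(),
                     stype=_type_of(fields["scontext"]),
                     ttype=_type_of(fields["tcontext"]),
                     tclass=tclass or "unknown",
                     fields=fields)


def allow_rule(rec: AvcRecord) -> str:
    """The type-enforcement allow rule that would silence this denial (what audit2allow prints)."""
    target = "self" if rec.stype == rec.ttype else rec.ttype
    return f"allow {rec.stype} {target}:{rec.tclass} {{ {' '.join(rec.perms)} }};"


def diagnose(rec: AvcRecord) -> str:
    """One-line reading of the denial, covering the cases seen in this bug."""
    exe = rec.fields.get("exe", "?")
    name = rec.fields.get("name", "?")
    if rec.tclass == "capability":
        cap_no = rec.fields.get("capability")
        cap = CAP_NAMES.get(int(cap_no), "?") if cap_no is not None else "?"
        return f"{exe} ({rec.stype}) used CAP_{cap.upper()}; policy does not grant it"
    if rec.tclass == "filesystem" and "associate" in rec.perms:
        # 'associate' is not file access: a file labelled stype was created on a
        # filesystem of type ttype, and policy does not let that label live there.
        return (f"{exe} created {name} labelled {rec.stype} on a {rec.ttype} "
                f"filesystem; that label is not allowed on it")
    return f"{exe} ({rec.stype}) was denied {' '.join(rec.perms)} on {rec.tclass} {name} ({rec.ttype})"


def parse_log(text: str) -> List[AvcRecord]:
    """All AVC denials in a block of syslog text, in order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(allow_rule(rec))
        print("  #", diagnose(rec))
```

allow_rule prints what would make each denial go away; whether that is the right fix is a separate question (the report's own fix was the updated selinux-policy-targeted package), and the associate rule in particular would permit ntpd_log_t files on every tmpfs_t mount, not only logrotate's temporary copy under /tmp.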
