Up to date Rawhide as of today (ntp-4.2.0.a.20040617-8, selinux-policy-targeted-1.23.12-4, dhclient-3.0.2-9): dhclient tries to update ntp.conf and step-tickers based on the info it gets from the DHCP server, but SELinux doesn't seem happy with that:

Apr 24 05:42:48 gk012 dhclient: DHCPREQUEST on eth1 to 192.168.2.41 port 67
Apr 24 05:42:48 gk012 dhclient: DHCPACK from 192.168.2.41
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): avc: denied { unlink } for pid=18276 exe=/bin/mv name=ntp.conf.predhclient dev=hda2 ino=5816838 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): syscall=38 exit=-13 a0=bffbdc1d a1=bffbdc2b a2=8057284 a3=0 items=2 pid=18276 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=0 name=/etc/ntp.conf inode=5815617 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=1 name=/etc/ntp.conf.predhclient inode=5815617 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): avc: denied { unlink } for pid=18281 exe=/bin/mv name=step-tickers.predhclient dev=hda2 ino=5817166 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): syscall=38 exit=-13 a0=bf94fc0d a1=bf94fc23 a2=8057284 a3=0 items=2 pid=18281 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=0 name=/etc/ntp/step-tickers inode=5816664 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=1 name=/etc/ntp/step-tickers.predhclient inode=5816664 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:49 gk012 dhclient: bound to 192.168.2.248 -- renewal in 8383 seconds.
You have some badly labeled files.

restorecon -R -v /etc

Should clear this up.

Dan
I have done "/sbin/fixfiles relabel /" as well as "touch /.autorelabel && reboot" every now and then, but after a while the problem just seems to resurface. None of these avc denied messages today after doing the latter (/.autorelabel) operation some 7 hours ago, though; will keep an eye on it.
It's been a week since I've seen these messages, so assuming fixed.
Well, there you go, the problem has resurfaced. Should have knocked wood. I saw these errors again on shutdown, and at reboot, after "starting xinitd", a message from awk scrolled by, saying /etc/ntp.conf doesn't exist. And behold, I no longer have /etc/ntp.conf or /etc/ntp/step-tickers. Only /etc/ntp.conf.predhclient and /etc/ntp/step-tickers.predhclient are there.

ntp-4.2.0.a.20040617-8
dhclient-3.0.2-11
selinux-policy-targeted-1.23.14-2
What avc messages did you get? I have not seen this. Dan
See the initial comment in this bug report for the avc messages.
So the question is how did step-tickers.predhclient get mislabeled again? Looks like you did some kind of relabel. There is a bug in the file contexts; 1.23.15-4 will have the fix. < --- nsapolicy/file_contexts/program/ntpd.fc 2005-02-24 14:51:09.000000000 -0500 < +++ policy-1.23.15/file_contexts/program/ntpd.fc 2005-05-10 12:00:21.000000000 -0400 < @@ -1,7 +1,7 @@ < /var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t < /etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t < /etc/ntp(d)?\.conf(.sv)? -- system_u:object_r:net_conf_t < -/etc/ntp/step-tickers -- system_u:object_r:net_conf_t < +/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t < /usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t < /usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t < /var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
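Review bot: the hunk widens only the step-tickers entry, while the ntp.conf entry in its context line, `/etc/ntp(d)?\.conf(.sv)?`, is left as is and does not match /etc/ntp.conf.predhclient; the first AVC in this report shows exactly that file sitting at the generic etc_t label, so dhclient's mv of it will keep being denied after this fix. Suggest widening that entry the same way, e.g. `/etc/ntp(d)?\.conf.*`, and while touching it, the `.` inside `(.sv)?` is unescaped and matches any single character, where `(\.sv)?` is evidently what was intended.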
Note that this problem occurs with /etc/ntp.conf(.predhclient) too. Also, should the "." in ".sv" be backslashed? Or, to follow the step-tickers change, more generally, just: /etc/ntp(d)?\.conf.*
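To make the two points above concrete, here is an added example (not code from the bug report, the dhclient package or the SELinux policy) that pulls the denied name, source type and target type out of the AVC lines quoted in the first comment, and then checks the old and patched file_contexts patterns against the file names involved with a full-path match, which is how file_contexts regexes are applied. The AVC sample lines are copied from this report with the syslog prefix trimmed; the helper names are my own.

```python
import re

# Sample input: the two AVC denials from the first comment, syslog prefix removed.
AVC_LINES = [
    "audit(1114310568.830:7359154): avc: denied { unlink } for pid=18276 exe=/bin/mv "
    "name=ntp.conf.predhclient dev=hda2 ino=5816838 scontext=user_u:system_r:dhcpc_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
    "audit(1114310569.013:7359724): avc: denied { unlink } for pid=18281 exe=/bin/mv "
    "name=step-tickers.predhclient dev=hda2 ino=5817166 scontext=user_u:system_r:dhcpc_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
]

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")

def parse_avc(line):
    """Return the denied permissions plus every key=value field of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["perms"] = m.group("perms").split()
    return fields

def mislabeled_for(lines, writer_type="dhcpc_t"):
    """Names that writer_type was denied on because they carry the generic etc_t label
    instead of a type the domain is allowed to modify (net_conf_t for dhclient)."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        if f and f["scontext"].endswith(":" + writer_type) and f["tcontext"].endswith(":etc_t"):
            hits.append(f["name"])
    return hits

# net_conf_t patterns from the ntpd.fc hunk, before and after the step-tickers change.
OLD_PATTERNS = [r"/etc/ntp(d)?\.conf(.sv)?", r"/etc/ntp/step-tickers"]
NEW_PATTERNS = [r"/etc/ntp(d)?\.conf(.sv)?", r"/etc/ntp/step-tickers.*"]

def gets_net_conf_t(path, patterns):
    """True if any pattern matches the whole path, as setfiles/matchpathcon require."""
    return any(re.fullmatch(p, path) for p in patterns)
```

Running the checks shows the patched pattern now covers step-tickers.predhclient, still leaves ntp.conf.predhclient at the /etc default, and that the unescaped dot in "(.sv)?" accepts names such as /etc/ntp.confXsv.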