Bug 155855 - avc denied for dhclient, ntp.conf and step-tickers
Summary: avc denied for dhclient, ntp.conf and step-tickers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-04-24 20:40 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:56:39 UTC
Type: ---
Embargoed:



Description Ville Skyttä 2005-04-24 20:40:47 UTC
Up to date Rawhide as of today (ntp-4.2.0.a.20040617-8,
selinux-policy-targeted-1.23.12-4, dhclient-3.0.2-9):
dhclient tries to update ntp.conf and step-tickers based on the info it gets
from the DHCP server, but SELinux doesn't seem happy with that:

Apr 24 05:42:48 gk012 dhclient: DHCPREQUEST on eth1 to 192.168.2.41 port 67
Apr 24 05:42:48 gk012 dhclient: DHCPACK from 192.168.2.41
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): avc:  denied  {
unlink } for  pid=18276 exe=/bin/mv name=ntp.conf.predhclient dev=hda2
ino=5816838 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): syscall=38 exit=-13
a0=bffbdc1d a1=bffbdc2b a2=8057284 a3=0 items=2 pid=18276 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=0
name=/etc/ntp.conf inode=5815617 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=1
name=/etc/ntp.conf.predhclient inode=5815617 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): avc:  denied  {
unlink } for  pid=18281 exe=/bin/mv name=step-tickers.predhclient dev=hda2
ino=5817166 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): syscall=38 exit=-13
a0=bf94fc0d a1=bf94fc23 a2=8057284 a3=0 items=2 pid=18281 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=0
name=/etc/ntp/step-tickers inode=5816664 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=1
name=/etc/ntp/step-tickers.predhclient inode=5816664 dev=03:02 mode=040755 uid=0
gid=0 rdev=00:00
Apr 24 05:42:49 gk012 dhclient: bound to 192.168.2.248 -- renewal in 8383 seconds.

Comment 1 Daniel Walsh 2005-04-25 14:53:40 UTC
You have some badly labeled files.

restorecon -R -v /etc

Should clear this up.

Dan

Comment 2 Ville Skyttä 2005-04-25 16:32:55 UTC
I have done "/sbin/fixfiles relabel /" as well as "touch /.autorelabel &&
reboot" every now and then but after a while, the problem just seems to
resurface.  None of these avc denied messages today after doing the latter
(/.autorelabel) operation some 7 hours ago though, will keep an eye on it.

Comment 3 Ville Skyttä 2005-05-02 18:17:27 UTC
It's been a week since I've seen these messages, so assuming fixed.

Comment 4 Ville Skyttä 2005-05-04 18:43:05 UTC
Well, there you go, the problem has resurfaced.  Should have knocked wood.

I saw these errors again on shutdown, and at reboot, after "starting xinitd", a
message from awk scrolled by, saying /etc/ntp.conf doesn't exist.

And behold, I no longer have /etc/ntp.conf or /etc/ntp/step-tickers.  Only
/etc/ntp.conf.predhclient and /etc/ntp/step-tickers.predhclient are there.

ntp-4.2.0.a.20040617-8
dhclient-3.0.2-11
selinux-policy-targeted-1.23.14-2


Comment 5 Daniel Walsh 2005-05-10 15:34:20 UTC
What avc messages did you get?

I have not seen this.

Dan

Comment 6 Ville Skyttä 2005-05-10 15:58:23 UTC
See the initial comment in this bug report for the avc messages.

Comment 7 Daniel Walsh 2005-05-10 16:03:54 UTC
So the question is how did step-tickers.predhclient get mislabeled again?

Looks like you did some kind of relabel.
There is a bug in file context.

1.23.15-4 will have the fix.


< --- nsapolicy/file_contexts/program/ntpd.fc   2005-02-24 14:51:09.000000000 -0500
< +++ policy-1.23.15/file_contexts/program/ntpd.fc      2005-05-10
12:00:21.000000000 -0400
< @@ -1,7 +1,7 @@
<  /var/lib/ntp(/.*)?                   system_u:object_r:ntp_drift_t
<  /etc/ntp/data(/.*)?                  system_u:object_r:ntp_drift_t
<  /etc/ntp(d)?\.conf(.sv)?     --      system_u:object_r:net_conf_t
< -/etc/ntp/step-tickers                --      system_u:object_r:net_conf_t
< +/etc/ntp/step-tickers.*              --      system_u:object_r:net_conf_t
<  /usr/sbin/ntpd                       --      system_u:object_r:ntpd_exec_t
<  /usr/sbin/ntpdate            --      system_u:object_r:ntpdate_exec_t
<  /var/log/ntpstats(/.*)?                      system_u:object_r:ntpd_log_t
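Review bot: only the step-tickers pattern is widened; the `/etc/ntp(d)?\.conf(.sv)?` line two lines above the change is left untouched, yet the first denial in this report names `ntp.conf.predhclient`, which that anchored pattern does not match, so a relabel will still give the backup `etc_t` and the `unlink` by `dhcpc_t` will keep failing. Suggest the same treatment for that line, e.g. `/etc/ntp(d)?\.conf.*  --  system_u:object_r:net_conf_t`, and while on that line escape the dot in `(.sv)?`, which as written matches any single character rather than a literal period. Also worth a note in the commit that `step-tickers.*` labels every regular file under `/etc/ntp` whose name starts with `step-tickers`, not just the `.predhclient` backup.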


Comment 8 Ville Skyttä 2005-05-10 16:38:18 UTC
Note that this problem occurs with /etc/ntp.conf(.predhclient) too.  Also,
should the "." in ".sv" be backslashed?  Or, to follow the step-tickers change,
more generally, just:

  /etc/ntp(d)?\.conf.*
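A small model of how a relabel applies these file_contexts patterns, added here as an illustration and not code from this bug report or from the selinux-policy package. It assumes the classic setfiles semantics (each regex anchored to the full path, last matching entry wins, `--` rules restricted to regular files) and uses a generic `/etc(/.*)?` catch-all as a stand-in for the policy's real default rule, which is not quoted in this report; the three rule sets are constructed from the hunk in comment 7 and the pattern proposed in comment 8.

```python
"""Simplified model of SELinux file_contexts labelling (added example)."""
import re

# Pre-patch rules, constructed from the '-' side of the comment 7 hunk.
# The /etc catch-all is an assumption standing in for the policy's
# generic /etc rule; it is not a line quoted in this bug.
OLD_NTPD_FC = r"""
/etc(/.*)?                               system_u:object_r:etc_t
/etc/ntp(d)?\.conf(.sv)?        --       system_u:object_r:net_conf_t
/etc/ntp/step-tickers           --       system_u:object_r:net_conf_t
"""

# Rules as patched in comment 7 ('+' side): only step-tickers gained '.*'
PATCHED_NTPD_FC = r"""
/etc(/.*)?                               system_u:object_r:etc_t
/etc/ntp(d)?\.conf(.sv)?        --       system_u:object_r:net_conf_t
/etc/ntp/step-tickers.*         --       system_u:object_r:net_conf_t
"""

# Rules with the ntp.conf pattern generalised as suggested in comment 8
PROPOSED_NTPD_FC = r"""
/etc(/.*)?                               system_u:object_r:etc_t
/etc/ntp(d)?\.conf.*            --       system_u:object_r:net_conf_t
/etc/ntp/step-tickers.*         --       system_u:object_r:net_conf_t
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (pattern, ftype, context)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, ftype, context = parts
        elif len(parts) == 2:
            path_re, context = parts
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # setfiles anchors every pattern: it must match the whole path
        rules.append((re.compile("^(?:%s)$" % path_re), ftype, context))
    return rules


def label_for(rules, path, is_regular_file=True):
    """Context a relabel assigns to `path` (last matching rule wins), or None."""
    chosen = None
    for pattern, ftype, context in rules:
        if ftype == "--" and not is_regular_file:
            continue  # '--' entries apply to regular files only
        if pattern.match(path):
            chosen = context
    return chosen


# The two files named in the report's AVC denials plus their live counterparts
PATHS = [
    "/etc/ntp.conf",
    "/etc/ntp.conf.predhclient",
    "/etc/ntp/step-tickers",
    "/etc/ntp/step-tickers.predhclient",
]


def labels_before_and_after():
    """Map each path to its type field under (old, patched, proposed) rules."""
    rule_sets = [parse_file_contexts(t)
                 for t in (OLD_NTPD_FC, PATCHED_NTPD_FC, PROPOSED_NTPD_FC)]
    result = {}
    for path in PATHS:
        # keep only the type, e.g. 'etc_t', for readability
        result[path] = tuple(label_for(rules, path).split(":")[2]
                             for rules in rule_sets)
    return result


def unescaped_dot_matches():
    """(loose matches, strict matches) for a name the unescaped '.' lets through."""
    loose = parse_file_contexts(r"/etc/ntp(d)?\.conf(.sv)?  --  system_u:object_r:net_conf_t")
    strict = parse_file_contexts(r"/etc/ntp(d)?\.conf(\.sv)?  --  system_u:object_r:net_conf_t")
    odd_name = "/etc/ntp.confXsv"  # constructed: any char where '.' was meant
    return (label_for(loose, odd_name) is not None,
            label_for(strict, odd_name) is not None)


if __name__ == "__main__":
    for path, types in labels_before_and_after().items():
        print("%-36s old=%-11s patched=%-11s proposed=%s" % ((path,) + types))
    print("unescaped/escaped dot match /etc/ntp.confXsv: %s" % (unescaped_dot_matches(),))
```

Running it shows that under the old rules both `.predhclient` backups fall through to the catch-all and come out `etc_t`, which is the `tcontext` in both denials above; the comment 7 hunk fixes only `step-tickers.predhclient`, and only the generalised `/etc/ntp(d)?\.conf.*` pattern gives `ntp.conf.predhclient` `net_conf_t` as well.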


