Bug 155855 - avc denied for dhclient, ntp.conf and step-tickers
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-04-24 16:40 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 11:56:39 EDT

Attachments: None
Description Ville Skyttä 2005-04-24 16:40:47 EDT
Up to date Rawhide as of today (ntp-4.2.0.a.20040617-8,
selinux-policy-targeted-1.23.12-4, dhclient-3.0.2-9):
dhclient tries to update ntp.conf and step-tickers based on the info it gets
from the DHCP server, but SELinux doesn't seem happy with that:

Apr 24 05:42:48 gk012 dhclient: DHCPREQUEST on eth1 to 192.168.2.41 port 67
Apr 24 05:42:48 gk012 dhclient: DHCPACK from 192.168.2.41
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): avc:  denied  {
unlink } for  pid=18276 exe=/bin/mv name=ntp.conf.predhclient dev=hda2
ino=5816838 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): syscall=38 exit=-13
a0=bffbdc1d a1=bffbdc2b a2=8057284 a3=0 items=2 pid=18276 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=0
name=/etc/ntp.conf inode=5815617 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=1
name=/etc/ntp.conf.predhclient inode=5815617 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): avc:  denied  {
unlink } for  pid=18281 exe=/bin/mv name=step-tickers.predhclient dev=hda2
ino=5817166 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): syscall=38 exit=-13
a0=bf94fc0d a1=bf94fc23 a2=8057284 a3=0 items=2 pid=18281 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=0
name=/etc/ntp/step-tickers inode=5816664 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=1
name=/etc/ntp/step-tickers.predhclient inode=5816664 dev=03:02 mode=040755 uid=0
gid=0 rdev=00:00
Apr 24 05:42:49 gk012 dhclient: bound to 192.168.2.248 -- renewal in 8383 seconds.
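The two AVC records above carry the whole diagnosis once they are parsed: the source type is dhcpc_t, the target type is etc_t (the generic label for anything under /etc), and the permission is unlink on a file. Below is an added example, written for this page and not part of the report or of the selinux-policy package, that parses such syslog-wrapped AVC lines, collapses them into the audit2allow-style rule they would imply, and separately flags denials whose target carries a catch-all label such as etc_t, since those usually point at a mislabeled file rather than at a missing policy rule. The sample log is the report's own two records re-joined onto one line each; the GENERIC_TYPES set is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records from the report above, each re-joined
# onto a single line (syslog wrapped them), plus one non-AVC dhclient line.
SAMPLE_LOG = """\
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): avc:  denied  { unlink } for  pid=18276 exe=/bin/mv name=ntp.conf.predhclient dev=hda2 ino=5816838 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): avc:  denied  { unlink } for  pid=18281 exe=/bin/mv name=step-tickers.predhclient dev=hda2 ino=5817166 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Apr 24 05:42:49 gk012 dhclient: bound to 192.168.2.248 -- renewal in 8383 seconds.
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed list of catch-all labels for whole directory trees.  A denial against
# one of these usually means the file lost its specific label (fix: restorecon),
# not that the policy needs a new allow rule for the generic type.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "var_lib_t", "var_log_t", "tmp_t",
                 "file_t", "default_t"}


def parse_avc(line):
    """Return a dict of the AVC fields in one syslog line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse denials into audit2allow-style rules, most frequent first."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], perm)] += 1
    return ["allow %s %s:%s %s;" % key for key, _ in counts.most_common()]


def relabel_suspects(records):
    """Names of denied targets that carry a generic label: candidates for restorecon, not for an allow rule."""
    return sorted({r.get("name", "?") for r in records
                   if r["result"] == "denied" and type_of(r["tcontext"]) in GENERIC_TYPES})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in allow_rules(recs):
        print("implied rule:", rule)
    for name in relabel_suspects(recs):
        print("generic target label, check with matchpathcon/restorecon:", name)
```

Run against the sample, the implied rule is `allow dhcpc_t etc_t:file unlink;`, which is exactly the rule one should not add: dhcpc_t writing arbitrary etc_t files would undo the confinement, and both flagged names end in .predhclient, which is the hint that the temporary files dhclient creates are not covered by the file contexts.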
Comment 1 Daniel Walsh 2005-04-25 10:53:40 EDT
You have some badly labeled files.

restorecon -R -v /etc

Should clear this up.

Dan
Comment 2 Ville Skyttä 2005-04-25 12:32:55 EDT
I have done "/sbin/fixfiles relabel /" as well as "touch /.autorelabel &&
reboot" every now and then but after a while, the problem just seems to
resurface.  No these avc denied messages today after doing the latter
(/.autorelabel) operation some 7 hours ago though, will keep an eye on it.
Comment 3 Ville Skyttä 2005-05-02 14:17:27 EDT
It's been a week since I've seen these messages, so assuming fixed.
Comment 4 Ville Skyttä 2005-05-04 14:43:05 EDT
Well, there you go, the problem has resurfaced.  Should have knocked wood.

I saw these errors again on shutdown, and at reboot, after "starting xinitd", a
message from awk scrolled by, saying /etc/ntp.conf doesn't exist.

And behold, I no longer have /etc/ntp.conf or /etc/ntp/step-tickers.  Only
/etc/ntp.conf.predhclient and /etc/ntp/step-tickers.predhclient are there.

ntp-4.2.0.a.20040617-8
dhclient-3.0.2-11
selinux-policy-targeted-1.23.14-2
Comment 5 Daniel Walsh 2005-05-10 11:34:20 EDT
What avc messages did you get?

I have not seen this.

Dan
Comment 6 Ville Skyttä 2005-05-10 11:58:23 EDT
See the initial comment in this bug report for the avc messages.
Comment 7 Daniel Walsh 2005-05-10 12:03:54 EDT
So the question is how did step-tickers.predhclient get mislabeled again?

Looks like you did some kind of relabel.
There is a bug in file context 

1.23.15-4 will have the fix.


< --- nsapolicy/file_contexts/program/ntpd.fc   2005-02-24 14:51:09.000000000 -0500
< +++ policy-1.23.15/file_contexts/program/ntpd.fc      2005-05-10
12:00:21.000000000 -0400
< @@ -1,7 +1,7 @@
<  /var/lib/ntp(/.*)?                   system_u:object_r:ntp_drift_t
<  /etc/ntp/data(/.*)?                  system_u:object_r:ntp_drift_t
<  /etc/ntp(d)?\.conf(.sv)?     --      system_u:object_r:net_conf_t
< -/etc/ntp/step-tickers                --      system_u:object_r:net_conf_t
< +/etc/ntp/step-tickers.*              --      system_u:object_r:net_conf_t
<  /usr/sbin/ntpd                       --      system_u:object_r:ntpd_exec_t
<  /usr/sbin/ntpdate            --      system_u:object_r:ntpdate_exec_t
<  /var/log/ntpstats(/.*)?                      system_u:object_r:ntpd_log_t
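Review bot: the ntp.conf entry two lines above the changed line still matches only ntp.conf and ntp.conf.sv, so /etc/ntp.conf.predhclient, which the report's first AVC record shows being denied in exactly the same way as step-tickers.predhclient, still falls through to etc_t after this change; widen it the same way, e.g. `/etc/ntp(d)?\.conf.*  --  system_u:object_r:net_conf_t`. The `.` in `(.sv)?` is also unescaped and matches any character; it should be `(\.sv)?`. The `--` field is right to keep: it limits both patterns to regular files, so the step-tickers.* widening cannot capture a directory.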
Comment 8 Ville Skyttä 2005-05-10 12:38:18 EDT
Note that this problem occurs with /etc/ntp.conf(.predhclient) too.  Also,
should the "." in ".sv" be backslashed?  Or, to follow the step-tickers change,
more generally, just:

  /etc/ntp(d)?\.conf.*

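Whether a given path gets net_conf_t or falls back to etc_t is decided by the file_contexts matching rules: each regex is anchored at both ends, an optional type field such as `--` restricts the entry to regular files, and when several entries match the last one listed wins (file_contexts(5)). The following is an added example written for this page, not code from the selinux-policy package, that emulates that lookup so the three variants discussed in Comments 7 and 8 can be compared on the paths from the report. The generic `/etc(/.*)?` to etc_t entry is assumed here as the fallback the base policy provides; it does not appear in the hunk.

```python
import re

# Assumed generic fallback for /etc (from the base policy, not from the hunk
# above); listed first so the more specific ntpd.fc entries override it.
GENERIC_ETC = "/etc(/.*)?\t\t\tsystem_u:object_r:etc_t"

# ntpd.fc as it was before the change in Comment 7.
FC_BEFORE = "\n".join([
    GENERIC_ETC,
    r"/etc/ntp(d)?\.conf(.sv)?     --      system_u:object_r:net_conf_t",
    r"/etc/ntp/step-tickers                --      system_u:object_r:net_conf_t",
])

# ntpd.fc with the step-tickers line from the hunk applied.
FC_AFTER = "\n".join([
    GENERIC_ETC,
    r"/etc/ntp(d)?\.conf(.sv)?     --      system_u:object_r:net_conf_t",
    r"/etc/ntp/step-tickers.*              --      system_u:object_r:net_conf_t",
])

# Comment 8's broader proposal for the ntp.conf line, on top of the hunk.
FC_PROPOSED = "\n".join([
    GENERIC_ETC,
    r"/etc/ntp(d)?\.conf.*                 --      system_u:object_r:net_conf_t",
    r"/etc/ntp/step-tickers.*              --      system_u:object_r:net_conf_t",
])

# Same as FC_BEFORE but with the "." in "(.sv)?" escaped, also per Comment 8.
FC_ESCAPED = FC_BEFORE.replace("(.sv)?", r"(\.sv)?")


def parse_fc(text):
    """Parse file_contexts lines into (anchored regex, file-type field or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError("bad file_contexts line: %r" % line)
        # setfiles/restorecon anchor every pattern at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def label_for(path, specs, ftype="--"):
    """Context the last matching entry assigns to path, or None if nothing matches.

    ftype is the file_contexts type field of the object being labeled:
    "--" regular file, "-d" directory, "-l" symlink, and so on.
    """
    winner = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            winner = context
    return winner


def type_of(context):
    return context.split(":")[2] if context else None


def check(path, fc_text, ftype="--"):
    """Type (third field) the given file_contexts text assigns to path."""
    return type_of(label_for(path, parse_fc(fc_text), ftype))


if __name__ == "__main__":
    for name, fc in (("before", FC_BEFORE), ("after", FC_AFTER), ("proposed", FC_PROPOSED)):
        for path in ("/etc/ntp/step-tickers.predhclient", "/etc/ntp.conf.predhclient"):
            print("%-8s %-36s -> %s" % (name, path, check(path, fc)))
    print("unescaped dot: /etc/ntp.confXsv ->", check("/etc/ntp.confXsv", FC_BEFORE))
```

The output shows the gap the hunk leaves: step-tickers.predhclient moves from etc_t to net_conf_t, but ntp.conf.predhclient stays etc_t until the ntp.conf line is widened as Comment 8 suggests, and the unescaped dot lets a name like ntp.confXsv pick up net_conf_t that a literal `\.sv` would refuse. The same lookup on a real system is `matchpathcon /etc/ntp.conf.predhclient`, and `restorecon -v` applies whatever it returns.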