Bug 162410 - execmem not allowed for ntpd_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-04 06:49 EDT by Marco Colombo
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-07-08 05:03:57 EDT

Description Marco Colombo 2005-07-04 06:49:59 EDT
Description of problem:
After upgrading to selinux-policy-targeted-1.17.30-3.15, ntpd fails to run.
I use to run it with -q as a replacement for ntpdate. I get the following log:
avc:  denied  { execmem } for  pid=9475 comm=ntpd scontext=root:system_r:ntpd_t
tcontext=root:system_r:ntpd_t tclass=process
(see below for the error message)


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.15
ntp-4.2.0.a.20040617-4


How reproducible:
Always


Steps to Reproduce:
1. Just run:
ntpd -q -g
Actual results:
ntpd: error while loading shared libraries: libm.so.6: failed to map segment
from shared object: Permission denied


Expected results:
It should run just fine. It used to with the previous version of the policy
installed.


Additional info:
The policy is a slightly customized one. I installed it with:
make -C /etc/selinux/targeted/src/policy clean reload

Adding the following rule in the policy fixes the problem:
allow ntpd_t self:process execmem;

I also get another avc message, but this seems to be harmless (ntpd runs and
sets the date) and it was already present with previous versions of the policy:
avc:  denied  { execute } for  pid=9804 comm=ntpd path=/etc/ld.so.cache dev=md0
ino=4346 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:ld_so_cache_t
tclass=file

Since I had to add the above rule, I added the following as well:
allow ntpd_t ld_so_cache_t:file execute;

None of the local customizations refer to ntpd_t or ld_so_cache_t at all. I can
provide them if more details are needed, but I'm sure they are not related to
the problem (we use to keep web contents and the PostgreSQL databases under
/home, and the policy has to be modified to allow that).

BTW, there should be a nice way for users to add local customizations to the
policy in the source. Right now, I'm using one file for the policy and one for
the file_contexts, like this:
/etc/selinux/targeted/src/policy/domains/misc/local.te
/etc/selinux/targeted/src/policy/file_contexts/misc/local.fc

This way I don't have to modify the source files (last time I tried, they were
not marked as %config(noreplace) in the rpm, I had to move things back in place
after an update). Is there a better place to put site-specific additions
to the policy?

TIA,
.TM.
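The two AVC denials quoted in this report, turned into the candidate allow rules the reporter wrote by hand, as an added example that is not part of the report or of the selinux-policy package. It also flags execmem-class permissions, since (as this thread's outcome shows) such a denial can be a symptom of something outside the policy rather than a rule that should be granted; the sample log lines are constructed from the report.

```python
import re

# Constructed sample input, modelled on the two denials quoted in this bug report.
SAMPLE_AVC = """\
avc:  denied  { execmem } for  pid=9475 comm=ntpd scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=process
avc:  denied  { execute } for  pid=9804 comm=ntpd path=/etc/ld.so.cache dev=md0 ino=4346 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")

# Permissions that deserve a second look before being allowed: they let a
# domain map writable+executable memory, which defeats W^X protections.
RISKY = {"execmem", "execstack", "execheap"}


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": m.group("perms").split(), **fields}


def type_of(context):
    """Extract the type component from a user:role:type[:level] context."""
    return context.split(":")[2]


def suggest_rule(avc):
    """Build the allow rule that would silence this denial, plus any risky perms."""
    stype = type_of(avc["scontext"])
    ttype = type_of(avc["tcontext"])
    target = "self" if stype == ttype else ttype  # same type on both sides -> self
    rule = f"allow {stype} {target}:{avc['tclass']} {' '.join(avc['perms'])};"
    flagged = sorted(RISKY & set(avc["perms"]))
    return rule, flagged


def review(log_text):
    """Map every AVC denial in the text to (candidate rule, flagged permissions)."""
    results = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            results.append(suggest_rule(avc))
    return results
```

Running review(SAMPLE_AVC) reproduces the two rules the reporter added, with the execmem one flagged for review.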
Comment 1 Daniel Walsh 2005-07-05 10:24:33 EDT
Changing to config(noreplace) in rawhide.

What kernel are you running?

Dan
Comment 2 Marco Colombo 2005-07-05 14:00:20 EDT
I'm running kernel-2.6.11-1.14_FC3smp (unmodified).

Both 1.27_FC3 and now 1.35_FC3 have been considered low priority updates here. I
installed the rpms but I haven't rebooted the system yet. If I get the changelog
right, we're not directly affected by the bugs they fix, so I'm just waiting for
a scheduled reboot. Meanwhile I'll try and reproduce the problem on another host
that runs the latest kernel.

For now, I've got the following line added to the policy (it fixes the problem
for now w/o a reboot):

allow ntpd_t self:process execmem;

If you confirm it's a kernel issue and a kernel update fixes it (but I still
have doubts, it seems to me it's ntpd doing something and it's SELinux blocking
it), feel free to mark the bug as solved. I'll just wait for the next reboot and
remove the extra rule I added.
Comment 3 Marco Colombo 2005-07-08 05:03:57 EDT
I've upgraded to 2.6.11-1.35_FC3smp, removed the extra lines in the policy and
everything is fine now. Thanks.