From Bugzilla Helper:
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.5) Gecko/20050523

Description of problem:
When /etc/selinux/config is set to SELINUX=enforcing, an attempt to start ntpd returns these entries in /var/log/messages:

ntpd[27438]: Cannot find group `ntp'
kernel: audit(1123945220.414:0): avc: denied { read } for pid=27438 comm=ntpd name=group dev=sda2 ino=7913575 scontext=root:system_r:ntpd_t context=root:object_r:tmp_t tclass=file

and the ntpd dies.

When SELINUX=permissive, an attempt to start ntpd returns:

kernel: audit(1123945396.535:0): avc: denied { read } for pid=27492 comm=ntpd name=group dev=sda2 ino=7913575 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file
tempor02 kernel: audit(1123945396.535:0): avc: denied { getattr } for pid=27492 comm=ntpd path=/etc/group dev=sda2 ino=7913575 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file

but at least the ntpd is running.

The bug is not dependent on the UID and GID of /etc/ntp. The group 'ntp' of course exists.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. setenforce Enforcing
2. service ntpd restart
3.

Actual Results: ntpd is dead

Expected Results: ntpd should be running

Additional info:
System is Quad Opteron. All RHEL4 updates installed.
Somehow the /etc/group file got the wrong context on it. Did you edit/create it in /tmp and then mv it to /etc? restorecon /etc/group should fix the problem.
Yes, I have a script that does that. I recently ported it (the script) from RH7.3. Your suggestion works. Thanks a bunch!
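Added example, not part of the bug report or any of its comments: a small POSIX sh helper that scans AVC lines of the shape quoted above for file denials whose target is still labelled tmp_t and prints the restorecon call for each, plus the safer way for a script to move a file generated under /tmp into /etc (cp instead of mv, so the new inode takes the directory's default label). The AVC lines inside the block are constructed samples, not copied from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: spot file denials caused by a
# tmp_t label (the situation above) and show a safer way to install a file
# generated under /tmp.

# Two constructed AVC lines in the same shape as the report's (not copied).
sample_avc_lines() {
    cat <<'EOF'
kernel: audit(1.000:0): avc: denied { read } for pid=100 comm=ntpd name=group dev=sda2 ino=42 scontext=root:system_r:ntpd_t context=root:object_r:tmp_t tclass=file
kernel: audit(1.001:0): avc: denied { getattr } for pid=100 comm=ntpd path=/etc/group dev=sda2 ino=42 scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file
EOF
}

# avc_relabel_hints: read AVC lines on stdin and print "restorecon TARGET"
# for every denied file access whose target type is tmp_t. Uses path= when
# the kernel logged it, else name= (a bare filename, as in the report).
# Accepts a bare "context=" field too, since the report's first line has it.
avc_relabel_hints() {
    awk '
        /avc: *denied/ && /tclass=file/ {
            tctx = ""; path = ""; name = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /^t?context=/) { sub(/^t?context=/, "", f); tctx = f }
                else if (f ~ /^path=/) { path = substr(f, 6) }
                else if (f ~ /^name=/) { name = substr(f, 6) }
            }
            split(tctx, parts, ":")
            if (parts[3] == "tmp_t")
                print "restorecon " (path != "" ? path : name)
        }'
}

# install_relabeled SRC DEST: put a file generated under /tmp into place.
# cp creates a new inode that gets the destination directory's default
# label (etc_t under /etc); mv would carry the tmp_t label along, which is
# exactly what broke ntpd above. restorecon runs afterwards when available.
install_relabeled() {
    cp -- "$1" "$2.new" && mv -- "$2.new" "$2" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$2"
    fi
}

sample_avc_lines | avc_relabel_hints
```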