Bug 217550 - ntpd generates avc denials
Summary: ntpd generates avc denials
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-11-28 16:11 UTC by Steve Friedman
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-28 16:57:35 UTC
Type: ---
Embargoed:



Description Steve Friedman 2006-11-28 16:11:06 UTC
Description of problem:
Latest versions of ntpd and selinux-policy generate avc denials in the log.
(selinux configured for permissive mode).

Version-Release number of selected component (if applicable):
ntp-4.2.2p1-3
selinux-policy-2.4.3-10.fc6

How reproducible:
Every time.

Steps to Reproduce:
1.  Install FC6.
2.  Update to latest released version (not test).
3.  Inspect /var/log/messages
  
Actual results:
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:543): avc:  denied  { write } for  pid=3379 comm="ntpd" name="ntp" dev=dm-0 ino=5374373 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:544): avc:  denied  { add_name } for  pid=3379 comm="ntpd" name="drift.TEMP" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:545): avc:  denied  { create } for  pid=3379 comm="ntpd" name="drift.TEMP" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:546): avc:  denied  { write } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:547): avc:  denied  { remove_name } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:548): avc:  denied  { rename } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:549): avc:  denied  { unlink } for  pid=3379 comm="ntpd" name="drift" dev=dm-0 ino=5375847 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Expected results:
Nothing in log file.

Additional info:

Comment 1 Daniel Walsh 2006-11-28 16:57:35 UTC
Drift files should be written to /var/lib/ntp, not the /etc directory.


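The denials in the report and the fix named in comment 1, as an added example that is not part of the bug report or of the Fedora ntp and selinux-policy packages: a small shell script that reduces AVC records of this shape to "source type, permission, object class, target type, object name" (every record here collapses to ntpd_t being denied writes on etc_t, which is the whole diagnosis), then checks whether the driftfile path in an ntp.conf lies under /var/lib/ntp. The sample AVC lines are the seven records from the report re-joined onto single lines; the two ntp.conf fragments are constructed, and the server name in them is a placeholder. The check only tests the path prefix; on a real host you would also confirm the directory carries the label the policy expects (ls -Zd /var/lib/ntp, restorecon -Rv /var/lib/ntp if it does not).

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Fedora ntp /
# selinux-policy packages.  Reads AVC denial records of the shape shown in
# the report and checks an ntp.conf driftfile setting against comment 1
# (drift files belong under /var/lib/ntp).

# Constructed sample input: the seven records from the report, one per line.
SAMPLE_AVCS='Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:543): avc:  denied  { write } for  pid=3379 comm="ntpd" name="ntp" dev=dm-0 ino=5374373 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:544): avc:  denied  { add_name } for  pid=3379 comm="ntpd" name="drift.TEMP" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:545): avc:  denied  { create } for  pid=3379 comm="ntpd" name="drift.TEMP" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:546): avc:  denied  { write } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:547): avc:  denied  { remove_name } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:548): avc:  denied  { rename } for  pid=3379 comm="ntpd" name="drift.TEMP" dev=dm-0 ino=5374817 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Nov 28 10:36:27 GSI10 kernel: audit(1164728187.753:549): avc:  denied  { unlink } for  pid=3379 comm="ntpd" name="drift" dev=dm-0 ino=5375847 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_summary: stdin = raw log lines; stdout = one line per denial in the form
#   <source type> <permission> <object class> <target type> <object name>
# so "ntpd_t write dir etc_t ntp" reads: ntpd_t was denied write on the
# directory named "ntp", whose type is etc_t.
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([a-z_]*\) *} .*comm="\([^"]*\)".*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\4 \1 \6 \5 \3/p'
}

# denied_pairs: distinct "<source type> -> <target type>" pairs.  For the
# report this is the single pair ntpd_t -> etc_t: the daemon is writing
# (create, write, rename, unlink) into /etc, which the policy treats as
# read-only configuration for it.
denied_pairs() {
    avc_summary | awk '{ print $1 " -> " $4 }' | sort -u
}

# driftfile_path: print the path from the first uncommented driftfile line of
# an ntp.conf read on stdin.
driftfile_path() {
    awk '$1 == "driftfile" { print $2; exit }'
}

# driftfile_ok PATH: succeed if PATH is under /var/lib/ntp, the location
# comment 1 says drift files belong in.
driftfile_ok() {
    case "$1" in
        /var/lib/ntp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed ntp.conf fragments (the server name is a placeholder): the
# setting that produces the denials above, and the corrected one.
BAD_CONF='server 0.pool.ntp.org
driftfile /etc/ntp/drift'
GOOD_CONF='server 0.pool.ntp.org
driftfile /var/lib/ntp/drift'

printf '%s\n' "$SAMPLE_AVCS" | avc_summary
printf '%s\n' "$SAMPLE_AVCS" | denied_pairs
for conf in "$BAD_CONF" "$GOOD_CONF"; do
    path=$(printf '%s\n' "$conf" | driftfile_path)
    if driftfile_ok "$path"; then
        echo "driftfile $path: ok"
    else
        # The report was taken in permissive mode, so these writes went
        # through and were only logged; in enforcing mode the drift file at
        # this path would never be updated.
        echo "driftfile $path: move it under /var/lib/ntp (ntpd_t is denied writes on etc_t)"
    fi
done
```

The sequence of denials (create drift.TEMP, write it, rename it over drift, unlink the old drift) is ntpd's ordinary atomic replace of its drift file; nothing is wrong with the daemon, only with where the file was pointed.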