Bug 242215 - Selinux no ntpd policy in F7
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Platform: i386 Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-02 04:36 EDT by David
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:10:25 EDT
Description David 2007-06-02 04:36:38 EDT
Description of problem:
After upgrading from FC6, there is no SELinux Management control in GNOME; all you can
do is change the status of the whole of SELinux for the server, you can modify
individual services.

Also there is a missing control for ntpd: if you use gpsd, you have to
disable SELinux for ntpd, but if you do a getsebool -a there is not one.

Also the kernel, unlike FC6, has not been properly compiled with the 1PPS option
for gpsd.

How reproducible:
Completely

Comment 1 David 2007-06-02 06:29:52 EDT
If you yum install policycoreutils-gui, this adds the SELinux GUI add-in that was
missing from the upgrade to F7; this package needs to be installed by default on
an upgrade.

However, there is no policy for disabling ntpd so that a GPS via gpsd can set the system
time.

Note also that the F7 i386 kernel needs to be recompiled to allow 1PPS for gpsd
applications. The FC6 kernel always supported 1PPS.
Comment 2 Daniel Walsh 2007-06-04 16:11:35 EDT
It is better to customize the policy to allow the access you need than to
disable the transition, since other confined domains might need access to
resources owned by ntpd.

grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
semodule -i myntp.pp

will customize the policy.

Please attach avc messages so I can get them upstream.
Comment 3 David 2007-06-04 18:16:57 EDT
Hi Daniel,

I tried and got this:

[root@primary ~]# grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
grep: /var/log/audit/audit.log: No such file or directory
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@primary ~]# semodule -i myntp.pp
semodule:  Could not read file 'myntp.pp':
[root@primary ~]#
Comment 4 Daniel Walsh 2007-06-05 08:03:01 EDT
# yum install checkpolicy 


Please attach the audit.log so I can see what permissions are needed for ntp to
use gpsd.
Comment 5 David 2007-06-05 19:05:42 EDT
Hi Daniel,
I installed checkpolicy; however, I don't have an audit.log file.

SELinux is running in permissive mode, I have verified this, but I don't have an
audit.log; I even searched for it everywhere.

Next idea?
Comment 6 Daniel Walsh 2007-06-06 11:53:40 EDT
In that case the avc messages should be in /var/log/messages
Comment 7 David 2007-06-06 18:02:41 EDT
Hi Daniel,

Okay I did:
grep ntp /var/log/messages | audit2allow -M my ntp
semodule -i myntp.pp

It then modified the policy, I went back to enforcing and ntp is taking time
from gpsd :) thanks!

Attached are some dumps from messages.log for you.


Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift



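As an added example (not code from this thread, from audit2allow or from selinux-policy), here is a small audit2allow work-alike for the procedure Daniel gives in Comment 2: it turns the AVC "denied" lines from /var/log/messages into the source of a local policy module. The sample input is constructed from the three ntpd_t shm denials posted in Comment 7, unwrapped to one AVC per line; the module name myntp is assumed.

```shell
#!/bin/sh
# Added example, not code from this bug thread, audit2allow or selinux-policy:
# build a local policy module source (.te) from AVC "denied" lines, as
# "audit2allow -M myntp" does in Comment 2. Sample input is constructed from
# the three ntpd_t shm denials in Comment 7, one AVC per line.
LC_ALL=C; export LC_ALL

SAMPLE_AVCS='Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm'

# avc_to_allow: AVC lines on stdin -> one "allow" rule per
# (source type, target type, class), permissions merged and sorted.
avc_to_allow() {
    awk '/avc: *denied/ {
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sp, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, tp, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        n = split(p, perms, " ")          # context is user:role:type:level
        for (i = 1; i <= n; i++) print sp[3] " " tp[3] ":" c "\t" perms[i]
    }' | sort -u | awk -F'\t' '
        $1 != cur { if (cur != "") print "allow " cur " { " pl " };"
                    cur = $1; pl = $2; next }
        { pl = pl " " $2 }
        END { if (cur != "") print "allow " cur " { " pl " };" }'
}

# avc_to_te NAME: wrap the rules in the module header and the require block
# checkmodule needs (every referenced type, every class with its permissions).
avc_to_te() {
    avc_to_allow | awk -v name="$1" '
        { split($3, tc, ":"); types[$2] = 1; types[tc[1]] = 1
          for (i = 5; i < NF; i++)          # fields 5..NF-1 are the perms
              if (!((tc[2], $i) in seen)) { seen[tc[2], $i] = 1; cp[tc[2]] = cp[tc[2]] " " $i }
          rules = rules $0 "\n" }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (ty in types) printf "\ttype %s;\n", ty
            for (cl in cp) printf "\tclass %s {%s };\n", cl, cp[cl]
            printf "}\n\n%s", rules
        }'
}

# On a host with checkpolicy installed (Comment 4), build and load it with:
#   printf '%s\n' "$SAMPLE_AVCS" | avc_to_te myntp > myntp.te
#   checkmodule -M -m -o myntp.mod myntp.te
#   semodule_package -o myntp.pp -m myntp.mod
#   semodule -i myntp.pp
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te myntp
```

Review the generated .te before loading it: a local module grants exactly the listed permissions to ntpd_t, which is narrower than turning off the ntpd transition as the reporter first asked for.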
Comment 8 David 2007-06-06 18:37:18 EDT
Can you let me know when it will make it into a selinux-policy update please? 
Also is anything required once it does get included in selinux-policy to reset
the servers policy, or did the above fix do this already?

Thanks again!
Comment 9 David 2007-06-06 19:59:40 EDT
Ah, actually it did not work. I restarted ntpd and it won't come up. I had to go
back to SELinux permissive mode and restart ntpd again.

So that does NOT allow it to work under enforcing!
Comment 10 David 2007-06-09 04:50:09 EDT
I got it working properly under SELinux enforcing. The key was that the semodule
command is semodule -i my.pp


grep ntpd /var/log/messages | audit2allow -M my ntpd
semodule -i my.pp

Again, as above, here are the AVC messages to include in the policy.

Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift

Cheers,
David
Comment 11 Daniel Walsh 2007-06-11 08:13:06 EDT
Fixed in selinux-policy-2.6.4-14
Comment 12 David 2007-06-11 19:08:32 EDT
Hi Daniel,

Thanks for the fix!
Once I see the new policy loaded, can I then semodule -r ntpd, and I assume I
will find the ntpd policy to apply in the SELinux management GUI?

Cheers,
David
Comment 13 Daniel Walsh 2007-08-22 10:10:25 EDT
Closing as fixes are in the current release
