Description of problem:
Upgrade from FC6, there is no Selinux Management control in gnome, all you can do is change the status of the whole selinux for the server, you can modify individual services. Also there is a missing control for ntpd, for if you use gpsd, you have to disable selinux for ntpd, but if you do a getsebool -a there is not one. Also the kernel unlike fc6 has not been properly compiled with the 1PPS option for gpsd.

Version-Release number of selected component (if applicable):

How reproducible:
Completely

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
If you yum install policycoreutils-gui this adds the missing selinux gui add in missing from the upgrade to F7, this package needs to be installed by default on an upgrade. However there is no policy for disabling ntpd, so a gps via gpsd can set system time. Note also F7 i386 kernel needs to be recompiled to allow 1PPS for gpsd applications. FC6 kernel always supported 1PPS
It is better to customize the policy to allow the access you need than to disable the transition, since other confined domains might need access to resources owned by ntpd.

grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
semodule -i myntp.pp

will customize the policy. Please attach avc messages so I can get them upstream.
Hi Daniel, I tried and got this:

[root@primary ~]# grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
grep: /var/log/audit/audit.log: No such file or directory
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@primary ~]# semodule -i myntp.pp
semodule: Could not read file 'myntp.pp':
[root@primary ~]#
# yum install checkpolicy

Please attach the audit.log so I can see what permissions are needed for ntp to use gpsd.
Hi Daniel, I installed checkpolicy, however I don't have an audit.log file. Selinux is running in permissive mode, I have verified this, but I don't have an audit.log; I even searched for it everywhere. Next idea?
In that case the avc messages should be in /var/log/messages
Hi Daniel, Okay I did:

grep ntp /var/log/messages | audit2allow -M my ntp
semodule -i myntp.pp

It then modified the policy, I went back to enforcing and ntp is taking time from gpsd :) thanks!

Attached are some dumps from the messages.log for you.

Jun 6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun 6 21:35:51 primary kernel: audit(1181129750.578:20): avc: denied { unix_read unix_write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:21): avc: denied { associate } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:22): avc: denied { read write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift
Can you let me know when it will make it into a selinux-policy update please? Also is anything required once it does get included in selinux-policy to reset the servers policy, or did the above fix do this already? Thanks again!
Ah actually it did not work. I restarted ntpd and it won't come up. I had to go back to selinux permissive mode and restart ntpd again. So that does NOT allow it to work under enforcing!
I got it working properly under selinux enforcing. The key was the semodule command is semodule -i my.pp

grep ntpd /var/log/messages | audit2allow -M my ntpd
semodule -i my.pp

Again as above here are the AVC messages to include in the policy..

Jun 6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun 6 21:35:51 primary kernel: audit(1181129750.578:20): avc: denied { unix_read unix_write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:21): avc: denied { associate } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:22): avc: denied { read write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift

Cheers, David
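The customisation Daniel describes (grep the AVC denials, feed them to audit2allow -M, load the .pp with semodule) boils down to parsing the "avc: denied" records and collapsing them into allow rules keyed by source type, target type and object class. The following is an added example, not part of this bug report and not the audit2allow code from policycoreutils: it parses the AVC lines David attached (embedded here as a constructed sample, as they appear in /var/log/messages when auditd is not running) and renders the same kind of draft .te module that audit2allow -M would write. The module name "myntpd" and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, in the
# /var/log/messages form (no auditd), plus two unrelated ntpd lines.
SAMPLE_LOG = """\
Jun 6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun 6 21:35:51 primary kernel: audit(1181129750.578:20): avc: denied { unix_read unix_write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:21): avc: denied { associate } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:51 primary kernel: audit(1181129750.578:22): avc: denied { read write } for pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun 6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift
"""

# One AVC denial record: the permission set in braces, the command, and the
# source/target security contexts plus object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(':')[2]


def parse_avc(lines, comm=None):
    """Return (source_type, target_type, tclass, perms) for each AVC denial.

    If comm is given, only denials raised by that process name are kept,
    which is a sharper filter than grepping the whole line for "ntp".
    """
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group('comm') != comm):
            continue
        denials.append((type_of(m.group('scontext')),
                        type_of(m.group('tcontext')),
                        m.group('tclass'),
                        frozenset(m.group('perms').split())))
    return denials


def aggregate(denials):
    """Merge denials that share (source, target, class) into one perm set."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_te(rules, module_name, version="1.0"):
    """Render a policy module source (.te) in the style audit2allow emits."""
    perms_by_class = defaultdict(set)
    types = set()
    for (src, tgt, cls), perms in rules.items():
        perms_by_class[cls] |= perms
        types.update((src, tgt))
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
            for cls, p in sorted(perms_by_class.items())]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


def draft_module(log_text, module_name, comm=None):
    """Full pipeline: log text in, .te source out."""
    return render_te(aggregate(parse_avc(log_text.splitlines(), comm)), module_name)


if __name__ == "__main__":
    print(draft_module(SAMPLE_LOG, "myntpd", comm="ntpd"))
```

The three records collapse into a single rule, allow ntpd_t ntpd_t:shm { associate read unix_read unix_write write };, which is the access ntpd needs to the shared-memory segment gpsd publishes. The point of reviewing the generated .te before loading it is the one Daniel makes: the rule grants only that access within the ntpd_t domain, instead of turning enforcement off for ntpd altogether. audit2allow -M additionally compiles the .te with checkmodule and packages it with semodule_package (which is why the missing checkpolicy package broke the first attempt above); the draft produced here would go through the same two tools before semodule -i.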
Fixed in selinux-policy-2.6.4-14
Hi Daniel, Thanks for the fix! Once I see the new policy loaded, can I then semodule -r ntpd and I assume I will find the ntpd policy to apply in the selinux management gui? Cheers, David
Closing as fixes are in the current release