Bug 242384 - many selinux policy errors
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-03 17:39 EDT by Alvin Thompson
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:09:18 EDT

Attachments
policy errors (43.86 KB, text/plain), 2007-06-03 17:39 EDT, Alvin Thompson

Description Alvin Thompson 2007-06-03 17:39:54 EDT
see attached.
Comment 1 Alvin Thompson 2007-06-03 17:39:54 EDT
Created attachment 156037 [details]
policy errors
Comment 2 David 2007-06-03 18:13:03 EDT
I can add to this: there is a missing policy for ntpd.  In FC6 under selinux, you
could disable selinux on the ntpd daemon.  So if you used gpsd with a gps, ntpd
would then use the gpsd time reference for the clock.

In f7 there is simply no ntpd policy in selinux, so you have to drop selinux
completely from enforcing to permissive.

We need all the old options that were in fc6 under selinux added to f7 ASAP.
Comment 3 Alvin Thompson 2007-06-03 18:16:33 EDT
David, can you attach the policy alerts?  I'm using ntpd with no problem.  Did
you try relabeling the entire system?
Comment 4 David 2007-06-04 04:22:01 EDT
Hi Alvin,
I am using gpsd with a gps to provide system time.  If I set selinux to
enforcing, an ntpq -p does not show GPS and GPS1 as time sources.

In FC6 you have to specifically disable selinux on the ntpd daemon.

In F7 there is no ntpd policy control.

selinux policy for f7 needs to be updated to allow you to disable it against ntpd.

Comment 5 Alvin Thompson 2007-06-04 04:27:54 EDT
That's all Greek to me, so I'll take your word for it.
Comment 6 Daniel Walsh 2007-06-04 14:00:13 EDT
David, you can easily customize your policy with audit2allow in F-7.

# grep ntpd /var/log/audit/audit.log | audit2allow -M myntpd 
# semodule -i myntpd.pp

We have dropped the disable_trans booleans, because it is easy to customize
local policy and disable_trans often caused other domains to get into trouble,
i.e. a domain that was relying on ntpd to be running with the correct context.

The attached log did not contain any references to ntpd, please submit your
audit.log and I will update policy.


You also need to relabel /root
restorecon -R -v /root

Comment 7 David 2007-06-05 05:39:59 EDT
dwalsh,

Thanks for the note, but it did not work :(

[root@primary ~]# grep ntp /var/log/audit/audit.log | audit2allow -M my ntp
grep: /var/log/audit/audit.log: No such file or directory
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@primary ~]# semodule -i myntp.pp
semodule:  Could not read file 'myntp.pp':
[root@primary ~]#
Comment 8 David 2007-06-09 04:50:50 EDT
I got it working properly under selinux enforcing.  The key was the semodule
command is semodule -i my.pp


grep ntpd /var/log/messages | audit2allow -M my ntpd
semodule -i my.pp

Again, as above, here are the AVC messages to include in the policy.

Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:53 primary ntpd[8171]: frequency initialized 188.729 PPM from /var/lib/ntp/drift

Cheers,
David
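The audit2allow step from comments 6 and 8, shown as an added example that is not part of this bug report or of audit2allow itself: a small Python re-implementation of the aggregation audit2allow performs, turning the AVC denials quoted above (embedded here as constructed sample input) into the allow rule and require block of a local .te module. It goes slightly beyond the quoted case by merging several denials per (source, target, class) and by writing `self` when source and target types match; the module name `myntpd` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in comment 8, plus one
# unrelated ntpd line that the parser must skip.
SAMPLE_LOG = """\
Jun  6 21:35:51 primary ntpd[8171]: kernel time sync status 0040
Jun  6 21:35:51 primary kernel: audit(1181129750.578:20): avc:  denied  { unix_read unix_write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:21): avc:  denied  { associate } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jun  6 21:35:51 primary kernel: audit(1181129750.578:22): avc:  denied  { read write } for  pid=8171 comm="ntpd" key=1314148400 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
"""
# Same fields audit2allow reads: permissions, source/target context, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type[:level] -> type, the part that policy rules name
    return context.split(":")[2]

def collect_denials(log_text):
    """Aggregate denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. ntpd's own log line)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_te_module(log_text, name):
    """Render a minimal .te body; read every allow rule before semodule -i."""
    rules = collect_denials(log_text)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        target = "self" if s == t else t  # audit2allow writes self for s == t
        out.append(f"allow {s} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_te_module(SAMPLE_LOG, "myntpd"))
```

For the quoted denials the only rule produced is ntpd_t talking to its own shared memory segment, which is what makes it a safe candidate for a local module rather than a reason to drop to permissive.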
Comment 9 Daniel Walsh 2007-06-11 09:58:22 EDT
Fixed in selinux-policy-2.6.4-14
Comment 10 David 2007-06-11 19:08:37 EDT
Hi Daniel,

Thanks for the fix!
Once I see the new policy loaded, can I then semodule -r ntpd and I assume I
will find the ntpd policy to apply in the selinux management gui?

Cheers,
David
Comment 11 Daniel Walsh 2007-08-22 10:09:18 EDT
Closing as fixes are in the current release
