Description of problem:
selinux precludes ntpd from allocating shared memory (shmget), which is necessary for instance for operation with gpsd (for getting time information from an external GPS receiver)

Version-Release number of selected component (if applicable):
2.4.6-75.fc6

How reproducible:
always

Steps to Reproduce:
1. Insert into /etc/ntp.conf, as recommended by gpsd documentation:
# GPS
server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.420 refid GPS
server 127.127.28.1 minpoll 4 maxpoll 4 prefer
fudge 127.127.28.1 refid GPS1
2. Start ntpd
3.

Actual results:
in /var/log/messages
SHM shmget (unit 0): Permission denied
configuration of 127.127.28.0 failed
SHM shmget (unit 1): Permission denied
configuration of 127.127.28.1 failed

Expected results:
Should have started without warnings, and ntpq -p should show .GPS. entries. If running gpsd, those entries should get input from gps.

Additional info:
This setup works ok if SELinux is set to permissive.
Please attach the avc messages from /var/log/audit/audit.log or /var/log/messages
By the way you can add the rules by executing

grep ntp /var/log/audit/audit.log | audit2allow -M myntp
semodule -i myntp.pp
Jul 16 20:42:55 localhost kernel: audit(1184643775.492:8): avc: denied { create } for pid=2964 comm="ntpd" key=1314148400 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 16 20:42:55 localhost kernel: audit(1184643775.492:9): avc: denied { create } for pid=2964 comm="ntpd" key=1314148401 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 16 20:45:48 localhost kernel: audit(1184643948.310:8): avc: denied { create } for pid=3097 comm="ntpd" key=1314148400 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 16 20:45:48 localhost kernel: audit(1184643948.311:9): avc: denied { create } for pid=3097 comm="ntpd" key=1314148401 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 17 08:59:03 localhost kernel: audit(1184687943.293:8): avc: denied { create } for pid=3225 comm="ntpd" key=1314148400 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 17 08:59:03 localhost kernel: audit(1184687943.293:9): avc: denied { create } for pid=3225 comm="ntpd" key=1314148401 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
grep ntp /var/log/audit/audit.log | audit2allow -M myntp
semodule -i myntp.pp

worked for me! If I restart ntpd I get:

$ sudo /usr/sbin/ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 SHM(0)          .GPS.            0 l    -   16    0    0.000    0.000   0.002
 SHM(1)          .GPS1.           0 l    -   16    0    0.000    0.000   0.002
 LOCAL(0)        .LOCL.          10 l   33   64    1    0.000    0.000   0.002

Note the two SHM entries.
Fixed in selinux-policy-2.4.6-80
Fix does not work. Using selinux-policy-2.4.6-80 and selinux-policy-targeted-2.4.6-80:

Jul 18 11:06:02 dhcp-69-157 ntpd[3101]: SHM shmat (unit 0): Permission denied
Jul 18 11:06:02 dhcp-69-157 kernel: audit(1184781962.056:8): avc: denied { read write } for pid=3101 comm="ntpd" name="SYSV4e545030" dev=tmpfs ino=32768 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Jul 18 11:06:02 dhcp-69-157 ntpd[3101]: configuration of 127.127.28.0 failed
Jul 18 11:06:02 dhcp-69-157 ntpd[3101]: SHM shmat (unit 1): Permission denied
Jul 18 11:06:02 dhcp-69-157 kernel: audit(1184781962.140:9): avc: denied { read write } for pid=3101 comm="ntpd" name="SYSV4e545031" dev=tmpfs ino=65537 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
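An added example, not part of this bug report or of the Fedora selinux-policy package: a small Python script that parses AVC denial lines of the kind pasted in the comments above (the shm "create" denials and the tmpfs_t "read write" file denials), groups them by source type, target type and object class, and renders the allow rules a reviewer would expect audit2allow to produce, so the access being granted can be read and checked against what ntpd actually needs for the gpsd shared-memory refclock before any module is loaded. The sample log lines are constructed copies of those in the thread; the rule rendering is a simplified reimplementation written for this example, not audit2allow's own code.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AVC messages pasted in this bug.
# The third line is a plain ntpd message, which the parser must ignore.
SAMPLE_LOG = """\
Jul 16 20:42:55 localhost kernel: audit(1184643775.492:8): avc: denied { create } for pid=2964 comm="ntpd" key=1314148400 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=shm
Jul 18 11:06:02 dhcp-69-157 kernel: audit(1184781962.056:8): avc: denied { read write } for pid=3101 comm="ntpd" name="SYSV4e545030" dev=tmpfs ino=32768 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Jul 18 11:06:02 dhcp-69-157 ntpd[3101]: SHM shmat (unit 0): Permission denied
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="ntpd", name="SYSV...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type:level; the type is the third component.
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize_denials(lines):
    """Group denials by (source type, target type, class), unioning the denied permissions."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d['source_type'], d['target_type'], d['tclass'])] |= d['perms']
    return dict(needed)


def allow_rules(summary):
    """Render the grouped denials as SELinux allow rules (simplified audit2allow-style output).

    A denial whose source and target types are the same is written against 'self',
    as audit2allow does for the ntpd_t:shm case above.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        target = 'self' if src == tgt else tgt
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else '{ ' + ' '.join(perm_list) + ' }'
        rules.append(f'allow {src} {target}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_LOG.splitlines())
    for (src, tgt, cls), perms in sorted(summary.items()):
        print(f'{src} -> {tgt} ({cls}): {" ".join(sorted(perms))}')
    print()
    print('\n'.join(allow_rules(summary)))
```

Reading the rendered rules is the point of the exercise: the second rule grants ntpd_t read and write on every file of type tmpfs_t, not just the SYSV shared-memory segments gpsd creates, because the segment is labelled with the generic tmpfs type. That is the kind of over-broad grant worth noticing when a locally generated module is loaded with semodule -i as a stopgap until the distribution policy carries the fix.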
Ok I will add those rules to selinux-policy-2.4.6-81
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
to ensure this doesn't happen again.

And if you'd like to join the bug triage team to help make things better, check out
http://fedoraproject.org/wiki/BugZappers