Description of problem: Summary SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read write" access to /dev/ptmx (ptmx_t). Detailed Description SELinux denied access requested by /usr/sbin/ntpd. It is not expected that this access is required by /usr/sbin/ntpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/ptmx, restorecon -v /dev/ptmx. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "ntpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P ntpd_disable_trans=1." The following command will allow this access: setsebool -P ntpd_disable_trans=1 Additional Information Source Context root:system_r:ntpd_t Target Context system_u:object_r:ptmx_t Target Objects /dev/ptmx [ chr_file ] Affected RPM Packages ntp-4.2.2p1-5.el5 [application] Policy RPM selinux-policy-2.4.6-30.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.disable_trans Host Name Rhel5.test.com Platform Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:14 EST 2007 x86_64 x86_64 Alert Count 4 Line Numbers Raw Audit Messages avc: denied { read, write } for comm="ntpd" dev=tmpfs egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="ptmx" path="/dev/ptmx" pid=8086 scontext=root:system_r:ntpd_t:s0 sgid=0 subj=root:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:ptmx_t:s0 tty=(none) uid=0 Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: I have Xandros Bridgeways on RHEL5 (original release, no updates). I have enabled selinux in permissive mode. When i start the TimeServer from Bridgeways UI I get the above error. I don't believe this has anything to do with the product I have installed however.
Could you put this machine in permissive mode and then run ntpd to gather all of the avc messages. The attach them to this bugzilla setenforce 0 service ntpd restart setenforce 1 grep avc /var/log/audit/audit.log > /tmp/avc.txt
The report which i had pasted in this bug was with selinux enabled in permissive mode only. However when i start ntpd (/etc/init.d/ntpd start) from the command line on Plain Rhel5 system i couldn't reproduce this bug .But after installing Bridgeways on my Redhat system and starting Time Server thereafter from Bridgeways UI i'm getting this bug.
Fixed in selinux-policy-2.4.6-80 If you want to add these rules you can simply execute grep ntp /var/log/audit/audit.log | audit2allow -M myntp semodule -i myntp.pp
Does this mean that bug is with SeLinux Policy 2.4.6-30.el5??? or with BridgeWays Tool which I'm using on Rhel5???
SELinux policy is not allowing ntpd to communicated via shared memory with BridgeWays. So we will fix selinux-policy. It is arguable whether BridgeWays tool should use shared memory rather then some easier to control interprocess communications like namedpipes.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
QE ack for RHEL5.2. Reproducer in comment 0.
Manoj, could you please try the new policy available at the link below and reply whether the new packages solve your problem. The fix should be present in selinux-policy >= 2.4.6-104. Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
This is not reproducible on RHEL5.1 system which comes with policy 104 by default.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html