Description of problem:
I have a script in /etc/NetworkManager/dispatcher.d/ntpd-script set to start ntpd on connection to a network (see http://www.ces.clemson.edu/linux/nm.shtml ). The latest release of selinux-policy-targeted has stopped this from working - it was ok previously. The script is in /etc, ls -aZ shows:

-rwx------ root root system_u:object_r:etc_t:s0 ntpd-script

setroubleshoot suggests setting context to bin_t - is this the right thing to do?

Raw Audit Messages:
avc: denied { execute } for comm=sh dev=dm-1 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=ntpd-script pid=17255 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-73.fc8
It needs to be labeled bin_t to work. Why did you move this out of /etc/NetworkManager/dispatcher.d/ntpd-script?

# matchpathcon /etc/NetworkManager/dispatcher.d/ntpd-script
/etc/NetworkManager/dispatcher.d/ntpd-script system_u:object_r:bin_t

If you move it to this directory and run restorecon on it, the script will be labeled bin_t and be executable. If you must have it in /etc (not recommended), you need to fix the labeling by executing

# semanage fcontext -a -t bin_t /etc/ntpd-script
# restorecon /etc/ntpd-script
Ah, sorry, I fouled up cut'n'paste on the second reference to the file - it is, and always has been, in /etc/NetworkManager/dispatcher.d/

restorecon doesn't label it bin_t:

# restorecon /etc/NetworkManager/dispatcher.d/ntpd-script
# ls -aZ /etc/NetworkManager/dispatcher.d/ntpd-script
-rwx------ root root system_u:object_r:etc_t:s0 /etc/NetworkManager/dispatcher.d/ntpd-script

and

# matchpathcon /etc/NetworkManager/dispatcher.d/ntpd-script
/etc/NetworkManager/dispatcher.d/ntpd-script system_u:object_r:etc_t:s0

which is different to your output in comment #1. I guess, from your matchpathcon output, that you're running a newer policy - is there a specific version I should try?
Fixed in selinux-policy-3.0.8-76.fc8
Same problem in F7 with selinux-policy-2.6.4-67.fc7.
Confirmed that the original issue is resolved for me in -76.fc8, now just for F7.
Fixed in selinux-policy-3.6.4-70.fc7
(In reply to comment #6)
> Fixed in selinux-policy-3.6.4-70.fc7

Looks good to me.
Original block is fixed, but with the same script I now get:

SELinux is preventing ntpd-script (NetworkManager_t) "getattr" to /var/run/ntpd.pid (ntpd_var_run_t).

Policy RPM: selinux-policy-3.0.8-76.fc8

Raw Audit Messages:
avc: denied { getattr } for comm=ntpd-script dev=dm-1 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/run/ntpd.pid pid=5635 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=file tcontext=system_u:object_r:ntpd_var_run_t:s0 tty=(none) uid=0
I saw similar with my script and /var/lock. I fixed it by using the "service" command instead of trying to manipulate /var/lock directly. E.g.:

/sbin/service ntp status
/sbin/service ntp start
So your dispatcher script is doing a service ntp start ?
For these types of local customizations, I think you are going to have to write your own policy for now. In Rawhide, we have begun breaking out initrc scripts into separate types. So I can add

ntp_script_domtrans(NetworkManager_t)

which allows NetworkManager to turn on and off ntp.
I can start and stop ntp (and ypbind and autofs) just fine using "/sbin/service" in my dispatcher scripts. I'm assuming that that handles the appropriate transitions. I don't think the dispatcher scripts should manipulate /var/run and /var/lock directly. No idea what Kevin's script is doing, so maybe he's having a different problem.
Yes, currently policy has

init_domtrans_script(NetworkManager_t)

which is probably too broad. This allows NetworkManager to run any initrc script. I would like to get to the point where it would only be able to start and stop network services scripts. Not iptables, for example.
(In reply to comment #10)
> So your dispatcher script is doing a service ntp start ?

Yes, and a restart again if the interface is changed. With ntpd in a normal runlevel init has to wait for ntpd to time out when there (often) isn't any network on boot. The script (taken from the link in comment #0) was checking for - but not changing - /var/run/ntpd.pid to find whether ntpd was active. I changed this to call "/sbin/service ntpd status" and it's no longer blocked by selinux (with the current policy, at least). Thanks!

As for the future, I'd expect (hope!?) with the move to Upstart, and NetworkManager replacing the network init script in F9, that the NetworkManager dispatcher will become the default mechanism to start any services which require a network connection.
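The approach the thread converges on (query ntpd through /sbin/service so the init script's domain transition does the work, instead of reading /var/run/ntpd.pid from NetworkManager_t) as an added example dispatcher script; it is not the script from the bug report or from the Clemson page, and the "ntpd" service name, the up/vpn-up handling and the logger call are assumptions:

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script that (re)starts ntpd via
# /sbin/service rather than stat'ing /var/run/ntpd.pid (the getattr on
# ntpd_var_run_t that the policy denied). Install in
# /etc/NetworkManager/dispatcher.d/ so it is labeled bin_t by restorecon.
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>

# Decide which service verb to run for a NetworkManager action.
#   $1 = NM action (up, down, vpn-up, ...)
#   $2 = current ntpd state: "running" or "stopped"
# Prints one of: start | restart | none
ntp_action() {
    case "$1" in
        up|vpn-up)
            # New or changed connectivity: resync against the new network.
            if [ "$2" = running ]; then echo restart; else echo start; fi ;;
        *)
            # down, pre-up, etc.: leave the daemon alone.
            echo none ;;
    esac
}

# Ask the init script, not the pid file, whether ntpd is up.
# "service ntpd status" exits 0 when the daemon is running.
ntpd_state() {
    if /sbin/service ntpd status >/dev/null 2>&1; then
        echo running
    else
        echo stopped
    fi
}

main() {
    iface="$1"
    nm_action="$2"
    verb=$(ntp_action "$nm_action" "$(ntpd_state)")
    if [ "$verb" != none ]; then
        logger -t ntpd-script "$iface $nm_action: service ntpd $verb"
        /sbin/service ntpd "$verb"
    fi
}

# Only act when called by NetworkManager with <interface> <action>.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```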