Description of problem:
setroubleshooter browser showing warning as time update is attempted.

Version-Release number of selected component (if applicable):
ntp-4.2.4p2-6.fc8
selinux-policy-targeted-3.0.8-76.fc8
setroubleshoot-1.10.7-1.fc8
setroubleshoot-plugins-1.10.4-1.fc8
setroubleshoot-server-1.10.7-1.fc8

How reproducible:
occurs in job run by cron

Actual results:

Summary
SELinux is preventing the /usr/sbin/ntpd from using potentially mislabeled files (<Unknown>).

Detailed Description
SELinux has denied /usr/sbin/ntpd access to potentially mislabeled file(s) (<Unknown>). This means that SELinux will not allow /usr/sbin/ntpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want /usr/sbin/ntpd to access this files, you need to relabel them using restorecon -v <Unknown>. You might want to relabel the entire directory using restorecon -R -v <Unknown>.

Additional Information
Source Context          system_u:system_r:ntpd_t
Target Context          unconfined_u:object_r:rpm_script_tmp_t
Target Objects          None [ file ]
Affected RPM Packages   ntp-4.2.4p2-6.fc8 [application]
Policy RPM              selinux-policy-3.0.8-76.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.home_tmp_bad_labels
Host Name               davidtdesktop
Platform                Linux davidtdesktop 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 athlon
Alert Count             2
First Seen              Mon 28 Jan 2008 09:54:21 EST
Last Seen               Mon 28 Jan 2008 18:32:37 EST
Local ID                1fcbc517-4487-4bf4-944c-d2b6033d2394
Line Numbers

Raw Audit Messages
avc: denied { read } for comm=ntpd dev=dm-0 egid=0 euid=0 exe=/usr/sbin/ntpd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=services pid=2142 scontext=system_u:system_r:ntpd_t:s0 sgid=0 subj=system_u:system_r:ntpd_t:s0 suid=0 tclass=file tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0

Additional info:
The note says to restorecon <unknown> - that's a bit tricky ;-)

# ls -lZ /etc/nt*
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf.rpmnew

/etc/ntp:
drwxr-x--- root ntp system_u:object_r:ntpd_key_t crypto
-rw------- root root system_u:object_r:ntpd_key_t keys
-rw-r--r-- root root system_u:object_r:etc_t ntpservers
-rw-r--r-- root root system_u:object_r:net_conf_t step-tickers

# restorecon -v /etc/nt*
did not appear to change any contexts.

restorecon /etc/services will fix. This is caused by a bug in vmware.
Correct. Installing the vmware-server rpm changes the context of /etc/services, as shown by: ls -lZ /etc/serv*. That causes at least ntp and sendmail to stop working. Thanks.
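
Added example, not part of the original report or its comments: the alert printed <Unknown> as the target, but the raw audit message already carries name=services and the target context, so parsing the record points at the file to inspect with ls -lZ. The function names and the choice of /etc as the search root are assumptions made for this sketch; SAMPLE_AVC is the report's raw audit message re-typed as one line.

```python
import os
import re

# Constructed sample: the raw audit message from the report, as a single line.
SAMPLE_AVC = (
    "avc: denied { read } for comm=ntpd dev=dm-0 egid=0 euid=0 "
    "exe=/usr/sbin/ntpd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=services "
    "pid=2142 scontext=system_u:system_r:ntpd_t:s0 sgid=0 "
    "subj=system_u:system_r:ntpd_t:s0 suid=0 tclass=file "
    "tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {}
    # Values in this record contain no spaces, so whitespace splitting is enough.
    for token in m.group(2).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def candidate_paths(rec, roots=("/etc",)):
    """name= holds only the last path component, so look for it under roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if rec["name"] in files:
                hits.append(os.path.join(dirpath, rec["name"]))
    return sorted(hits)

if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["comm"], rec["perms"], rec["name"], selinux_type(rec["tcontext"]))
    for path in candidate_paths(rec):
        print("check with: ls -lZ", path)
```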