Bug 430470 - s-p-t seems to be blocking ntpd
Summary: s-p-t seems to be blocking ntpd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-01-28 11:03 UTC by David Timms
Modified: 2008-02-27 13:16 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-02-26 22:09:40 UTC
Type: ---
Embargoed:



Description David Timms 2008-01-28 11:03:59 UTC
Description of problem:
setroubleshooter browser showing warning as time update is attempted.

Version-Release number of selected component (if applicable):
ntp-4.2.4p2-6.fc8
selinux-policy-targeted-3.0.8-76.fc8
setroubleshoot-1.10.7-1.fc8
setroubleshoot-plugins-1.10.4-1.fc8
setroubleshoot-server-1.10.7-1.fc8

How reproducible:
occurs in job run by cron

Actual results:
Summary
    SELinux is preventing the /usr/sbin/ntpd from using potentially mislabeled
    files (<Unknown>).

Detailed Description
    SELinux has denied /usr/sbin/ntpd access to potentially mislabeled file(s)
    (<Unknown>).  This means that SELinux will not allow /usr/sbin/ntpd to use
    these files.  It is common for users to edit files in their home directory
    or tmp directories and then move (mv) them to system directories.  The
    problem is that the files end up with the wrong file context which confined
    applications are not allowed to access.

Allowing Access
    If you want /usr/sbin/ntpd to access this files, you need to relabel them
    using restorecon -v <Unknown>.  You might want to relabel the entire
    directory using restorecon -R -v <Unknown>.

Additional Information        

Source Context                system_u:system_r:ntpd_t
Target Context                unconfined_u:object_r:rpm_script_tmp_t
Target Objects                None [ file ]
Affected RPM Packages         ntp-4.2.4p2-6.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     davidtdesktop
Platform                      Linux davidtdesktop 2.6.23.14-107.fc8 #1 SMP Mon
                              Jan 14 21:37:30 EST 2008 i686 athlon
Alert Count                   2
First Seen                    Mon 28 Jan 2008 09:54:21 EST
Last Seen                     Mon 28 Jan 2008 18:32:37 EST
Local ID                      1fcbc517-4487-4bf4-944c-d2b6033d2394
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=ntpd dev=dm-0 egid=0 euid=0 exe=/usr/sbin/ntpd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=services pid=2142
scontext=system_u:system_r:ntpd_t:s0 sgid=0 subj=system_u:system_r:ntpd_t:s0
suid=0 tclass=file tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tty=(none)
uid=0

Additional info:
The note says to restorecon <unknown> - that's a bit tricky ;-)
# ls -lZ /etc/nt*
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf.rpmnew

/etc/ntp:
drwxr-x---  root ntp  system_u:object_r:ntpd_key_t     crypto
-rw-------  root root system_u:object_r:ntpd_key_t     keys
-rw-r--r--  root root system_u:object_r:etc_t          ntpservers
-rw-r--r--  root root system_u:object_r:net_conf_t     step-tickers

# restorecon -v /etc/nt*
did not appear to change any contexts.

Comment 1 Daniel Walsh 2008-02-26 22:09:40 UTC
restorecon /etc/services

will fix.

This is caused by a bug in vmware.

Comment 2 David Timms 2008-02-27 13:16:23 UTC
Correct.
Installing the vmware-server rpm changes the context of /etc/services, as shown by
ls -lZ /etc/serv*; that causes at least ntp and sendmail to stop working.
Thanks.
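The denial in this report comes from a persistent file under /etc that carries a temporary-script label (rpm_script_tmp_t) instead of its policy default, so relabeling rather than policy change is the fix. As an added example that is not part of the bug report, here is a small Python parser for a raw AVC message like the one above: it extracts the source and target types and flags a file target whose type ends in _tmp_t as a likely mislabel, so an admin knows to dry-run restorecon before reaching for audit2allow. The sample lines (the report's own denial re-joined onto one line, plus a constructed contrast case) and the suffix rule are assumptions of this example.

```python
import re

# Constructed sample: the raw AVC message from the bug report, re-joined onto one line.
SAMPLE_AVC = (
    "avc: denied { read } for comm=ntpd dev=dm-0 egid=0 euid=0 exe=/usr/sbin/ntpd "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=services pid=2142 "
    "scontext=system_u:system_r:ntpd_t:s0 sgid=0 subj=system_u:system_r:ntpd_t:s0 "
    "suid=0 tclass=file tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0"
)

# Constructed contrast case: same daemon denied on a file that carries a normal
# persistent label, which points at a policy gap rather than a labeling problem.
SAMPLE_POLICY_GAP = (
    "avc: denied { write } for comm=ntpd name=drift pid=2142 "
    "scontext=system_u:system_r:ntpd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0"
)

# Type suffixes that mark temporary/script objects; a persistent file under /etc
# carrying one of these is the "installed or moved with the wrong context" pattern.
SUSPECT_TYPE_SUFFIXES = ("_tmp_t",)

def parse_avc(line: str) -> dict:
    """Split an AVC denial into its permission set and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {"perms": m.group(1).split()}
    fields.update(re.findall(r"(\w+)=(\S+)", m.group(2)))
    return fields

def type_of(context: str) -> str:
    """user:role:type[:level] -> type component."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def classify(fields: dict) -> dict:
    """Decide whether a denial looks like a labeling problem rather than a policy gap."""
    ttype = type_of(fields.get("tcontext", ""))
    name = fields.get("name", "<Unknown>")
    mislabel = fields.get("tclass") == "file" and ttype.endswith(SUSPECT_TYPE_SUFFIXES)
    # The AVC record carries only the basename, so the admin still has to locate the
    # file; -n makes restorecon report what it would change without touching anything.
    hint = f"restorecon -n -v <path to '{name}'>" if mislabel else "review policy (audit2why)"
    return {"source_type": type_of(fields.get("scontext", "")), "target_type": ttype,
            "target_name": name, "likely_mislabel": mislabel, "next_step": hint}

if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_POLICY_GAP):
        print(classify(parse_avc(line)))
```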
