Bug 461401 - Selinux prevents ntpd from starting
Summary: Selinux prevents ntpd from starting
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-09-07 10:02 UTC by Paul Smith
Modified: 2008-09-07 14:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-07 14:23:55 UTC
Type: ---
Embargoed:



Description Paul Smith 2008-09-07 10:02:31 UTC
The messages that I get are:

--------------------

Summary:

SELinux is preventing the ntpd from using potentially mislabeled files
(./services).

Detailed Description:

SELinux has denied ntpd access to potentially mislabeled file(s) (./services).
This means that SELinux will not allow ntpd to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want ntpd to access this files, you need to relabel them using restorecon
-v './services'. You might want to relabel the entire directory using restorecon
-R -v '.'.

Additional Information:

Source Context                unconfined_u:system_r:ntpd_t:s0
Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
Target Objects                ./services [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          mypc
Source RPM Packages           ntp-4.2.4p4-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     mypc
Platform                      Linux mypc 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4
                              14:08:11 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Sun 07 Sep 2008 10:56:25 AM WEST
Last Seen                     Sun 07 Sep 2008 10:56:27 AM WEST
Local ID                      c66e6354-b26d-442a-bae7-c12aaa44acea
Line Numbers                  

Raw Audit Messages            

host=mypc type=AVC msg=audit(1220781387.527:58): avc:  denied  { read } for  pid=4798 comm="ntpd" name="services" dev=dm-0 ino=11649032 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

host=mypc type=SYSCALL msg=audit(1220781387.527:58): arch=40000003 syscall=5 success=no exit=-13 a0=457f06 a1=80000 a2=1b6 a3=80000 items=0 ppid=4797 pid=4798 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

--------------------

Paul

Comment 1 Paul Smith 2008-09-07 14:23:55 UTC
The problem was solved with a relabeling. So, it is not a bug, and I am going
to close it.

Paul
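
The AVC record in the description can be read mechanically to reach the same conclusion as the thread (a relabel, not a policy change). The following is an added example, not part of the original report or of setroubleshoot: it parses that record and applies a simple triage rule. The function names and the suffix list are assumptions made for illustration.

```python
import re

# AVC record copied from the bug description above.
AVC_LINE = (
    'host=mypc type=AVC msg=audit(1220781387.527:58): avc:  denied  { read } for  '
    'pid=4798 comm="ntpd" name="services" dev=dm-0 ino=11649032 '
    'scontext=unconfined_u:system_r:ntpd_t:s0 '
    'tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)

# Assumption for this example: target types ending in these suffixes mark
# files created in temporary or home locations, the case the alert describes.
TRANSIENT_SUFFIXES = ("tmp_t", "home_t", "tmpfs_t")


def parse_avc(line):
    """Return a dict of the fields in one AVC audit record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"serial": int(m.group("serial")),
           "result": m.group("result"),
           "perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the level may contain colons itself.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    return rec


def triage(rec):
    """Return 'relabel' when the denied target carries a transient type."""
    if rec is None or rec["result"] != "denied":
        return "ignore"
    if rec.get("tcontext_type", "").endswith(TRANSIENT_SUFFIXES):
        return "relabel"
    return "review-policy"


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(record["comm"], record["perms"], record["tcontext_type"], triage(record))
```

A "relabel" result corresponds to the restorecon step quoted in the alert; any other denied record is left for policy review rather than relabeled automatically.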

