The /etc/dhcp/dhclient.d/ntp.sh file needs to be updated with the changes referenced in this patch.

+++ This bug was initially created as a clone of Bug #488470 +++

Description of problem:
ntpd fails to synchronize to any ntp servers, since it is denied access to /etc/ntp.conf

Version-Release number of selected component (if applicable):
selinux-policy-3.6.6.-8

How reproducible:
Always

Steps to Reproduce:
1. Run selinux in enforcing mode
2. /etc/init.d/ntpd restart
3.

Actual results:
ntpq -p returns:
No association ID's returned

Expected results:
ntpq -p returns:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 sites.urchin.ea 193.201.201.18   4 u   11   64    1   35.835   -1.872   0.002
 scarlett.lon.re 192.36.144.23    2 u   10   64    1   36.961   -2.837   0.002
 ntp1.arse.org   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lyla.preshweb.c 130.88.200.6     3 u    8   64    1   34.037   -2.130   0.002
 ntp4.ja.net     .DCFa.           1 u    7   64    1   37.139   -1.534   0.002
or something similar

Additional info:
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.657:553): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf9f5730 a2=46fff4 a3=29ac548 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

and also

node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.629:552): arch=40000003 syscall=5 success=yes exit=4 a0=bb5b1a a1=0 a2=1b6 a3=0 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

--- Additional comment from dwalsh on 2009-03-04 10:31:33 EDT ---

This looks like this file was created by dhclient? in the /var/lib/dhclient directory and then moved into /etc/ntp.conf.

If dhclient is doing this it should run restorecon on the file when it is done.

restorecon -R -v /etc/ntp.conf

Will fix.

--- Additional comment from dwalsh on 2009-03-04 10:33:04 EDT ---

Created an attachment (id=334005)
Patch to run restorecon on all files created by dhclient
Is this something that needs to be fixed in ntp package? The /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

Anyway, /sbin/dhclient-script needs the following patch to actually call the functions from the ntp script.

@@ -364,7 +364,9 @@ for f in /etc/dhcp/dhclient.d/*.sh ; do if [ -x ${f} ]; then subsystem="${f%.sh}" - . ${f} "${subsystem}_config" + subsystem="${subsystem##*/}" + . ${f} + "${subsystem}_config" fi done fi
@@ -490,7 +492,9 @@ for f in /etc/dhcp/dhclient.d/*.sh ; do if [ -x ${f} ]; then subsystem="${f%.sh}" - . ${f} "${subsystem}_restore" + subsystem="${subsystem##*/}" + . ${f} + "${subsystem}_restore" fi done fi
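Review bot: the removed line `. ${f} "${subsystem}_config"` never invokes the hook function; the second word is only handed to the sourced file as a positional parameter, so ntp.sh's functions get defined and the restorecon call inside `ntp_config` never runs. Sourcing first and then calling `"${subsystem}_config"` on its own line, as the hunk does, is the right fix, and the added `subsystem="${subsystem##*/}"` is required rather than cosmetic: `${f%.sh}` only drops the suffix and still carries the `/etc/dhcp/dhclient.d/` prefix, so without it the call would be to a nonexistent path instead of the shell function. Two minor points for the same lines: `${f}` is unquoted in both `[ -x ${f} ]` and `. ${f}`, and a hook that does not define the expected function will produce a "command not found" error on the new call line; consider guarding it with `type "${subsystem}_config" >/dev/null 2>&1 && "${subsystem}_config"`. The second hunk (`_restore`) has exactly the same shape and the same remarks apply.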
(In reply to comment #1)
> Is this something that needs to be fixed in ntp package? The
> /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

No, you don't need to change anything in ntp.sh if it calls restorecon already. I created this bug so you'd check ntp.sh and change it if necessary.

> Anyway, /sbin/dhclient-script needs the following patch to actually call the
> functions from the ntp script.
>
> @@ -364,7 +364,9 @@ > for f in /etc/dhcp/dhclient.d/*.sh ; do > if [ -x ${f} ]; then > subsystem="${f%.sh}" > - . ${f} "${subsystem}_config" > + subsystem="${subsystem##*/}" > + . ${f} > + "${subsystem}_config" > fi > done > fi
> @@ -490,7 +492,9 @@ > for f in /etc/dhcp/dhclient.d/*.sh ; do > if [ -x ${f} ]; then > subsystem="${f%.sh}" > - . ${f} "${subsystem}_restore" > + subsystem="${subsystem##*/}" > + . ${f} > + "${subsystem}_restore" > fi > done > fi

The following line:

subsystem="${f%.sh}"

Does the same as:

subsystem="${subsystem##*/}"

The '.' and call to the config and restore functions are on the same line in the current script, but you break it out into separate lines. Does this matter?
Correction,

subsystem="${f%.sh}"

Gives $subsystem "ntp" as the value. Why do I need:

subsystem="${subsystem##*/}"

?
%.sh removes only the .sh suffix, ##*/ will remove /etc/dhcp/dhclient.d/ from the beginning. Using subsystem=$(basename "$f" .sh) should do the same. As for the . command, I'm not sure what exactly is the syntax, but it doesn't work for me without the patch.
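The two points argued in the thread, the `%.sh` versus `##*/` expansions and why `. file name` never calls the function, can be reproduced without touching a real system. The script below is an added example, not the dhclient-script or ntp.sh from this bug; it rebuilds the hook-dispatch loop before and after the patch against a constructed temporary hook directory with a stand-in ntp.sh that only defines functions.

```shell
#!/bin/sh
# Added example (not code from this bug): dhclient-script's hook loop, pre- and
# post-patch, run against a constructed stand-in for /etc/dhcp/dhclient.d/.
HOOKDIR=$(mktemp -d)
trap 'rm -rf "$HOOKDIR"' EXIT
cat > "$HOOKDIR/ntp.sh" <<'EOF'
# Constructed stand-in for ntp.sh: like the real hook, it only defines functions.
ntp_config()  { HOOK_RAN=config; }
ntp_restore() { HOOK_RAN=restore; }
EOF
chmod +x "$HOOKDIR/ntp.sh"

# %.sh strips only the suffix (directory stays); ##*/ then strips the directory.
suffix_stripped() { printf '%s\n' "${1%.sh}"; }
hook_name() { s="${1%.sh}"; printf '%s\n' "${s##*/}"; }

# Pre-patch loop: the function name is handed to the sourced file as $1, so the
# hook's functions get defined but none of them is ever called.
run_hooks_old() {
    HOOK_RAN=none
    for f in "$HOOKDIR"/*.sh ; do
        if [ -x "$f" ]; then
            subsystem="${f%.sh}"              # still carries the directory
            . "$f" "${subsystem}_config"      # sources only; nothing invoked
        fi
    done
    echo "$HOOK_RAN"
}

# Patched loop: derive the bare name, source the hook, then call the function.
# $1 is the phase ("config" or "restore"), matching the two hunks in the patch.
run_hooks_new() {
    phase=$1
    HOOK_RAN=none
    for f in "$HOOKDIR"/*.sh ; do
        if [ -x "$f" ]; then
            subsystem="${f%.sh}"
            subsystem="${subsystem##*/}"      # .../ntp -> ntp
            . "$f"
            "${subsystem}_${phase}"           # ntp_config or ntp_restore
        fi
    done
    echo "$HOOK_RAN"
}

echo "old: $(run_hooks_old)  new/config: $(run_hooks_new config)  new/restore: $(run_hooks_new restore)"
```

With the pre-patch loop the output stays at "none", which is the silent failure behind the stale `dhcpc_state_t` label on /etc/ntp.conf: the hook that would have run restorecon was never executed.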
Thanks for the clarification. Fixed in dhcp-4.1.0-12.fc11