Bug 488864 - selinux is preventing ntpd access to /etc/ntp.conf
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dhcp
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: David Cantrell
QA Contact: Fedora Extras Quality Assurance
Depends On: 488470
Reported: 2009-03-05 19:49 EST by David Cantrell
Modified: 2009-03-11 15:14 EDT (History)

Doc Type: Bug Fix
Clone Of: 488470
Last Closed: 2009-03-11 15:14:50 EDT
Description David Cantrell 2009-03-05 19:49:12 EST
The /etc/dhcp/dhclient.d/ntp.sh file needs to be updated with the changes referenced in this patch.

+++ This bug was initially created as a clone of Bug #488470 +++

Description of problem:
ntpd fails to synchronize to any ntp servers, since it is denied access to /etc/ntp.conf

Version-Release number of selected component (if applicable):
selinux-policy-3.6.6.-8

How reproducible:
Always

Steps to Reproduce:
1. Run selinux in enforcing mode
2. /etc/init.d/ntpd restart
Actual results:
ntpq -p returns:
No association ID's returned

Expected results:
ntpq -p returns:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 sites.urchin.ea 193.201.201.18   4 u   11   64    1   35.835   -1.872   0.002
 scarlett.lon.re 192.36.144.23    2 u   10   64    1   36.961   -2.837   0.002
 ntp1.arse.org   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lyla.preshweb.c 130.88.200.6     3 u    8   64    1   34.037   -2.130   0.002
 ntp4.ja.net     .DCFa.           1 u    7   64    1   37.139   -1.534   0.002

or something similar

Additional info:
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.657:553): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf9f5730 a2=46fff4 a3=29ac548 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

and also

node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.629:552): arch=40000003 syscall=5 success=yes exit=4 a0=bb5b1a a1=0 a2=1b6 a3=0 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

--- Additional comment from dwalsh@redhat.com on 2009-03-04 10:31:33 EDT ---

This looks like this file was created by dhclient? in the /var/lib/dhclient directory and then moved into /etc/ntp.conf. If dhclient is doing this it should run restorecon on the file when it is done.

restorecon -R -v /etc/ntp.conf 

Will fix.

--- Additional comment from dwalsh@redhat.com on 2009-03-04 10:33:04 EDT ---

Created an attachment (id=334005)
Patch to run restorecon on all files created by dhclient
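The "move into place, then restorecon" pattern that the attached patch applies, as an added example that is not dhclient's or ntp's own code. It assumes two temporary directories standing in for /var/lib/dhclient and /etc, constructed RFC 5737 server addresses, and that the relabel step is skipped when SELinux tooling is absent or SELinux is disabled:

```sh
#!/bin/sh
# Added example (not dhclient-script or ntp.sh): stage a generated ntp.conf,
# rename it into place atomically, then relabel it with restorecon.
# Assumptions: the staging and target directories are mktemp directories
# (standing in for /var/lib/dhclient and /etc), the server addresses are
# constructed RFC 5737 values, and the relabel step is skipped when
# selinuxenabled is missing or reports SELinux as disabled.

# make_ntp_conf DIR SERVER...: write a constructed ntp.conf into the staging
# directory DIR and print its path. On an SELinux system a file created here
# inherits the directory's default label (dhcpc_state_t under
# /var/lib/dhclient), which is exactly the label ntpd_t was denied in the AVCs.
make_ntp_conf() {
    dir=$1
    shift
    out="$dir/ntp.conf"
    : > "$out" || return 1
    for s in "$@"; do
        printf 'server %s iburst\n' "$s" >> "$out" || return 1
    done
    printf '%s\n' "$out"
}

# install_conf SRC DST: rename SRC onto DST (atomic on one filesystem, so a
# reader never sees a half-written config), then relabel DST. A rename keeps
# the inode and therefore the label the file got in the staging directory;
# restorecon resets it to what the policy's file_contexts entry for DST says.
install_conf() {
    src=$1
    dst=$2
    mv -f -- "$src" "$dst" || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -v "$dst" || return 1
    fi
    return 0
}

# server_count FILE: number of "server" lines in FILE, used to check the result.
server_count() {
    grep -c '^server ' "$1"
}

# Stand-alone run: stage a file in one temp dir and install it into another.
staging=$(mktemp -d)
target=$(mktemp -d)
conf=$(make_ntp_conf "$staging" 192.0.2.10 192.0.2.11)
install_conf "$conf" "$target/ntp.conf" && echo "installed $(server_count "$target/ntp.conf") servers into $target/ntp.conf"
```

Without SELinux the rename alone is enough; with it, the rename is what carries the wrong label across, so the restorecon call belongs right after the mv, not somewhere later in the script where an early exit can skip it.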
Comment 1 Miroslav Lichvar 2009-03-09 11:38:10 EDT
Is this something that needs to be fixed in ntp package? The /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

Anyway, /sbin/dhclient-script needs the following patch to actually call the functions from the ntp script.

@@ -364,7 +364,9 @@
         for f in /etc/dhcp/dhclient.d/*.sh ; do
             if [ -x ${f} ]; then
                 subsystem="${f%.sh}"
-                . ${f} "${subsystem}_config"
+                subsystem="${subsystem##*/}"
+                . ${f}
+                "${subsystem}_config"
             fi
         done
     fi
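Review bot: the split of `. ${f} "${subsystem}_config"` into `. ${f}` followed by `"${subsystem}_config"` is the part that actually fixes the bug, and it deserves a sentence in the changelog: anything after the path in a `.` command becomes a positional parameter of the sourced script (or is ignored, depending on the shell), so the `_config` function the hook defines was never invoked. The added `subsystem="${subsystem##*/}"` is also required rather than cosmetic, because `${f%.sh}` only strips the suffix and leaves `/etc/dhcp/dhclient.d/ntp`, which is not a callable function name; `subsystem=$(basename "$f" .sh)` would do both steps in one line. While here, quote `"${f}"` in the `-x` test and the `.` command so a hook path containing whitespace is not word-split.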
@@ -490,7 +492,9 @@
             for f in /etc/dhcp/dhclient.d/*.sh ; do
                 if [ -x ${f} ]; then
                     subsystem="${f%.sh}"
-                    . ${f} "${subsystem}_restore"
+                    subsystem="${subsystem##*/}"
+                    . ${f}
+                    "${subsystem}_restore"
                 fi
             done
         fi
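Review bot: `"${subsystem}_restore"` is now called unconditionally after sourcing, so a hook under /etc/dhcp/dhclient.d that defines only a `_config` function (or neither) will produce a `command not found` error during the restore pass. Guard the call, e.g. `command -v "${subsystem}_restore" >/dev/null 2>&1 && "${subsystem}_restore"`, or better, factor the two near-identical loops into one helper that takes the suffix (`config` or `restore`) as a parameter so the two copies cannot drift apart again.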
Comment 2 David Cantrell 2009-03-09 16:30:47 EDT
(In reply to comment #1)
> Is this something that needs to be fixed in ntp package? The
> /etc/dhcp/dhclient.d/ntp.sh script calls restorecon.

No, you don't need to change anything in ntp.sh if it calls restorecon already.  I created this bug so you'd check ntp.sh and change it if necessary.

> Anyway, /sbin/dhclient-script needs the following patch to actually call the
> functions from the ntp script.
> 
> @@ -364,7 +364,9 @@
>          for f in /etc/dhcp/dhclient.d/*.sh ; do
>              if [ -x ${f} ]; then
>                  subsystem="${f%.sh}"
> -                . ${f} "${subsystem}_config"
> +                subsystem="${subsystem##*/}"
> +                . ${f}
> +                "${subsystem}_config"
>              fi
>          done
>      fi
> @@ -490,7 +492,9 @@
>              for f in /etc/dhcp/dhclient.d/*.sh ; do
>                  if [ -x ${f} ]; then
>                      subsystem="${f%.sh}"
> -                    . ${f} "${subsystem}_restore"
> +                    subsystem="${subsystem##*/}"
> +                    . ${f}
> +                    "${subsystem}_restore"
>                  fi
>              done
>          fi  

The following line:

    subsystem="${f%.sh}"

Does the same as:

    subsystem="${subsystem##*/}"

The '.' and call to the config and restore functions are on the same line in the current script, but you break it out into separate lines.  Does this matter?
Comment 3 David Cantrell 2009-03-09 16:32:14 EDT
Correction,

    subsystem="${f%.sh}"

Gives $subsystem "ntp" as the value.  Why do I need:

    subsystem="${subsystem##*/}"

?
Comment 4 Miroslav Lichvar 2009-03-10 04:59:47 EDT
%.sh removes only the .sh suffix, ##*/ will remove /etc/dhcp/dhclient.d/ from the beginning. Using subsystem=$(basename "$f" .sh) should do the same.

As for the . command, I'm not sure what exactly is the syntax, but it doesn't work for me without the patch.
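The two points argued in comments 1 through 4 (what `${f%.sh}` versus `${s##*/}` produce, and why sourcing and calling on one line never runs the hook's function), as an added example that is not the dhclient-script source. HOOKDIR is a temporary directory standing in for /etc/dhcp/dhclient.d, and the single hook script in it is constructed here:

```sh
#!/bin/sh
# Added example (not dhclient-script): run one constructed hook the unpatched
# way and the patched way and report whether its _config function ran.
# Assumption: HOOKDIR is a mktemp directory standing in for
# /etc/dhcp/dhclient.d; the ntp.sh hook inside it is constructed below.

HOOKDIR=$(mktemp -d)
cat > "$HOOKDIR/ntp.sh" <<'EOF'
# constructed hook: defines the function dhclient-script is expected to call
ntp_config() { NTP_CONFIG_CALLED=yes; }
EOF
chmod +x "$HOOKDIR/ntp.sh"

# subsystem_name PATH: the name the patched script derives from a hook path.
# ${1%.sh} strips only the suffix; ${s##*/} then strips the directory part,
# so /etc/dhcp/dhclient.d/ntp.sh becomes "ntp".
subsystem_name() {
    s="${1%.sh}"
    s="${s##*/}"
    printf '%s\n' "$s"
}

# run_hooks_old: the unpatched loop. The word after the path in the "."
# command becomes a positional parameter of the sourced script (bash) or is
# ignored (other shells); in no shell does it invoke the function, and the
# name passed would have been <dir>/ntp_config in any case.
run_hooks_old() {
    NTP_CONFIG_CALLED=no
    for f in "$HOOKDIR"/*.sh; do
        [ -x "$f" ] || continue
        subsystem="${f%.sh}"
        . "$f" "${subsystem}_config"
    done
    printf 'called=%s\n' "$NTP_CONFIG_CALLED"
}

# run_hooks_new: the patched loop, sourcing first and then invoking the
# function as its own command, guarded so a hook that does not define the
# function does not abort the run with "command not found".
run_hooks_new() {
    NTP_CONFIG_CALLED=no
    for f in "$HOOKDIR"/*.sh; do
        [ -x "$f" ] || continue
        subsystem=$(subsystem_name "$f")
        . "$f"
        if command -v "${subsystem}_config" >/dev/null 2>&1; then
            "${subsystem}_config"
        fi
    done
    printf 'called=%s\n' "$NTP_CONFIG_CALLED"
}

run_hooks_old   # prints called=no
run_hooks_new   # prints called=yes
```

The `command -v` guard is not in the posted patch; it is the extra check a reviewer would ask for, since the restore loop will otherwise fail on any hook that defines only a `_config` function.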
Comment 5 David Cantrell 2009-03-11 15:14:50 EDT
Thanks for the clarification.  Fixed in dhcp-4.1.0-12.fc11
