Bug 488865 - selinux is preventing ntpd access to /etc/ntp.conf
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ypbind
Version: 11
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Karel Klíč
QA Contact: Fedora Extras Quality Assurance
Depends On: 488470
Reported: 2009-03-05 19:52 EST by David Cantrell
Modified: 2013-03-03 17:59 EST
Doc Type: Bug Fix
Clone Of: 488470
Last Closed: 2009-12-11 10:40:47 EST

Description David Cantrell 2009-03-05 19:52:24 EST
The /etc/dhcp/dhclient.d/yp.sh file needs to be updated with the changes
referenced in this patch.

I also notice that ypbind is not yet providing /etc/dhcp/dhclient.d/yp.sh, so that should happen too.

+++ This bug was initially created as a clone of Bug #488470 +++

Description of problem:
ntpd fails to synchronize to any ntp servers, since it is denied access to /etc/ntp.conf

Version-Release number of selected component (if applicable):
selinux-policy-3.6.6.-8

How reproducible:
Always

Steps to Reproduce:
1. Run selinux in enforcing mode
2. /etc/init.d/ntpd restart
3.
  
Actual results:
ntpq -p returns:
No association ID's returned

Expected results:
ntpq -p returns:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 sites.urchin.ea 193.201.201.18   4 u   11   64    1   35.835   -1.872   0.002
 scarlett.lon.re 192.36.144.23    2 u   10   64    1   36.961   -2.837   0.002
 ntp1.arse.org   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lyla.preshweb.c 130.88.200.6     3 u    8   64    1   34.037   -2.130   0.002
 ntp4.ja.net     .DCFa.           1 u    7   64    1   37.139   -1.534   0.002

or something similar

Additional info:
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.657:553): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf9f5730 a2=46fff4 a3=29ac548 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

and also

node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
node=samson.armitage.org.uk type=SYSCALL msg=audit(1236177107.629:552): arch=40000003 syscall=5 success=yes exit=4 a0=bb5b1a a1=0 a2=1b6 a3=0 items=0 ppid=6696 pid=6697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

--- Additional comment from dwalsh@redhat.com on 2009-03-04 10:31:33 EDT ---

This looks like this file was created by dhclient? in the /var/lib/dhclient directory and then moved into /etc/ntp.conf.  If dhclient is doing this it should run restorecon on the file when  it is done.

restorecon -R -v /etc/ntp.conf 

Will fix.

--- Additional comment from dwalsh@redhat.com on 2009-03-04 10:33:04 EDT ---

Created an attachment (id=334005)
Patch to run restorecon on all files created by dhclient
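
Added example, not part of the bug report or of any Fedora tooling: a Python triage sketch that groups the AVC denials quoted above by device and inode, recovers the full path from whichever record carries it, and flags a file whose type belongs to another daemon's state directory, which is the case where relabeling with restorecon is the fix rather than a new allow rule. The STATE_TYPES mapping and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# AVC records from the report above; the node= prefix and the SYSCALL
# records are trimmed for brevity.
SAMPLE = '''\
type=AVC msg=audit(1236177107.629:552): avc: denied { read } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(1236177107.629:552): avc: denied { open } for pid=6697 comm="ntpd" name="ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=AVC msg=audit(1236177107.657:553): avc: denied { getattr } for pid=6697 comm="ntpd" path="/etc/ntp.conf" dev=dm-0 ino=1039455 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: file types that should only appear inside a
# daemon's private state directory (directory taken from the comment above).
STATE_TYPES = {"dhcpc_state_t": "/var/lib/dhclient"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def find_mislabeled(log_text, state_types=STATE_TYPES):
    # Some records carry only name=, others path=; keying on (dev, ino)
    # lets every denial against the same file share the one known path.
    objects = defaultdict(lambda: {"perms": set(), "path": None, "comm": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = objects[(rec["dev"], rec["ino"], rec["tcontext"])]
        obj["perms"].update(rec["perms"])
        obj["comm"] = rec["comm"]
        obj["path"] = rec.get("path") or obj["path"]
    findings = []
    for (_dev, _ino, tcontext), obj in objects.items():
        ttype = tcontext.split(":")[2]          # user:role:type:level
        home, path = state_types.get(ttype), obj["path"]
        if home and path and not path.startswith(home + "/"):
            findings.append({"path": path, "type": ttype, "comm": obj["comm"],
                             "perms": sorted(obj["perms"]),
                             "fix": f"restorecon -v {path}"})
    return findings
```

Calling find_mislabeled(SAMPLE) reports /etc/ntp.conf once, with the three denied permissions merged and the relabel command as the suggested fix.
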
Comment 1 Vitezslav Crhonek 2009-03-18 08:20:22 EDT
Hi David,

ypbind is providing /etc/dhcp/dhclient.d/nis.sh (attached in your mail). It should be renamed to /etc/dhcp/dhclient.d/yp.sh?

nis.sh is updated in CVS, please check it before I do a new build.
Comment 2 Bug Zapper 2009-06-09 07:56:27 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Karel Klíč 2009-12-11 10:40:47 EST
The /etc/dhcp/dhclient.d/yp.sh (nis.sh in F-11) seems to be updated with the changes referenced in the patch as requested.

I am closing this bug. Please reopen if some problem occurs.
