Description of problem:
Can't use GUI date & time application to update system time using ntp when user's home dir is NFS mounted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-49.fc10.noarch

How reproducible:
Always

Steps to Reproduce:
1. In Gnome, select System -> Administration -> Date & Time.
2. Authenticate as root
3. Select Network Time Protocol tab
4. Check "Synchronize .. before starting service"
5. Click OK

Actual results:
Audit log indicates that ntpd could not read ~/.xsession-errors, and time is not set by ntp.

Expected results:
Time should be updated.

Additional info:

Source Context: unconfined_u:system_r:ntpd_t:s0
Target Context: system_u:object_r:nfs_t:s0
Target Objects: /home/gordon/.xsession-errors [ file ]
Source: ntpd
Source Path: /usr/sbin/ntpd
Port: <Unknown>
Host: herald.private.dragonsdawn.net
Source RPM Packages: ntp-4.2.4p6-1.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-49.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: use_nfs_home_dirs
Host Name: herald.private.dragonsdawn.net
Platform: Linux herald.private.dragonsdawn.net 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count: 2
First Seen: Wed 25 Mar 2009 02:06:32 AM PDT
Last Seen: Wed 25 Mar 2009 02:08:35 AM PDT
Local ID: 45c97bea-04bb-48c2-bd90-f22e3cca090a
Line Numbers:

Raw Audit Messages :

node=herald.private.dragonsdawn.net type=AVC msg=audit(1237972115.770:158): avc: denied { read } for pid=4607 comm="ntpd" path="/home/gordon/.xsession-errors" dev=0:13 ino=12517378 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

node=herald.private.dragonsdawn.net type=SYSCALL msg=audit(1237972115.770:158): arch=c000003e syscall=59 success=yes exit=0 a0=1d7a730 a1=1d795c0 a2=1d7af10 a3=8 items=0 ppid=4606 pid=4607 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
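An added example, not part of the original report or of the selinux-policy project: it joins the AVC and SYSCALL records quoted above by audit event id and flags file denials logged during a successful execve (syscall 59 on x86_64). Reading that pattern as a descriptor inherited from the launching session is this example's heuristic, and the function names are hypothetical.

```python
import re

# The two audit records from the report above; they share event id 1237972115.770:158.
SAMPLE = '''\
node=herald.private.dragonsdawn.net type=AVC msg=audit(1237972115.770:158): avc: denied { read } for pid=4607 comm="ntpd" path="/home/gordon/.xsession-errors" dev=0:13 ino=12517378 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
node=herald.private.dragonsdawn.net type=SYSCALL msg=audit(1237972115.770:158): arch=c000003e syscall=59 success=yes exit=0 a0=1d7a730 a1=1d795c0 a2=1d7af10 a3=8 items=0 ppid=4606 pid=4607 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
EXECVE = {("c000003e", "59")}  # (arch, syscall) pair for execve on x86_64

def parse(log):
    """Group audit records by event id: {event_id: {record_type: [fields, ...]}}."""
    events = {}
    for line in log.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        body = line[m.end():]
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault(event_id, {}).setdefault(rtype, []).append(rec)
    return events

def inherited_fd_denials(events):
    """Return file denials logged while execve() itself succeeded (heuristic)."""
    hits = []
    for event_id, recs in events.items():
        sc = (recs.get("SYSCALL") or [{}])[0]
        if (sc.get("arch"), sc.get("syscall")) not in EXECVE or sc.get("success") != "yes":
            continue  # denial came from an ordinary open/read, or the exec failed
        for avc in recs.get("AVC", []):
            if avc.get("tclass") != "file":
                continue
            hits.append({
                "event": event_id,
                "domain": avc["scontext"].split(":")[2],       # e.g. ntpd_t
                "target_type": avc["tcontext"].split(":")[2],  # e.g. nfs_t
                "path": avc.get("path"),
                "perms": avc["perms"],
                "exe": sc.get("exe"),
                "auid": sc.get("auid"),  # login uid of the session that launched it
            })
    return hits
```
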
Miroslav, in init.if could you change the bottom to the following:

optional_policy(`
	xserver_rw_xdm_home_files(daemon)
	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files(daemon)
	')
	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files(daemon)
	')
')
Fixed in selinux-policy-3.5.13-54.fc10