This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 492464 - policy prevents ntpd from accessing .xsession-errors on NFS home dir
policy prevents ntpd from accessing .xsession-errors on NFS home dir
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-26 16:44 EDT by Gordon Messmer
Modified: 2009-11-10 02:32 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-10 02:32:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gordon Messmer 2009-03-26 16:44:48 EDT
Description of problem:
Can't use GUI date & time application to update system time using ntp when user's home dir is NFS mounted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-49.fc10.noarch

How reproducible:
Always

Steps to Reproduce:
1. In Gnome, select System -> Administration -> Date & Time.
2. Authenticate as root
3. Select Network Time Protocol tab
4. Check "Synchronize .. before starting service"
5. Click OK
  
Actual results:
Audit log indicates that ntpd could not read ~/.xsession-errors, and time is not set by ntp.

Expected results:
Time should be updated.

Additional info:
Source Context:  unconfined_u:system_r:ntpd_t:s0
Target Context:  system_u:object_r:nfs_t:s0
Target Objects:  /home/gordon/.xsession-errors [ file ]
Source:  ntpd
Source Path:  /usr/sbin/ntpd
Port:  <Unknown>
Host:  herald.private.dragonsdawn.net
Source RPM Packages:  ntp-4.2.4p6-1.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-49.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  use_nfs_home_dirs
Host Name:  herald.private.dragonsdawn.net
Platform:  Linux herald.private.dragonsdawn.net 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count:  2
First Seen:  Wed 25 Mar 2009 02:06:32 AM PDT
Last Seen:  Wed 25 Mar 2009 02:08:35 AM PDT
Local ID:  45c97bea-04bb-48c2-bd90-f22e3cca090a
Line Numbers:  

Raw Audit Messages :

node=herald.private.dragonsdawn.net type=AVC msg=audit(1237972115.770:158): avc: denied { read } for pid=4607 comm="ntpd" path="/home/gordon/.xsession-errors" dev=0:13 ino=12517378 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file 

node=herald.private.dragonsdawn.net type=SYSCALL msg=audit(1237972115.770:158): arch=c000003e syscall=59 success=yes exit=0 a0=1d7a730 a1=1d795c0 a2=1d7af10 a3=8 items=0 ppid=4606 pid=4607 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-03-26 21:06:44 EDT
Miroslav in init.if could you add change the bottom to the following

optional_policy(`
	xserver_rw_xdm_home_files(daemon)
	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files(daemon)
	')
	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files(daemon)
	')
')\
Comment 2 Miroslav Grepl 2009-03-30 12:24:49 EDT
Fixed in selinux-policy-3.5.13-54.fc10

Note You need to log in before you can comment on or make changes to this bug.