Bug 492464 - policy prevents ntpd from accessing .xsession-errors on NFS home dir
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2009-03-26 20:44 UTC by Gordon Messmer
Modified: 2009-11-10 07:32 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-11-10 07:32:31 UTC


Description Gordon Messmer 2009-03-26 20:44:48 UTC
Description of problem:
Can't use GUI date & time application to update system time using ntp when user's home dir is NFS mounted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-49.fc10.noarch

How reproducible:
Always

Steps to Reproduce:
1. In Gnome, select System -> Administration -> Date & Time.
2. Authenticate as root
3. Select Network Time Protocol tab
4. Check "Synchronize .. before starting service"
5. Click OK
  
Actual results:
Audit log indicates that ntpd could not read ~/.xsession-errors, and time is not set by ntp.

Expected results:
Time should be updated.

Additional info:
Source Context:  unconfined_u:system_r:ntpd_t:s0
Target Context:  system_u:object_r:nfs_t:s0
Target Objects:  /home/gordon/.xsession-errors [ file ]
Source:  ntpd
Source Path:  /usr/sbin/ntpd
Port:  <Unknown>
Host:  herald.private.dragonsdawn.net
Source RPM Packages:  ntp-4.2.4p6-1.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-49.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  use_nfs_home_dirs
Host Name:  herald.private.dragonsdawn.net
Platform:  Linux herald.private.dragonsdawn.net 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count:  2
First Seen:  Wed 25 Mar 2009 02:06:32 AM PDT
Last Seen:  Wed 25 Mar 2009 02:08:35 AM PDT
Local ID:  45c97bea-04bb-48c2-bd90-f22e3cca090a
Line Numbers:  

Raw Audit Messages :

node=herald.private.dragonsdawn.net type=AVC msg=audit(1237972115.770:158): avc: denied { read } for pid=4607 comm="ntpd" path="/home/gordon/.xsession-errors" dev=0:13 ino=12517378 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file 

node=herald.private.dragonsdawn.net type=SYSCALL msg=audit(1237972115.770:158): arch=c000003e syscall=59 success=yes exit=0 a0=1d7a730 a1=1d795c0 a2=1d7af10 a3=8 items=0 ppid=4606 pid=4607 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-03-27 01:06:44 UTC
Miroslav, in init.if could you add/change the bottom to the following:

optional_policy(`
	# Let daemons use the xdm session's home files (the inherited
	# ~/.xsession-errors descriptor), and stop auditing the same access on
	# NFS/CIFS-mounted home directories when the matching boolean is on.
	xserver_rw_xdm_home_files(daemon)
	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files(daemon)
	')
	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files(daemon)
	')
')
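
Added triage helper, not code from this bug or from the selinux-policy package: it parses the AVC record quoted in the report and maps a denial on a network-mounted home directory file to the tunable that should silence it, covering the CIFS case the snippet above handles as well as the NFS one. The names SAMPLE_AVC, TUNABLE_FOR_TYPE, parse_avc and triage are chosen here.

```python
import re

# Constructed sample input: the AVC record quoted in this bug report.
SAMPLE_AVC = (
    'node=herald.private.dragonsdawn.net type=AVC msg=audit(1237972115.770:158): '
    'avc: denied { read } for pid=4607 comm="ntpd" '
    'path="/home/gordon/.xsession-errors" dev=0:13 ino=12517378 '
    'scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'
)

# Network-mounted home directory types and the boolean that governs each
# (the two tunables named in the policy snippet above).
TUNABLE_FOR_TYPE = {"nfs_t": "use_nfs_home_dirs", "cifs_t": "use_samba_home_dirs"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: bare or quoted for k, quoted, bare in FIELD_RE.findall(m.group('fields'))}

    def type_of(ctx):                      # user:role:type[:level] -> type
        return ctx.split(':')[2]

    return {
        'perms': m.group('perms').split(),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def triage(avc):
    """Map a denial to the action the policy fix in this bug takes: a daemon
    touching a file under /home of NFS/CIFS type is the inherited session
    descriptor case (the SYSCALL record shows the denial at execve), so the
    fix is a dontaudit under the tunable, not an allow rule on home dirs."""
    tunable = TUNABLE_FOR_TYPE.get(avc['target_type'])
    in_home = (avc['path'] or '').startswith('/home/')
    benign_perms = set(avc['perms']) <= {'read', 'write', 'open', 'getattr'}
    if tunable and in_home and avc['tclass'] == 'file' and benign_perms:
        return {'verdict': 'dontaudit under tunable', 'tunable': tunable}
    return {'verdict': 'review', 'tunable': tunable}
```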

Comment 2 Miroslav Grepl 2009-03-30 16:24:49 UTC
Fixed in selinux-policy-3.5.13-54.fc10
