Bug 622796 - SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket file descriptor.
Summary: SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firstboot
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Martin Gracik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:4fdbb144068...
Depends On:
Blocks: 739684
TreeView+ depends on / blocked
 
Reported: 2010-08-10 12:50 UTC by Rodd Clarkson
Modified: 2013-07-04 12:51 UTC (History)
191 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-31 06:55:02 UTC
Type: ---


Attachments (Terms of Use)

Description Rodd Clarkson 2010-08-10 12:50:50 UTC
Summary:

SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket
file descriptor.

Detailed Description:

[ntpd has a permissive type (ntpd_t). This access was not denied.]

SELinux denied access requested by the ntpd command. It looks like this is
either a leaked descriptor or ntpd output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the netlink_route_socket. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:system_r:firstboot_t:s0
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntp-4.2.6p2-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.8-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-3.fc14.x86_64 #1
                              SMP Fri Aug 6 19:41:28 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 10 Aug 2010 10:43:43 PM EST
Last Seen                     Tue 10 Aug 2010 10:43:43 PM EST
Local ID                      fd855fcd-1a25-440e-9184-ad778102f6f3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281444223.378:116): avc:  denied  { read write } for  pid=1848 comm="ntpd" path="socket:[16689]" dev=sockfs ino=16689 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1281444223.378:116): arch=c000003e syscall=59 success=yes exit=0 a0=1723d20 a1=1723da0 a2=1724680 a3=7fffdbfd0d40 items=0 ppid=1847 pid=1848 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)



Hash String generated from  leaks,ntpd,ntpd_t,firstboot_t,netlink_route_socket,read,write
audit2allow suggests:

#============= ntpd_t ==============
allow ntpd_t firstboot_t:netlink_route_socket { read write };

Comment 1 David Timms 2010-08-15 05:50:22 UTC
This may only occur if during firstboot, the user chooses time setting to be 'get from network'.

Comment 2 Sandro Mathys 2010-10-14 21:51:35 UTC
No update on this bug so far, but I wasn't able to reproduce this while I did several installations of F14 Final TC1.1 today that should trigger this.

Can anyone still reproduce this in TC1.x?

Comment 3 Sandro Mathys 2010-10-21 18:23:43 UTC
Reproduced today with a fresh install from the F14 Final TC6 Gnome LiveCD.

Comment 4 Jaroslav Reznik 2010-10-22 12:11:11 UTC
I can reproduce it in F14 RC1.

NPT server set up in Firstboot but I think this bug should be reassigned to ntpd, shouldn't be?

Comment 5 Daniel Walsh 2010-10-22 14:31:07 UTC
Well ntpd is not leaking, something that firstboot executes before executing ntpd restart is causing the problem.  system-config-network?

Comment 6 Michael 2010-10-23 07:43:04 UTC
hello all,

i habe this error-msg every update. (german lang. version SElinux below - is the same as Rodd Clarkson 2010-08-10 08:50:50 EDT)

ahoi
majestyx

--------------------------------------------------


Zusammenfassung:

SELinux hindert /usr/sbin/tzdata-update am Zugriff auf einen /tmp/tmp9wX9eF
Dateideskriptorleck.

Detaillierte Beschreibung:

[tzdata-update hat einen zugelassenen Typ (tzdata_t). Dieser Zugriff wurde nicht
verweigert.]

SELinux verweigerte den vom tzdata-update-Befehl angeforderten Zugriff. Dies
kann entweder ein Leck des Dateideskriptors sein, oder tzdata-update Ausgabe
wurde an eine Datei umgeleitet, für die es kein Zugriffsrecht besitzt. Lecks
können in der Regel ignoriert werden, denn SELinux schließt einfach das Leck und
meldet den Fehler. Die Anwendung wird den Deskriptor nicht verwenden und
infolgedessen einwandfrei funktionieren. Falls dies eine Umleitung ist, werden
Sie keine Ausgabe im /tmp/tmp9wX9eF erhalten. Sie sollten einen Fehlerbericht
für selinux-policy einreichen, der anschließend dem richtigen Paket zugeordnet
wird. Sie können diese AVC bedenkenlos ignorieren

Zugriff erlauben:

Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu
erlauben - siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:tzdata_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:initrc_tmp_t:s0
Zielobjekte                   /tmp/tmp9wX9eF [ file ]
Quelle                        tzdata-update
Quellpfad                     /usr/sbin/tzdata-update
Port                          <Unbekannt>
Host                          mydesktop
RPM-Pakete der Quelle         glibc-common-2.12.1-2
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-65.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Plugin-Name                   leaks
Rechnername                   mydesktop
Plattform                     Linux desktop.cacn 2.6.34.7-56.fc13.i686.PAE #1
                              SMP Wed Sep 15 03:27:15 UTC 2010 i686 i686
Anzahl der Alarme             8
Zuerst gesehen                Mi 15 Sep 2010 22:03:49 CEST
Zuletzt gesehen               Fr 22 Okt 2010 07:01:15 CEST
Lokale ID                     5a61c6f3-7b05-42b5-a47b-7010b1758270
Zeilennummern                 

Raw-Audit-Meldungen           

node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=mydesktop type=SYSCALL msg=audit(1287723675.87:24955): arch=40000003 syscall=11 success=yes exit=0 a0=a769720 a1=9be5e58 a2=9be5e70 a3=0 items=0 ppid=13473 pid=13639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Comment 7 Miroslav Grepl 2010-10-25 10:50:13 UTC
Michael,
your issue is different. Please execute

# restorecon -R -v /usr/libexec/packagekitd 

Should fix.

Comment 8 Michael 2010-10-25 14:23:38 UTC
Hello Miroslav,

done, output is:

#restorecon reset /usr/libexec/packagekitd context #system_u:object_r:bin_t:s0->system_u:object_r:rpm_exec_t:s0

thx for Help.

Comment 9 Flóki Pálsson 2010-10-25 18:18:54 UTC
I just installed F14 RC1 live X_86.

Comment 10 Daniel Walsh 2010-10-25 19:32:07 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.9.7-6.fc14

Comment 11 Michael 2010-10-25 20:23:20 UTC
hello daniel

thx, i have done. and it looks like to work....

Comment 12 Christopher Swift 2010-11-03 20:35:20 UTC
I have just installed the final release of Fedora 14 today from the 64bit Live CD.  I got the same error on my first boot after choosing to synchronise my time using ntp in the firstboot configuration screen.  This bug still exists in the final disc.

Comment 13 James Laska 2010-11-03 20:52:23 UTC
(In reply to comment #12)
> I have just installed the final release of Fedora 14 today from the 64bit Live
> CD.  I got the same error on my first boot after choosing to synchronise my
> time using ntp in the firstboot configuration screen.  This bug still exists in
> the final disc.

Note, this bug is still in MODIFIED which means a fix has been included in the selinux-policy source.  However, an update that includes this fix has not yet been created and provided through bodhi (https://admin.fedoraproject.org/updates/search/selinux-policy).  The current selinux-policy in Fedora 14 is selinux-policy-3.9.7-7.fc14.

Once an update that fixes this issue is available, and this bug is linked in the bodhi update, the bug will move to ON_QA.  At that point a new selinux-policy package will be available for testing.

Comment 14 satellitgo 2010-11-11 20:26:48 UTC
f14-i686-live-desktop  installed to Virtualbox with liveinst
(MacBook Air  Oracle Virtualbox for OSX)
used network server for time setting in firstboot. Same error

Comment 15 halb_b 2010-12-17 07:37:15 UTC
Anyone else have the 32bit version? This, followed by a few other issues. Just started testing Unix/Linux about 4 months ago, so I take notes each time I test a new distro. I did the partitioning, but had to skip the initial network configuration. 1st, I was getting an error about the wlan0 being undetected. I tried again with the wireless on & got the same error message, but it said eth0 instead of wlan0. The third time, I turned them both on, but picked the alternative do it later button. I used the NTP option too. I wasn't sure about the update error, so I killed the GUI process all together. I lost patience, opened the terminal. I assumed it would be similar to the other 4 distributions I've been testing, same shells, w/either GNOME or KDE. Not nearly as easy. On a positive note, it's probably more secure than others.  I ruled out integrity as an issue. I just purchased a six disk 64bit & the same set 32bit, from a vendor. Amen for Linux/Unix massive community forums. I have not cleared my cache or history yet. I still have a lot of learning to do. I wouldn't know what to look for. So, if anyone would like to see them...     

Summary: 
SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket 
file descriptor. 

Detailed Description: 

[ntpd has a permissive type (ntpd_t). This access was not denied.] 

SELinux denied access requested by the ntpd command. It looks like this is 
either a leaked descriptor or ntpd output was redirected to a file it is not 
allowed to access. Leaks usually can be ignored since SELinux is just closing 
the leak and reporting the error. The application does not use the descriptor, 
so it will run properly. If this is a redirection, you will not get output in 
the netlink_route_socket. You should generate a bugzilla on selinux-policy, and 
it will get routed to the appropriate package. You can safely ignore this avc. 

Allowing Access: 

You can generate a local policy module to allow this access - see FAQ 
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) 

Additional Information: 

Source Context                system_u:system_r:ntpd_t:s0 
Target Context                system_u:system_r:firstboot_t:s0 
Target Objects                netlink_route_socket [ netlink_route_socket ] 
Source                        ntpd 
Source Path                   /usr/sbin/ntpd 
Port                          <Unknown> 
Host                          (removed) 
Source RPM Packages           ntp-4.2.6p2-7.fc14 
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14 
Selinux Enabled               True 
Policy Type                   targeted 
Enforcing Mode                Enforcing 
Plugin Name                   leaks 
Host Name                     (removed) 
Platform                      Linux (removed) 2.6.35.6-45.fc14.i686 #1 
                              SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 
Alert Count                   1 
First Seen                    Thu 16 Dec 2010 06:34:44 PM CST 
Last Seen                     Thu 16 Dec 2010 06:34:44 PM CST 
Local ID                      43c48f70-2eb7-4d0c-90ab-e7a78212a534 
Line Numbers                  

Raw Audit Messages            
 
node=(removed) type=AVC msg=audit(1292546084.890:32392): avc:  denied  { read write } for  pid=1695 comm="ntpd" path="socket:[13991]" dev=sockfs ino=13991 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket 

node=(removed) type=SYSCALL msg=audit(1292546084.890:32392): arch=40000003 syscall=11 success=yes exit=0 a0=85d7d18 a1=85d7ff8 a2=85d8280 a3=85d7ff8 items=0 ppid=1694 pid=1695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)

Comment 16 Daniel Walsh 2010-12-17 14:21:11 UTC
Please update to the latest selinux policy and this avc will be dontaudited.
selinux-policy-3.9.7-17.fc14

Comment 17 Martin Gracik 2010-12-20 11:46:33 UTC
Shouldn't the component be changed to selinux-policy?

Comment 18 Daniel Walsh 2010-12-20 14:07:36 UTC
If an application is leaking a a file descriptor, how is this SELinux problem.  We are just covering it up by dontauditing the bug.

Comment 19 Martin Gracik 2010-12-20 15:44:39 UTC
I see. Firstboot uses a module from system-config-date, does this also happen if you try to setup ntpd in system-config-date ?

Comment 20 Daniel Walsh 2010-12-20 20:51:20 UTC
We have never seen it there.

Comment 21 Fedora Admin XMLRPC Client 2011-02-16 16:09:27 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 22 rickabillie 2011-02-22 05:31:30 UTC
got this on my first boot, let me know if it is not approprate to post this as I am new to bug reporting...

Summary:

SELinux is preventing ntpd "read write" access on netlink_route_socket.

Detailed Description:

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:system_r:firstboot_t:s0
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ntpd
Source Path                   ntpd
Port                          <Unknown>
Host                          sepioteuthis-lessoniana.industrialite
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sepioteuthis-lessoniana.industrialite
Platform                      Linux sepioteuthis-lessoniana.industrialite
                              2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17
                              UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 20 Feb 2011 03:04:01 PM CST
Last Seen                     Sun 20 Feb 2011 03:04:01 PM CST
Local ID                      00b6cb18-32e2-4279-9c35-66c8b87db3c4
Line Numbers                  

Raw Audit Messages            

node=sepioteuthis-lessoniana.industrialite type=AVC msg=audit(1298235841.476:9): avc:  denied  { read write } for  pid=1392 comm="ntpd" path="socket:[13421]" dev=sockfs ino=13421 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket

Comment 23 Daniel Walsh 2011-02-22 14:47:07 UTC
yum -y update

dontaudited in latest policy

Comment 24 Jon Bailey 2011-03-21 23:08:25 UTC
Just happened with VirtualBox (Host: Win7-64, Guest: just-installed from Fedora-14-x86_64-Live-Desktop.iso , set to dual-CPU with NX/VM enabled)

Comment 25 Daniel Walsh 2011-03-22 11:54:50 UTC
I would guess the livecd had an older version of SELinux policy.

Comment 26 Ian C 2011-04-05 12:02:43 UTC
(In reply to comment #25)
> I would guess the livecd had an older version of SELinux policy.

Apparently so, I get this with the LiveCD after install (x86-64)

Comment 27 Daniel Walsh 2011-04-05 15:28:45 UTC
Well you can ignore this bug,since it is fixed in the latest code.

Comment 28 Gina 2011-06-04 19:58:29 UTC
(In reply to comment #1)
> This may only occur if during firstboot, the user chooses time setting to be
> 'get from network'.

Yes.  I chose get from network as a trial. Generally I do not do this.  Also I reproduced this by reinstalling the same way.  Just to see if it didn't happen this time.  

So I presume that this will not happen when I upgrade to 15.  

I am brand new so can someone tell me, if I get the same error again I should report each incidence?  Your response is so right on.  You guys are on it.  That is great.  I can tell I'll be learning alot.

Comment 29 Wade Mealing 2011-06-06 05:08:29 UTC
Gina, 

You probably shouldn't get this exact error message again.  If you do get it again from another release it is worthwhile reporting it, but I believe the abrt tool should report it under a different hash.

This should be fixed in the Fedora 15 release, I did the installation method the same way you did and didn't see the problem.  

I think this particular bug is fixed for all users after their first system update.

Comment 30 Gina 2011-06-13 13:51:30 UTC
(In reply to comment #29)
> Gina, 
> 
> You probably shouldn't get this exact error message again.  If you do get it
> again from another release it is worthwhile reporting it, but I believe the
> abrt tool should report it under a different hash.
> 
> This should be fixed in the Fedora 15 release, I did the installation method
> the same way you did and didn't see the problem.  
> 
> I think this particular bug is fixed for all users after their first system
> update.

Thank you Wade.

Comment 31 Gina 2011-06-13 13:54:41 UTC
My hp pavilion 520n works with Fedora 14.  It is an i686 processr.  It does not work with Fedora 15 I believe.  I tried Katya Lime and Ubuntu 11 and it won't work with those.  I think I found my Linux in Fedora 14 for this machine.  I don't think I'll be upgrading to 15 unless they make compatability changes.  

Just fyi.  I haven't gone looking for where I should post this yet.  Thank you!


Note You need to log in before you can comment on or make changes to this bug.