Bug 662523 - SELinux is preventing /usr/sbin/ntpd "read" access on /etc/samba/smb.conf.
Summary: SELinux is preventing /usr/sbin/ntpd "read" access on /etc/samba/smb.conf.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:5a95b647b9f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-13 01:04 UTC by Rodolfo Ferrari
Modified: 2011-05-27 08:50 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-05-27 08:50:11 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
ntp.conf configuration file. (1.98 KB, application/octet-stream)
2010-12-13 19:26 UTC, Rodolfo Ferrari
no flags Details
ntpd read access on samba.conf alert message (2.65 KB, text/plain)
2010-12-15 03:42 UTC, Rodolfo Ferrari
no flags Details
ntpd strace output (2.41 KB, text/plain)
2010-12-15 03:45 UTC, Rodolfo Ferrari
no flags Details

Description Rodolfo Ferrari 2010-12-13 01:04:27 UTC
Summary:

SELinux is preventing /usr/sbin/ntpd "read" access on /etc/samba/smb.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:samba_etc_t:s0
Target Objects                /etc/samba/smb.conf [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntp-4.2.6p3-0.1.rc10.fc14
Target RPM Packages           samba-common-3.5.6-71.fc14
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.9-64.fc14.i686 #1 SMP Fri Dec 3 12:35:42
                              UTC 2010 i686 i686
Alert Count                   10
First Seen                    Sun 12 Dec 2010 11:05:25 AM MST
Last Seen                     Sun 12 Dec 2010 04:59:14 PM MST
Local ID                      03178ac0-1ad8-4772-a6a3-76c9293173c3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1292198354.842:10): avc:  denied  { read } for  pid=1598 comm="ntpd" name="smb.conf" dev=dm-0 ino=395518 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1292198354.842:10): avc:  denied  { open } for  pid=1598 comm="ntpd" name="smb.conf" dev=dm-0 ino=395518 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1292198354.842:10): arch=40000003 syscall=5 success=yes exit=5 a0=be2780 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)



Hash String generated from  catchall,ntpd,ntpd_t,samba_etc_t,file,read
audit2allow suggests:

#============= ntpd_t ==============
allow ntpd_t samba_etc_t:file { read open };

Comment 1 Miroslav Grepl 2010-12-13 14:26:24 UTC
Did you setup ntp and samba to work together?

Could you attach your ntp.conf?

Comment 2 Rodolfo Ferrari 2010-12-13 19:26:12 UTC
Created attachment 468460 [details]
ntp.conf configuration file.

(In reply to comment #1)
> Did you setup ntp and samba to work together?
> 
> Could you attach your ntp.conf?

No, I just checked off "Synchronize date and time over the network" on the "Adjust Date and Time" tab.

The error appeared right away, later on, I added a new NTP server (my LAN's Windows 2003 DC) since I configured Winbind and join the Linux workstation with AD.

Attached is the ntp.conf file.

Comment 3 Miroslav Grepl 2010-12-14 13:12:12 UTC
Mirku,
what do you think? It looks legitimate.

Comment 4 Miroslav Lichvar 2010-12-14 13:30:23 UTC
I don't see where is this coming from, ntpd doesn't seem to have any code that would read smb.conf.

Can you please attach output of ntpd started in strace for few minutes?

strace -eopen /usr/sbin/ntpd -n -u ntp:ntp

Comment 5 Daniel Walsh 2010-12-14 13:53:46 UTC
Winbind?

Comment 6 Simo Sorce 2010-12-14 14:28:29 UTC
not necessarily, today ntpd comes with code to allow it to sign packets, needed for samba4 AD servers.
nss_winbindd and pam_winbindd iirc do not read smb.conf directly.
Let me check the code, I'll get back to you if I find anything relevant.

Comment 7 Rodolfo Ferrari 2010-12-15 03:42:09 UTC
Created attachment 468759 [details]
ntpd read access on samba.conf alert message

Not sure if this is related to this bug, this error has happened a couple of times.

Comment 8 Rodolfo Ferrari 2010-12-15 03:45:33 UTC
Created attachment 468760 [details]
ntpd strace output

As requested, attached is the output of the ntpd's strace.   I gave it 5 mins .. it only opened files during the first minute after that there was no more output.

Let me know if we need the log for a longer period of time.

Comment 9 Daniel Walsh 2011-05-26 20:25:28 UTC
Is this fixed in the current release.


Note You need to log in before you can comment on or make changes to this bug.