SELinux is preventing /bin/bash from 'getattr' accesses on the file /etc/rc.d/init.d/ntpd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed getattr access on the ntpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ntpd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/ntpd [ file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.9-5.fc15
Target RPM Packages           ntp-4.2.6p3-1.fc15
Policy RPM                    selinux-policy-3.9.12-6.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-2.fc15.x86_64 #1 SMP Fri Jan 7 14:57:36 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 15 Jan 2011 07:13:20 PM EST
Last Seen                     Sat 15 Jan 2011 07:13:20 PM EST
Local ID                      6b7d9578-a34f-4dca-abf4-7787e4acf535

Raw Audit Messages
type=AVC msg=audit(1295136800.226:97): avc: denied { getattr } for pid=5515 comm="service" path="/etc/rc.d/init.d/ntpd" dev=dm-0 ino=26459 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1295136800.226:97): arch=x86_64 syscall=stat success=no exit=EACCES a0=1150200 a1=7fff7ef7f460 a2=7fff7ef7f460 a3=8 items=0 ppid=5513 pid=5515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=service exe=/bin/bash subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: service,gnomeclock_t,ntpd_initrc_exec_t,file,getattr

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t ntpd_initrc_exec_t:file getattr;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t ntpd_initrc_exec_t:file getattr;
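Reading the raw AVC record above by hand, as an added example that is not part of the bug report or of the audit2allow tool: a small Python parser that pulls the source type, target type, object class and denied permissions out of AVC lines, merges them into allow rules the way audit2allow's default output does, and flags targets of type *_initrc_exec_t, where (as the later comments in this bug conclude) the right fix is usually a domain transition through the init script entrypoint rather than a blanket allow rule. The audit log is constructed inline: the first AVC record is the one from the report, the second (a `read open` denial from the same domain, the kind of follow-on denial that `semanage permissive -a` would surface) is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Record :97 is the AVC from the bug report;
# record :98 is a hypothetical follow-on denial for the same domain
# (assumption, not from the report). The SYSCALL record is skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295136800.226:97): avc: denied { getattr } for pid=5515 comm="service" path="/etc/rc.d/init.d/ntpd" dev=dm-0 ino=26459 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1295136800.226:97): arch=x86_64 syscall=stat success=no exit=EACCES comm=service exe=/bin/bash
type=AVC msg=audit(1295136800.300:98): avc: denied { read open } for pid=5515 comm="service" path="/etc/rc.d/init.d/ntpd" dev=dm-0 ino=26459 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=file
"""

# One AVC record: the denied permission set in braces, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type:range -> type, e.g. system_u:system_r:gnomeclock_t:s0 -> gnomeclock_t."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record; non-AVC records (SYSCALL, PATH, ...) are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        if len(perms) == 1:
            rules.append(f"allow {src} {tgt}:{cls} {next(iter(perms))};")
        else:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def init_script_targets(denials):
    """Heuristic: a denial against a *_initrc_exec_t file means the source domain is
    running a service's init script. In the reference policy those types are the
    entrypoints of a domain transition to initrc_t, so the proper fix is the service's
    *_initrc_domtrans() interface for the source domain, not an allow on the file."""
    pairs = sorted({(d["source"], d["target"]) for d in denials
                    if d["target"].endswith("_initrc_exec_t")})
    return pairs


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    print("#============= merged allow rules (what audit2allow would emit) ==============")
    for rule in allow_rules(found):
        print(rule)
    for src, tgt in init_script_targets(found):
        print(f"# {src} touches init script type {tgt}: "
              f"prefer a domain transition interface over the allow rule above")
```

Run the script against `ausearch -m avc -ts recent` output instead of the constructed sample to see every denial the permissive domain accumulated; the flag printed for `ntpd_initrc_exec_t` is the hint that the clean fix belongs in the gnomeclock policy module rather than in a local `mypol.pp`.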
Could you try to execute

# semanage permissive -a gnomeclock_t

and repeat the actions which produce your AVC messages. Are you seeing other AVC messages related to ntpd?

# ausearch -m avc -ts recent

Thank you.
I'll try to replicate this. I was doing this from a Live image unfortunately which I updated and hit another issue that was preventing me from starting gnome-shell up again. I will certainly give this another shot and I'll report here if it happens again with details on the command you want me to run.
This SELinux alert was triggered for me by going to the "System Settings" and clicking on the "Date and Time" option. After applying "semanage permissive -a gnomeclock_t" as root, now Date and Time does not raise an alert ... nor does it seem to open anything though. This is with LiveCD daily build 2011-01-22.
Bug 669924, Bug 672338 and Bug 672337 are all triggered by the same SETroubleshooter event.
Miroslav, I think you want to allow a transition from gnomeclock to initrc_t through ntpd_initrc_exec_t. gnomeclock is doing a "service ntpd start" or "reload" to kick off ntp timing.

optional_policy(`
	ntp_initrc_domtran(gconfd_t)
')
Make that

optional_policy(`
	ntp_initrc_domtran(gnomeclock_t)
')

Miroslav, I think we need this backported to F13, F14.
*** Bug 672338 has been marked as a duplicate of this bug. ***
*** Bug 672337 has been marked as a duplicate of this bug. ***
Yes, the transition is needed. I was able to reproduce it.