702351 – ntpd produces an AVC when started from firstboot GUI

Bug 702351 - ntpd produces an AVC when started from firstboot GUI

Summary: ntpd produces an AVC when started from firstboot GUI

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-05-05 12:30 UTC by Milos Malik
Modified:	2014-11-28 09:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.7.19-107.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:07:40 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Milos Malik 2011-05-05 12:30:27 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-doc-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.1 machine
2. chkconfig firstboot on
3. replace "RUN_FIRSTBOOT=NO" by "RUN_FIRSTBOOT=YES" in /etc/sysconfig/firstboot file
4. reboot the machine
5. click through the firstboot GUI to the "Date and Time" configuration screen
6. enable some/all NTP options visible on the screen
7. click "Finish"
  
Actual results:
----
time->Thu May  5 13:51:56 2011
type=SYSCALL msg=audit(1304596316.232:114): arch=40000003 syscall=11 success=yes exit=0 a0=9790d28 a1=9791008 a2=9791290 a3=9791008 items=0 ppid=2650 pid=2651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(1304596316.232:114): avc:  denied  { read write } for  pid=2651 comm="ntpd" path="socket:[66323]" dev=sockfs ino=66323 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket
----

Expected results:
no AVCs

Comment 1 Miroslav Grepl 2011-05-05 13:01:16 UTC

This is a leaked file descriptor in the tool that does the initial ntpd setup.

Comment 2 Daniel Walsh 2011-05-06 18:33:42 UTC

Do we recreate a new install for 6.1?

Comment 3 Miroslav Grepl 2011-08-05 10:36:06 UTC

I am fixing it. Backporting from Fedora.

Comment 4 Miroslav Grepl 2011-08-10 15:25:56 UTC

Fixed in selinux-policy-3.7.19-107.el6

Comment 7 errata-xmlrpc 2011-12-06 10:07:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.