Bug 732180 - ntpd + selinux + gps = problems.
Summary: ntpd + selinux + gps = problems.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ntp
Version: 15
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-20 09:55 UTC by Maciej Żenczykowski
Modified: 2011-10-27 11:33 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-27 11:33:10 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Maciej Żenczykowski 2011-08-20 09:55:53 UTC 
I've spent quite a while trying to figure out how to get ntpd to accept NMEA GPS input from a serial device (you don't actually need a GPS to see the failure, any [even disconnected] serial port will do).

I add:
  server 127.127.20.1 mode 2
  fudge 127.127.20.1 time1 0.00 time2 0.00 stratum 1 refid GPS flag1 0
to /etc/ntp.conf and 'service ntpd restart'.

/dev/gps1 is a symlink to /dev/ttyS1, which is chmod a+rw'ed (for now).

ntpd starts, but /var/log/messages shows:
  ilmare ntpd[#]: refclock_open /dev/gps1: Permission denied

---
Now, to be fair, I'm totally at a loss on how permissions should be set on these files.
However, I'm willing to believe that there isn't any sane setting that will currently actually work.

***** EXTREMELY ANNOYING *****
With default selinux contexts on /dev/gps1 and /dev/ttyS1 you don't even get an audit error message.

However, I've made some progress with the following:

# ls -alZ /dev/gps1 /dev/ttyS1
lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps1 -> ttyS1
crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1

By loading the following 'mazentp.te':

  module mazentp 1.0;

  require {
    type ntpd_t;
    type tty_device_t;
    class lnk_file read;
    class chr_file { open read write };
  }

  #============= ntpd_t ==============
  allow ntpd_t tty_device_t:lnk_file read;
  allow ntpd_t tty_device_t:chr_file { open read write };

I can get just a little bit further...:
  ilmare ntpd[#]: refclock_setup fd # tcgetattr: Permission denied

And once again - absolutely no error messages in /var/log/audit/audit.log.

There must be a frickin' better way to fix this then by blind wandering.
There must be some way to get audit to actually log error messages.
But there doesn't seem to be any setting in /etc/sysconfig/auditd
and in general can't find any easily tweakable knobs.
Comment 1 Maciej Żenczykowski 2011-08-20 10:06:50 UTC 
It would appear that:

  # ls -alZ /dev/gps1 /dev/ttyS1
  lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps1 -> ttyS1
  crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1

along with:

  module mazentp 1.0;

  require {
    type ntpd_t;
    type tty_device_t;
    class lnk_file read;
    class chr_file { open read write ioctl };
  }

  #============= ntpd_t ==============
  allow ntpd_t tty_device_t:lnk_file read;
  allow ntpd_t tty_device_t:chr_file { open read write ioctl };

is enough to get ntp to start with a GPS_NMEA(1) clock source.
Although of course this is a total security nightmare setup, and this should probably be done in some different way.

(I still can't actually get it to synchronize, but that's probably a totally unrelated problem)
Comment 2 Maciej Żenczykowski 2011-08-20 12:33:11 UTC 
Okay, I got it working, turns out you need access to the serial device for the NMEA 0183 data stream, and access to the LinuxPPS device for the PPS signal.

Hence I needed:

/etc/ntp.conf includes:
  server 127.127.20.0 mode 32 version 4 prefer minpoll 4 maxpoll 4
  fudge 127.127.20.0 time1 0.000 time2 0.500 stratum 1 refid GPS flag1 1 flag2 0

# ls -alZ /dev/gps0 /dev/ttyS1 /dev/gpspps0 /dev/pps0
lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps0 -> ttyS1
crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1
lrwxrwxrwx. ntp ntp system_u:object_r:clock_device_t:s0 /dev/gpspps0 -> pps0
crw-rw-rw-. ntp ntp system_u:object_r:clock_device_t:s0 /dev/pps0


# cat /root/mazentp/mazentp.te 

module mazentp 1.0;

require {
        type clock_device_t;
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write ioctl };
}

#============= ntpd_t ==============
allow ntpd_t tty_device_t:lnk_file read;
allow ntpd_t tty_device_t:chr_file { open read write ioctl };
allow ntpd_t clock_device_t:lnk_file read;
allow ntpd_t clock_device_t:chr_file { open read write ioctl };


Still not clear on what the permissions on those 2 symlinks and 2 devices should be...

Looks like the symlinks could possibly be:
lrwxrwxrwx. root root    system_u:object_r:device_t:s0    gps0 -> ttyS1
lrwxrwxrwx. root root    system_u:object_r:device_t:s0    gpspps0 -> pps0

And the device nodes should perhaps be:
crw-rw----. root ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1
crw-rw----. root ntp system_u:object_r:clock_device_t:s0 /dev/pps0

Which of course would imply a slightly different selinux configuration.
Perhaps there should be an 'ntp_tty_device_t' or 'gps_tty_device_t' or 'ntp_clock_device_t' types???
Comment 3 Miroslav Lichvar 2011-08-22 13:03:14 UTC 
I see the errors too.

With gpsd (drivers 28 and 22) it should work, but ldattach has to be started after gpsd or gpsd has to use the -N option. (that is a bug in the gpsd privilege dropping code)

Also, it shouldn't be necessary to chown the devices to the ntp group, ntpd opens them before it drops root privileges.
Comment 4 Daniel Walsh 2011-08-22 14:07:52 UTC 
But we still need the SELinux permissions?
Comment 5 Daniel Walsh 2011-08-22 14:15:35 UTC 
F16 has dev_rw_realtime_clock(ntpd_t)
 so all we need to add is

term_use_unallocated_ttys(ntpd_t)


And then back port to F15 and RHEL6.
Comment 6 Miroslav Grepl 2011-08-23 10:29:27 UTC 
Added to selinux-policy-3.9.16-39.fc15
Note You need to log in before you can comment on or make changes to this bug.