I've spent quite a while trying to figure out how to get ntpd to accept NMEA GPS input from a serial device (you don't actually need a GPS to see the failure, any [even disconnected] serial port will do). I add:

    server 127.127.20.1 mode 2
    fudge 127.127.20.1 time1 0.00 time2 0.00 stratum 1 refid GPS flag1 0

to /etc/ntp.conf and 'service ntpd restart'. /dev/gps1 is a symlink to /dev/ttyS1, which is chmod a+rw'ed (for now). ntpd starts, but /var/log/messages shows:

    ilmare ntpd[#]: refclock_open /dev/gps1: Permission denied

Now, to be fair, I'm totally at a loss on how permissions should be set on these files. However, I'm willing to believe that there isn't any sane setting that will currently actually work.

***** EXTREMELY ANNOYING *****

With default selinux contexts on /dev/gps1 and /dev/ttyS1 you don't even get an audit error message. However, I've made some progress with the following:

    # ls -alZ /dev/gps1 /dev/ttyS1
    lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps1 -> ttyS1
    crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1

By loading the following 'mazentp.te':

    module mazentp 1.0;

    require {
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write };
    }

    #============= ntpd_t ==============
    allow ntpd_t tty_device_t:lnk_file read;
    allow ntpd_t tty_device_t:chr_file { open read write };

I can get just a little bit further...:

    ilmare ntpd[#]: refclock_setup fd # tcgetattr: Permission denied

And once again - absolutely no error messages in /var/log/audit/audit.log. There must be a frickin' better way to fix this than by blind wandering. There must be some way to get audit to actually log error messages. But there doesn't seem to be any setting in /etc/sysconfig/auditd, and in general I can't find any easily tweakable knobs.
It would appear that:

    # ls -alZ /dev/gps1 /dev/ttyS1
    lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0 /dev/gps1 -> ttyS1
    crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0 /dev/ttyS1

along with:

    module mazentp 1.0;

    require {
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write ioctl };
    }

    #============= ntpd_t ==============
    allow ntpd_t tty_device_t:lnk_file read;
    allow ntpd_t tty_device_t:chr_file { open read write ioctl };

is enough to get ntp to start with a GPS_NMEA(1) clock source. Although of course this is a total security nightmare setup, and this should probably be done in some different way. (I still can't actually get it to synchronize, but that's probably a totally unrelated problem.)
Okay, I got it working; turns out you need access to the serial device for the NMEA 0183 data stream, and access to the LinuxPPS device for the PPS signal. Hence I needed:

/etc/ntp.conf includes:

    server 127.127.20.0 mode 32 version 4 prefer minpoll 4 maxpoll 4
    fudge 127.127.20.0 time1 0.000 time2 0.500 stratum 1 refid GPS flag1 1 flag2 0

    # ls -alZ /dev/gps0 /dev/ttyS1 /dev/gpspps0 /dev/pps0
    lrwxrwxrwx. ntp ntp system_u:object_r:tty_device_t:s0   /dev/gps0 -> ttyS1
    crw-rw-rw-. ntp ntp system_u:object_r:tty_device_t:s0   /dev/ttyS1
    lrwxrwxrwx. ntp ntp system_u:object_r:clock_device_t:s0 /dev/gpspps0 -> pps0
    crw-rw-rw-. ntp ntp system_u:object_r:clock_device_t:s0 /dev/pps0

    # cat /root/mazentp/mazentp.te
    module mazentp 1.0;

    require {
        type clock_device_t;
        type ntpd_t;
        type tty_device_t;
        class lnk_file read;
        class chr_file { open read write ioctl };
    }

    #============= ntpd_t ==============
    allow ntpd_t tty_device_t:lnk_file read;
    allow ntpd_t tty_device_t:chr_file { open read write ioctl };
    allow ntpd_t clock_device_t:lnk_file read;
    allow ntpd_t clock_device_t:chr_file { open read write ioctl };

Still not clear on what the permissions on those 2 symlinks and 2 devices should be... Looks like the symlinks could possibly be:

    lrwxrwxrwx. root root system_u:object_r:device_t:s0 gps0 -> ttyS1
    lrwxrwxrwx. root root system_u:object_r:device_t:s0 gpspps0 -> pps0

And the device nodes should perhaps be:

    crw-rw----. root ntp system_u:object_r:tty_device_t:s0   /dev/ttyS1
    crw-rw----. root ntp system_u:object_r:clock_device_t:s0 /dev/pps0

Which of course would imply a slightly different selinux configuration. Perhaps there should be 'ntp_tty_device_t' or 'gps_tty_device_t' or 'ntp_clock_device_t' types???
I see the errors too. With gpsd (drivers 28 and 22) it should work, but ldattach has to be started after gpsd, or gpsd has to use the -N option. (That is a bug in the gpsd privilege-dropping code.) Also, it shouldn't be necessary to chown the devices to the ntp group; ntpd opens them before it drops root privileges.
But we still need the SELinux permissions?
F16 has dev_rw_realtime_clock(ntpd_t), so all we need to add is term_use_unallocated_ttys(ntpd_t), and then backport to F15 and RHEL6.
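The two interfaces named in the previous comment, written up as the refpolicy-style module that replaces the raw allow rules posted earlier, together with the step the reporter was missing to make the denials visible at all. This is an added example, not code from this report or from the selinux-policy package; it assumes selinux-policy-devel is installed (for /usr/share/selinux/devel/Makefile), that ntpd runs in ntpd_t, and that /dev/ttyS1 and /dev/pps0 carry the tty_device_t and clock_device_t labels shown in the ls -alZ output above. The reason nothing reached /var/log/audit/audit.log is that the base policy covers these accesses with dontaudit rules; `semodule -DB` rebuilds the policy with dontaudit disabled so the AVCs show up, and `semodule -B` puts the rules back afterwards.

```shell
#!/bin/sh
# Added example for this report (not the reporter's or selinux-policy's code).
# Assumes: selinux-policy-devel installed (/usr/share/selinux/devel/Makefile),
# ntpd running in ntpd_t, serial port labelled tty_device_t, PPS device
# labelled clock_device_t, as in the ls -alZ output earlier in the report.
set -eu

MODNAME=mazentp

# Write a refpolicy-style module that uses the two interfaces from comment 6
# instead of raw allow rules on tty_device_t/clock_device_t.
# Prints the path of the written .te file.
write_te_module() {
    dir=$1
    te="$dir/$MODNAME.te"
    cat >"$te" <<'EOF'
policy_module(mazentp, 1.0)

gen_require(`
    type ntpd_t;
')

# NMEA 0183 stream: /dev/gps0 -> /dev/ttyS1 (tty_device_t)
term_use_unallocated_ttys(ntpd_t)

# PPS pulse: /dev/gpspps0 -> /dev/pps0 (clock_device_t);
# already present in the F16 policy, needed on F15/RHEL6
dev_rw_realtime_clock(ntpd_t)
EOF
    echo "$te"
}

# Build the .pp with the devel Makefile and load it (must run as root).
build_and_install() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODNAME.pp"
    semodule -i "$dir/$MODNAME.pp"
}

# Denials covered by dontaudit rules never reach audit.log, which is why the
# reporter saw nothing. Rebuild with dontaudit disabled, reproduce the start-up
# failure, list the AVCs for ntpd, then restore the normal policy.
collect_hidden_denials() {
    semodule -DB                 # disable dontaudit rules
    service ntpd restart
    sleep 5
    ausearch -m AVC -c ntpd -ts recent || true   # "no matches" is also an answer
    semodule -B                  # re-enable dontaudit rules
}

# Confirm the device labels the module relies on before loading it.
check_labels() {
    for dev in /dev/ttyS1 /dev/pps0; do
        printf '%s %s\n' "$dev" "$(stat -c %C "$dev")"
    done
}

main() {
    workdir=$(mktemp -d)
    check_labels
    collect_hidden_denials
    write_te_module "$workdir"
    build_and_install "$workdir"
}

case "${1:-}" in
    run) main ;;
esac
```

Run it as root with `sh ntp_gps_selinux.sh run`. Whether anything beyond these two interfaces is still needed (for instance reading the /dev/gps0 and /dev/gpspps0 symlinks once they are relabelled device_t as suggested above) is exactly what the collect_hidden_denials step answers, instead of guessing at allow rules.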
Added to selinux-policy-3.9.16-39.fc15