Bug 966253 - SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 19
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:cdc02a6698222e8c88077c552f9...
Depends On:
Blocks: F19-accepted, F19FinalFreezeException
Reported: 2013-05-22 21:07 UTC by markleeuw
Modified: 2014-02-01 01:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-02-01 01:14:43 UTC
Type: ---

Attachments
stop leaking file descriptors (6.03 KB, patch)
2013-06-12 23:07 UTC, Brian Lane
stop using os.system (3.14 KB, patch)
2013-06-12 23:08 UTC, Brian Lane

Description markleeuw 2013-05-22 21:07:04 UTC
Description of problem:
SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore ntpdate trying to read write access the control chr_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
# grep /usr/sbin/ntpdate /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that ntpdate should be allowed read write access on the control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep ntpdate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:lvm_control_t:s0
Target Objects                /dev/mapper/control [ chr_file ]
Source                        ntpdate
Source Path                   /usr/sbin/ntpdate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntpdate-4.2.6p5-11.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.3-301.fc19.x86_64 #1 SMP Mon
                              May 20 12:50:56 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-05-21 11:40:52 BST
Last Seen                     2013-05-21 11:41:17 BST
Local ID                      616ca72a-6328-4207-a7fe-9df70b7c750f

Raw Audit Messages
type=AVC msg=audit(1369132877.369:396): avc:  denied  { read write } for  pid=1202 comm="ntpdate" path="/dev/mapper/control" dev="devtmpfs" ino=1164 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1369132877.369:396): arch=x86_64 syscall=execve success=yes exit=0 a0=d92eb0 a1=d934b0 a2=d91f80 a3=7fffb93fb060 items=0 ppid=1197 pid=1202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ntpdate exe=/usr/sbin/ntpdate subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpdate,ntpd_t,lvm_control_t,chr_file,read,write


#============= ntpd_t ==============
allow ntpd_t lvm_control_t:chr_file { read write };

audit2allow -R
You must regenerate interface info by running /usr/bin/sepolgen-ifgen

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.3-301.fc19.x86_64
type:           libreport

Comment 1 Justin Clift 2013-05-28 10:41:15 UTC
Description of problem:
This was caused by enabling ntpdate through the F19 installation GUI, plus manually typing in "clock.redhat.com" as an NTP source.

Which, now I look at it, seems to have been dropped on the floor. :(

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.x86_64
type:           libreport

Comment 2 Daniel Bossert 2013-05-29 10:15:09 UTC

I did not enter anything manually as an additional NTP source. This must have been automatic.


Comment 3 Brian Lane 2013-06-07 00:16:50 UTC
Are you doing a live install? I see these AVCs logged in a boot.iso install, but we run with selinux permissive so they are not fatal.

Either ntpdate needs to stop trying to touch /dev/mapper/control (why would they need to?) or the selinux rules need to be updated.

Comment 4 Robert Lightfoot 2013-06-07 01:44:33 UTC
Description of problem:
Fresh Install F19-i386-Final-TC1

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport

Comment 5 Robert Lightfoot 2013-06-07 01:47:04 UTC
Nominating for freeze exception.  If this was in a release blocking DE it would be a final release blocker, thus it qualifies as freeze exception.

Comment 6 Miroslav Lichvar 2013-06-07 09:33:50 UTC
ntpdate doesn't touch /dev/mapper/control and its code hasn't changed in a long time. This looks more like a leaked file descriptor coming from the process which runs ntpdate. Reassigning back to anaconda.

Comment 7 Daniel Walsh 2013-06-07 20:30:29 UTC
Yes, this has nothing to do with ntpdate other than it is being passed a fd open to /dev/mapper/control and SELinux is shutting it down.

This is probably the lvm code used in anaconda leaking a file descriptor.

Comment 8 Adam Williamson 2013-06-10 17:36:08 UTC
Discussed at 2013-06-10 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-10/f19final-blocker-review-4.2013-06-10-16.01.log.txt

If this occurred on a GNOME or KDE (release-blocking desktop) live install on a fairly 'normal' path through the installer it may well constitute a release blocking issue, so if anyone can reliably reproduce on GNOME or KDE, please speak up. For now we did a quick test of a TC2 GNOME install and did not hit the AVC. With the number of reports on this bug, though, we at least accept it as a freeze exception issue; AVCs during install look really bad and should be fixed when possible. If the fix is too complex, though, we may have to live with it.

Comment 9 Brian Lane 2013-06-12 21:27:29 UTC
The way the date/time spoke is written currently depends on using os.system for the ntpdate call. This isn't likely to be changed this late in F19.

Comment 10 Brian Lane 2013-06-12 23:07:46 UTC
Created attachment 760338 [details]
stop leaking file descriptors

Comment 11 Brian Lane 2013-06-12 23:08:51 UTC
Created attachment 760339 [details]
stop using os.system

This patch causes problems with the date/time screen. It blocks on completion of the ntpdate execution. We need to rethink how we're doing things in this spoke.
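The mechanism described in comments 6 and 7 (a descriptor opened by the parent is inherited by ntpdate across execve, so the AVC is charged to ntpd_t even though ntpdate never opens the device) and the two fixes named in the attachment titles (stop leaking descriptors; stop using os.system) can be reproduced in a few lines. The following is an added illustration, not anaconda's patch or any code from this bug: it uses a scratch file as a stand-in for /dev/mapper/control, spawns a child interpreter with `subprocess` (close_fds=False emulates what os.system/system(3) does, close_fds=True is the subprocess-side fix) and checks from inside the child whether the descriptor, identified by device and inode, is still open.

```python
import os
import subprocess
import sys
import tempfile

# Child-side probe: exit 0 if the descriptor number in argv[1] is open in the
# child AND refers to the same (st_dev, st_ino) the parent saw, i.e. it was
# really inherited across execve; exit 1 otherwise.
_PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def child_inherits(fd, close_fds):
    """Spawn a child interpreter and report whether it inherited ``fd``.

    close_fds=False reproduces what os.system()/system(3) does: nothing is
    closed on the child's behalf, so every inheritable descriptor leaks in.
    close_fds=True makes subprocess close descriptors above 2 before exec.
    """
    st = os.fstat(fd)
    proc = subprocess.run(
        [sys.executable, "-c", _PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=close_fds,
    )
    return proc.returncode == 0


def run_scenarios(path):
    """Return {scenario: child_saw_fd} for three ways of handling ``path``."""
    results = {}

    # 1. The leaky pattern behind this bug: a descriptor without close-on-exec
    #    (Python 2's os.open behaved this way; Python 3 sets CLOEXEC by
    #    default, so we undo it here) plus an os.system-style spawn.
    fd = os.open(path, os.O_RDWR)
    os.set_inheritable(fd, True)
    results["leaky_open_and_os_system"] = child_inherits(fd, close_fds=False)

    # 2. Same leaky descriptor, but the caller spawns through subprocess with
    #    close_fds=True ("stop using os.system"): the child no longer sees it.
    results["leaky_open_subprocess_close_fds"] = child_inherits(fd, close_fds=True)
    os.close(fd)

    # 3. Fix at the source ("stop leaking file descriptors"): open with
    #    O_CLOEXEC so the kernel drops the descriptor at execve no matter how
    #    the child is spawned, even an os.system-style one.
    fd = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    results["cloexec_open_and_os_system"] = child_inherits(fd, close_fds=False)
    os.close(fd)
    return results


def demo():
    # Stand-in for /dev/mapper/control: a scratch file constructed for this
    # example, so the demonstration needs no device node or root privileges.
    tmp_fd, path = tempfile.mkstemp()
    os.close(tmp_fd)
    try:
        return run_scenarios(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, leaked in demo().items():
        state = "inherited" if leaked else "did not inherit"
        print(f"{name}: child {state} the descriptor")
```

Scenario 1 is the situation the audit log shows: the child never calls open() on the device, yet holds a descriptor to it, and SELinux checks inherited descriptors against the new domain at execve. Scenarios 2 and 3 correspond to the two attachments; closing at the open() side (CLOEXEC) is the more robust of the two because it does not depend on every caller remembering close_fds.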

Comment 12 ryanj 2013-06-13 19:19:07 UTC
Description of problem:
fresh install of fedora 19 with MATE wm produces SELinux errors

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport

Comment 13 Hans de Goede 2013-06-18 16:09:09 UTC
Description of problem:
Installed F-19 tc2 arm, enabled ntp, logged into an xfce session, then had this selinux alert waiting for me.

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.4.43.sun5i+
type:           libreport

Comment 14 gil cattaneo 2013-08-23 15:55:30 UTC
Description of problem:
during compiling a java library simple-xml 2.7.1 (http://simple.sourceforge.net/)

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.i686
type:           libreport

Comment 15 Brian Lane 2014-02-01 01:14:43 UTC
We no longer use ntpdate.
