Description of problem:
SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.

***** Plugin leaks (86.2 confidence) suggests ******************************

If you want to ignore ntpdate trying to read write access the control chr_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/ntpdate /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (14.7 confidence) suggests ***************************

If you believe that ntpdate should be allowed read write access on the control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpdate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:lvm_control_t:s0
Target Objects                /dev/mapper/control [ chr_file ]
Source                        ntpdate
Source Path                   /usr/sbin/ntpdate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntpdate-4.2.6p5-11.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.3-301.fc19.x86_64 #1 SMP Mon May 20 12:50:56 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-05-21 11:40:52 BST
Last Seen                     2013-05-21 11:41:17 BST
Local ID                      616ca72a-6328-4207-a7fe-9df70b7c750f

Raw Audit Messages
type=AVC msg=audit(1369132877.369:396): avc: denied { read write } for pid=1202 comm="ntpdate" path="/dev/mapper/control" dev="devtmpfs" ino=1164 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1369132877.369:396): arch=x86_64 syscall=execve success=yes exit=0 a0=d92eb0 a1=d934b0 a2=d91f80 a3=7fffb93fb060 items=0 ppid=1197 pid=1202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ntpdate exe=/usr/sbin/ntpdate subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpdate,ntpd_t,lvm_control_t,chr_file,read,write

audit2allow

#============= ntpd_t ==============
allow ntpd_t lvm_control_t:chr_file { read write };

audit2allow -R
You must regenerate interface info by running /usr/bin/sepolgen-ifgen

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.3-301.fc19.x86_64
type:           libreport
Description of problem:
This was caused by enabling ntpdate through the F19 installation GUI, plus manually typing in "clock.redhat.com" as an NTP source. Which, now I look at it, seems to have been dropped on the floor. :(

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.x86_64
type:           libreport
Hello, I did not enter anything manually as an additional NTP source. This must have been automatic. Regards, Daniel
Are you doing a live install? I see these AVCs logged in a boot.iso install, but we run with selinux permissive so they are not fatal. Either ntpdate needs to stop trying to touch /dev/mapper/control (why would it need to?) or the selinux rules need to be updated.
Description of problem:
Fresh Install F19-i386-Final-TC1

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport
Nominating for freeze exception. If this was in a release blocking DE it would be a final release blocker, thus it qualifies as freeze exception.
ntpdate doesn't touch /dev/mapper/control and its code hasn't changed in a long time. This looks more like a leaked file descriptor coming from the process which runs ntpdate. Reassigning back to anaconda.
Yes, this has nothing to do with ntpdate other than that it is being passed an fd open to /dev/mapper/control and SELinux is shutting it down. This is probably the lvm code used in anaconda leaking a file descriptor.
Discussed at 2013-06-10 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-10/f19final-blocker-review-4.2013-06-10-16.01.log.txt . If this occurred on a GNOME or KDE (release-blocking desktop) live install on a fairly 'normal' path through the installer it may well constitute a release blocking issue, so if anyone can reliably reproduce on GNOME or KDE, please speak up. For now we did a quick test of a TC2 GNOME install and did not hit the AVC. With the number of reports on this bug, though, we at least accept it as a freeze exception issue; AVCs during install look really bad and should be fixed when possible. If the fix is too complex, though, we may have to live with it.
The way the date/time spoke is written currently depends on using os.system for the ntpdate call. This isn't likely to be changed this late in F19.
Created attachment 760338 [details] stop leaking file descriptors
Created attachment 760339 [details] stop using os.system This patch causes problems with the date/time screen. It blocks on completion of the ntpdate execution. We need to rethink how we're doing things in this spoke.
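The mechanism the comments above describe (a descriptor opened by the parent's LVM code surviving into the ntpdate child because os.system does not close inherited fds, so the child ends up holding /dev/mapper/control in its own SELinux domain) can be reproduced and checked without touching device-mapper. The following is an added Python example, not code from this bug report, from anaconda or from the attached patches: a temporary file stands in for /dev/mapper/control, `open_like_c_library` mimics a C library that calls open(2) without O_CLOEXEC, and `child_sees_fd`/`demo` are illustrative names. It shows the leak, and both fixes the two attachments point at: closing fds when spawning (`close_fds=True`, the subprocess default) and marking the descriptor close-on-exec at its source.

```python
import os
import subprocess
import sys
import tempfile

# Probe run in a fresh interpreter: does fd N in the child still refer to the
# parent's file (matched by inode, so a reused fd number is not mistaken for
# a leak)?
CHILD_PROBE = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    print('open' if os.fstat(fd).st_ino == ino else 'closed')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def open_like_c_library(path):
    """Open a path the way a C library without O_CLOEXEC would (assumption:
    this stands in for the LVM control device opened by anaconda's lvm code).
    Python 3.4+ makes new fds non-inheritable by default, so the flag is
    cleared explicitly to reproduce plain open(2) semantics."""
    fd = os.open(path, os.O_RDWR)
    os.set_inheritable(fd, True)
    return fd


def child_sees_fd(fd, close_fds):
    """Spawn a child and report 'open' if the descriptor leaked into it.
    close_fds=False is what os.system() behaves like (everything inherited);
    close_fds=True is subprocess's default and closes fds > 2 before exec."""
    ino = os.fstat(fd).st_ino
    result = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE, str(fd), str(ino)],
        close_fds=close_fds,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


def demo(close_fds, mark_cloexec=False):
    """Open a stand-in device, optionally fix the leak at its source by marking
    the fd close-on-exec, then spawn a child and return what it saw."""
    with tempfile.NamedTemporaryFile() as tmp:  # constructed stand-in for /dev/mapper/control
        fd = open_like_c_library(tmp.name)
        try:
            if mark_cloexec:
                os.set_inheritable(fd, False)  # equivalent of O_CLOEXEC / FD_CLOEXEC
            return child_sees_fd(fd, close_fds)
        finally:
            os.close(fd)


if __name__ == "__main__":
    print("os.system-style spawn, fd inherited:", demo(close_fds=False))
    print("subprocess with close_fds=True:     ", demo(close_fds=True))
    print("fd marked close-on-exec at source:  ", demo(close_fds=False, mark_cloexec=True))
```

In the leaking case the child process (here a second interpreter, in the real report ntpdate running as ntpd_t) holds a descriptor it never asked for, which is exactly what setroubleshoot's "leaks" plugin flagged: the AVC fires on the inherited open file, not on anything ntpdate does. Either fix on its own is enough, and the close-on-exec fix at the source is the more robust one because it does not depend on how every caller spawns children.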
Description of problem:
fresh install of fedora 19 with MATE wm produces SELinux errors

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport
Description of problem:
Installed F-19 tc2 arm, enabled ntp, logged into an xfce session, then had this selinux alert waiting for me.

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.4.43.sun5i+
type:           libreport
Description of problem:
during compiling a java library simple-xml 2.7.1 (http://simple.sourceforge.net/)

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.i686
type:           libreport
We no longer use ntpdate.
Brilliant. Please allow me to withdraw all my past criticism of Red Hat's bug resolution methodology. I see from this bug report, that in fact, if you ignore a problem for long enough it actually may just go away. Red Hat's approach is vindicated. I am humbled & apologetic. Well done everybody.