Bug 979708 - SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2013-06-29 14:11 EDT by Niki Guldbrand
Modified: 2013-07-06 21:32 EDT

See Also:
Fixed In Version: selinux-policy-3.12.1-59.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-06 21:32:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---


Attachments: None
Description Niki Guldbrand 2013-06-29 14:11:49 EDT
SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed remove_name access on the loopstats directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                /var/log/ntpstats/loopstats [ dir ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-200.fc18.i686.PAE #1 SMP Thu Jun
                              13 19:19:30 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 08:35:56 CEST
Last Seen                     2013-06-29 08:35:56 CEST
Local ID                      1706b8ad-af02-472f-9736-6087c60280ef

Raw Audit Messages
type=AVC msg=audit(1372487756.709:60): avc:  denied  { remove_name } for  pid=651 comm="ntpd" name="loopstats" dev="dm-1" ino=524580 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1372487756.709:60): arch=i386 syscall=unlink success=no exit=EACCES a0=b81ebee0 a1=bffc3a58 a2=b7776b4c a3=b81ebee0 items=0 ppid=1 pid=651 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,dir,remove_name
Comment 1 Niki Guldbrand 2013-06-29 14:14:02 EDT
Also got this related one:

Subject: [SELinux AVC Alert] SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/peerstats

SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/peerstats.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed remove_name access on the peerstats directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                /var/log/ntpstats/peerstats [ dir ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-200.fc18.i686.PAE #1 SMP Thu Jun
                              13 19:19:30 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 08:53:58 CEST
Last Seen                     2013-06-29 08:53:58 CEST
Local ID                      af2cb2db-8417-4ee4-8394-066a1b65a6ad

Raw Audit Messages
type=AVC msg=audit(1372488838.622:65): avc:  denied  { remove_name } for  pid=670 comm="ntpd" name="peerstats" dev="dm-1" ino=524534 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1372488838.622:65): arch=i386 syscall=unlink success=no exit=EACCES a0=b86f6ee0 a1=bfa7a368 a2=b7798b4c a3=b86f6ee0 items=0 ppid=1 pid=670 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,dir,remove_name
Comment 2 Niki Guldbrand 2013-06-29 14:25:35 EDT
And another one:

SELinux is preventing /usr/sbin/ntpd from link access on the file clockstats.20130629.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ntpd should be allowed link access on the clockstats.20130629 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ntpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:ntpd_log_t:s0
Target Objects                clockstats.20130629 [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          ipa
Source RPM Packages           ntp-4.2.6p5-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.6-301.fc19.i686.PAE #1 SMP Mon Jun
                              17 14:38:10 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-29 19:58:06 CEST
Last Seen                     2013-06-29 19:58:06 CEST
Local ID                      d994195f-2524-47c1-93b9-5d1154e8739b

Raw Audit Messages
type=AVC msg=audit(1372528686.420:831): avc:  denied  { link } for  pid=3279 comm="ntpd" name="clockstats.20130629" dev="dm-1" ino=525489 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=file


type=SYSCALL msg=audit(1372528686.420:831): arch=i386 syscall=link success=no exit=EACCES a0=b8693cc8 a1=b8693fc8 a2=b773fb4c a3=b8693fc8 items=0 ppid=1 pid=3279 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpd,ntpd_t,ntpd_log_t,file,link
Comment 3 Niki Guldbrand 2013-06-29 14:49:41 EDT
This is the current policy module I'm using right now to fix this.

module net.guldbrand.ipa_ntpd 1.0;

require {
        type ntpd_t;
        type ntpd_log_t;
        class dir remove_name;
        class file { unlink link };
}

#============= ntpd_t ==============

allow ntpd_t ntpd_log_t:dir remove_name;
allow ntpd_t ntpd_log_t:file unlink;
allow ntpd_t ntpd_log_t:file link;
Comment 4 Fedora Update System 2013-07-03 15:49:44 EDT
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19
Comment 5 Fedora Update System 2013-07-04 22:13:26 EDT
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
then log in and leave karma (feedback).
Comment 6 stepglenn 2013-07-05 21:36:07 EDT
(In reply to Niki Guldbrand from comment #3)
I also needed a similar policy module, BUT with these additions:

require {
	type ntpd_t;
	type ntpd_log_t;
	class dir remove_name;
	class file { read write unlink link };
}

#============= ntpd_t ==============
allow ntpd_t ntpd_log_t:dir remove_name;
allow ntpd_t ntpd_log_t:file { read write unlink link };


> This is the current policy module I'm using right now to fix this.
> 
> module net.guldbrand.ipa_ntpd 1.0;
> 
> require {
>         type ntpd_t;
>         type ntpd_log_t;
>         class dir remove_name;
>         class file { unlink link };
> }
> 
> #============= ntpd_t ==============
> 
> allow ntpd_t ntpd_log_t:dir remove_name;
> allow ntpd_t ntpd_log_t:file unlink;
> allow ntpd_t ntpd_log_t:file link;
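The setroubleshoot suggestion in the description pipes `grep ntpd /var/log/audit/audit.log` into `audit2allow`, and comments 3 and 6 show the kind of module that comes out of it. The following is an added example (not code from this bug report, from setroubleshoot or from audit2allow) that does the same job in miniature: it parses raw `type=AVC` records, groups the denied permissions by source type, target type and object class, and renders a `.te` module in the layout of comment 3. The sample log is constructed from the three AVC records quoted above plus one made-up `httpd` denial; the module name `local_ntpd` is a placeholder. Unlike `grep ntpd`, the filter here matches the `comm=` field exactly, so a denial that merely mentions ntpd in a path is not swept in.

```python
import re
from collections import defaultdict

# Constructed sample input: the three raw AVC records quoted in this bug
# report (one SYSCALL record kept to show that non-AVC records are skipped)
# plus one made-up httpd denial so the comm filter has something to exclude.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1372487756.709:60): avc:  denied  { remove_name } for  pid=651 comm="ntpd" name="loopstats" dev="dm-1" ino=524580 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1372487756.709:60): arch=i386 syscall=unlink success=no exit=EACCES a0=b81ebee0 a1=bffc3a58 a2=b7776b4c a3=b81ebee0 items=0 ppid=1 pid=651 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(1372488838.622:65): avc:  denied  { remove_name } for  pid=670 comm="ntpd" name="peerstats" dev="dm-1" ino=524534 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=dir
type=AVC msg=audit(1372528686.420:831): avc:  denied  { link } for  pid=3279 comm="ntpd" name="clockstats.20130629" dev="dm-1" ino=525489 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_log_t:s0 tclass=file
type=AVC msg=audit(1372528700.000:832): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# key=value pairs as audit writes them: quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set between braces: { remove_name } or { read write }.
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return the parts of one AVC denial that a policy rule needs, or None
    for any other audit record (SYSCALL, granted AVCs, ...)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "AVC" or "denied" not in line:
        return None
    m = PERMS_RE.search(line)
    if m is None or "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", ""),
        # user:role:type[:level] -> the type is always the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def collect_rules(log_text, comm=None):
    """Group denials by (source type, target type, class) and union their
    permissions, which is what audit2allow does before printing rules.
    `comm` filters on the exact comm= field rather than a substring grep."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several in braces, as in the .te syntax."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def render_module(name, version, rules):
    """Render a Type Enforcement (.te) source module in the layout of comment 3:
    a require block listing every type and class used, then allow rules."""
    types = sorted({t for (s, tg, _c) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {fmt_perms(classes[cls])};")
    out.append("}")
    for stype in sorted({s for (s, _t, _c) in rules}):
        out += ["", f"#============= {stype} =============="]
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ntpd_rules = collect_rules(SAMPLE_AUDIT_LOG, comm="ntpd")
    print(render_module("local_ntpd", "1.0", ntpd_rules))
```

Run against the constructed log, the ntpd module contains exactly `allow ntpd_t ntpd_log_t:dir remove_name;` and `allow ntpd_t ntpd_log_t:file link;`, while the httpd denial is left out by the `comm` filter. The generated `.te` is compiled and installed the same way a hand-written one is (`checkmodule -M -m`, `semodule_package`, `semodule -i`). Two points worth keeping in mind when reading such output: the rules are only as broad as the denials that have been logged so far, so a first pass often grants too little (the dir `remove_name` check precedes the file `unlink` check on the same unlink call, which is why comment 3's module carries an `unlink` rule that the quoted AVC records never show), and every `allow` line should be read against what the daemon is actually supposed to do with that type before it is loaded, since a local module widens the shipped policy for good.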
Comment 7 stepglenn 2013-07-05 21:46:18 EDT
The selinux-policy-3.12.1-59.fc19 testing update seems to fix all my issues with this issue. No need for a "local" policy module.
Comment 8 Fedora Update System 2013-07-06 21:32:42 EDT
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
