I have just built an FC3 samba server using the K12LTSP ISOs and am getting the following messages in the log.
Jan 21 01:55:14 admin ntpd[9988]: can't open /etc/ntp/drift.TEMP: Permission denied
Jan 21 01:55:14 admin kernel: audit(1106290514.375:0): avc: denied { write } for pid=9988 exe=/usr/sbin/ntpd name=ntp dev=hda3 ino=3392705 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=dir
With SELinux enabled, the drift file could not be created. In permissive mode, the drift file is properly created and updated. What have I done wrong?
[root@admin ntp]# ls -dZ .
drwxr-xr-x ntp ntp system_u:object_r:etc_t
[root@admin ntp]# ls -lZ drift
-rw-r--r-- ntp ntp root:object_r:etc_t drift
Mark Orenstein East Granby, CT School System
On Sun, 23 Jan 2005 14:30:30 -0500 (EST), mroselinux@eastgranby.k12.ct.us wrote:
version of ntp?
Mine (ntp-4.2.0.a.20040617-6) places the drift file in /var/lib/ntp. /var/lib/ntp seems appropriately labeled ntp_drift_t.
tom
Thanks,
I had driftfile pointing to /etc/ntp and changing it to /var/lib/ntp fixed it. It's a file I've carried forward for at least four years.
Mark
version of ntp?
Mine (ntp-4.2.0.a.20040617-6) places the drift file in /var/lib/ntp. /var/lib/ntp seems appropriately labeled ntp_drift_t.
tom
-- Tom London
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
mroselinux@eastgranby.k12.ct.us writes:
| Thanks,
| I had driftfile pointing to /etc/ntp and changing it to /var/lib/ntp fixed
| it. It's a file I've carried forward for at least four years.
You are sure you don't still get the same errors for drift.TEMP?
| Mine (ntp-4.2.0.a.20040617-6) places the drift file in /var/lib/ntp. /var/lib/ntp seems appropriately labeled ntp_drift_t.
I have the drift file in /var/lib/ntp/drift, but I get selinux errors for drift.TEMP:
Mar 6 18:51:26 slabber ntpd[26387]: can't open /var/lib/ntp/drift.TEMP: Permission denied
Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
This is an updated FC3 system.
On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
What are the DAC unix permissions bits and owner/group on the file? I am no expert in SELinux, but that AVC sounds to me like the standard unix permissions are disallowing access to the file.
"Chuck R. Anderson" cra@WPI.EDU writes:
| On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
| What are the DAC unix permissions bits and owner/group on the file?
Of the directory you mean? It is creating the file in the first place that fails.
ls -la /var/lib/ntp/
total 24
drwxr-xr-x  2 ntp  ntp  4096 Mar  6 22:20 .
drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
-rw-r--r--  1 ntp  ntp     7 Mar  6 22:20 drift
| I am no expert in SELinux, but that AVC sounds to me like the standard
| unix permissions are disallowing access to the file.
From /etc/selinux/targeted/contexts/file_contexts it seems this should be allowed. But I am not familiar with the format:
grep -nr drift *
files/file_contexts.pre:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts.pre:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
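As an added check, not code from the thread, here is a shell script that ties tom's diagnosis to the file_contexts lines Lars grepped: it reads the driftfile directive from an ntp.conf, matches the directory against file_contexts patterns (anchored regex, then context; last match wins, which simplifies the real precedence rules), and reports whether the label is ntp_drift_t. The ntp.conf and file_contexts inputs are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: is ntpd's driftfile in a directory
# that the targeted policy labels ntp_drift_t? All three input files are
# constructed samples written to temp files, not taken from a real host.
BAD_CONF=$(mktemp)    # driftfile under /etc/ntp, as in the original post
cat > "$BAD_CONF" <<'EOF'
server 0.pool.ntp.org
driftfile /etc/ntp/drift
EOF
GOOD_CONF=$(mktemp)   # driftfile under /var/lib/ntp, the fix that worked
printf 'driftfile /var/lib/ntp/drift\n' > "$GOOD_CONF"
FILE_CONTEXTS=$(mktemp)  # file_contexts excerpt: anchored regex, context
cat > "$FILE_CONTEXTS" <<'EOF'
/etc(/.*)?              system_u:object_r:etc_t
/var/lib/ntp(/.*)?      system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)?     system_u:object_r:ntp_drift_t
EOF

# Directory named by the driftfile directive of the given ntp.conf.
driftfile_dir() {
    awk '$1 == "driftfile" { print $2 }' "$1" | sed 's#/[^/]*$##'
}

# Type (last field of the context) that a file_contexts file assigns to a
# path. Each pattern is matched against the whole path; when several match,
# the last one wins, a simplification of the real precedence rules.
context_type() {
    awk -v p="$1" '
        NF >= 2 && $1 !~ /^#/ {
            if (p ~ ("^" $1 "$")) ctx = $NF
        }
        END { n = split(ctx, f, ":"); print f[n] }' "$2"
}

# Return 0 if the driftfile directory is labelled ntp_drift_t, 1 otherwise.
check_driftfile() {
    dir=$(driftfile_dir "$1")
    label=$(context_type "$dir" "$2")
    if [ "$label" = "ntp_drift_t" ]; then
        echo "ok: $dir is labelled $label"
        return 0
    fi
    echo "$dir is labelled $label, not ntp_drift_t: ntpd_t cannot create" \
         "drift.TEMP there (the avc: denied { write } in the first post)"
    return 1
}

check_driftfile "$BAD_CONF" "$FILE_CONTEXTS" || :
check_driftfile "$GOOD_CONF" "$FILE_CONTEXTS"
```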
On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
Do you have ntpd configured to run as root or something?
Colin Walters walters@redhat.com writes:
| On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
| Do you have ntpd configured to run as root or something?
This is an FC3 install. No changes done. (The ntp servers have been changed, but that is it.)
Kinda strange.
larsbj@gullik.net (Lars Gullik Bjønnes) writes:
| Colin Walters walters@redhat.com writes:
| | On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
| | Do you have ntpd configured to run as root or something?
| This is an FC3 install. No changes done.
| (The ntp servers have been changed, but that is it.)
| Kinda strange.
Hmm da hmm...
I seem to have had a rogue process here... most likely created when I tried to start ntpdc... I must have started ntpd manually instead.
So disregard all my reports. I'll inform you if I see some bad stuff later.
Sorry about the false alarms.