I've had to disable SELinux protection on ntpd, which seems a bit
drastic, and would like to know if there's a more restrictive approach.
I'm using an MSF clock to pick up the Rugby (UK) time signal and a
specialised daemon to interrogate the clock. This daemon communicates
with ntpd via shared memory and is configured into ntpd as:
server 127.127.28.0 #SHM reference clock
fudge 127.127.1.0 stratum 2 refid "MSF"
Both daemons are running under the same (ntp) user. This worked under Fedora Core 1 without any problems, but under Core 3 during boot the log contained:
Oct 17 15:21:14 zoogz radioclkd[4639]: entering daemon mode
Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to set real time scheduling
Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to lock memory pages
Oct 17 16:21:14 zoogz radioclkd: radioclkd startup succeeded
Oct 17 16:21:30 zoogz ntpdate[4649]: step time server 192.36.143.150 offset -0.0
Oct 17 16:21:30 zoogz ntpd: succeeded
Oct 17 16:21:30 zoogz ntpd[4653]: ntpd 4.2.0a(a)1.1190-r Fri Aug 26 04:27:20 EDT 2
Oct 17 16:21:30 zoogz ntpd: ntpd startup succeeded
Oct 17 16:21:30 zoogz ntpd[4653]: precision = 3.000 usec
Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard, 0.0.0.0#123
Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard, ::#123
Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface lo, 127.0.0.1#123
Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface eth0, 192.168.7.2#123
Oct 17 16:21:30 zoogz ntpd[4653]: kernel time sync status 0040
Oct 17 16:21:30 zoogz kernel: audit(1129562490.239:3): avc: denied { ipc_owner } for pid=4653 comm="ntpd" capability=15 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
Oct 17 16:21:30 zoogz ntpd[4653]: SHM shmget (unit 0): Permission denied
Oct 17 16:21:30 zoogz ntpd[4653]: configuration of 127.127.28.0 failed
Oct 17 16:21:30 zoogz ntpd[4653]: frequency initialized 126.404 PPM from /var/li
Oct 17 16:24:49 zoogz ntpd[4653]: synchronized to 192.36.143.150, stratum 1
I can get the MSF to connect to ntpd if I turn off SELinux protection
for ntpd, but this seems a bit drastic and in any case radioclkd is
still complaining that it can't turn on realtime scheduling or lock the
memory pages.
Is there a way to:
* allow radioclkd to set realtime scheduling
* allow radioclkd to lock memory pages
* allow ntpd to execute the shmget() call
without turning off SELinux protection for ntpd? What about allowing
radioclkd to set realtime scheduling and lock the required memory
pages?
I apologise if I've sent this to the wrong list, but it seemed like the
best one from the content of the Fedora SELinux documentation, and this would
seem to be a general problem for at least some users who run ntpd.
Best regards,
Martin Gregorie
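An added example, not part of Martin's post or of any Fedora package: it turns the single ntpd avc denial above into the one targeted allow rule it asks for (the same translation audit2allow performs) and wraps it in a loadable policy module source, which is the narrower alternative to switching off protection for ntpd. The radioclkd messages in the log carry no avc record, so there is nothing to translate for them; the helper names, the module name local_ntpd and the assumption of three-field contexts without an MLS level are mine.

```shell
# Added example (not from the post or any Fedora package): translate the ntpd AVC
# denial quoted above into one SELinux allow rule and a policy module source,
# instead of disabling protection for ntpd. Assumes user:role:type contexts (no MLS).

# Constructed input: the denial from the post, re-joined onto one line.
AVC_LINE='Oct 17 16:21:30 zoogz kernel: audit(1129562490.239:3): avc: denied { ipc_owner } for pid=4653 comm="ntpd" capability=15 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability'

# avc_fields LINE -> "src_type tgt_type class perm..." ; fails on non-AVC lines
avc_fields() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*avc: *denied { *\([^}]*[^} ]\) *}.*/\1/p')
    s=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    t=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    c=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$p" ] && [ -n "$s" ] && [ -n "$t" ] && [ -n "$c" ] || return 1
    printf '%s %s %s %s\n' "${s##*:}" "${t##*:}" "$c" "$p"   # keep the type field only
}

# avc_to_allow LINE -> "allow <src> <tgt|self>:<class> <perms>;" (what audit2allow emits)
avc_to_allow() {
    f=$(avc_fields "$1") || return 1
    set -- $f
    src=$1; tgt=$2; cls=$3; shift 3
    [ "$src" = "$tgt" ] && tgt=self          # ntpd_t -> ntpd_t becomes "self"
    if [ $# -gt 1 ]; then perms="{ $* }"; else perms=$1; fi
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_require LINE -> the require{} entries the allow rule needs
avc_require() {
    f=$(avc_fields "$1") || return 1
    set -- $f
    printf '\ttype %s;\n' "$1"
    [ "$1" != "$2" ] && printf '\ttype %s;\n' "$2"
    cls=$3; shift 3
    printf '\tclass %s { %s };\n' "$cls" "$*"
}

# avc_to_te NAME LINE... -> module source, one rule per denial; build and load with
#   checkmodule -M -m -o NAME.mod NAME.te && semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
avc_to_te() {
    name=$1; shift
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    for line in "$@"; do avc_require "$line"; done | sort -u
    printf '}\n\n'
    for line in "$@"; do avc_to_allow "$line"; done
}
avc_to_te local_ntpd "$AVC_LINE"
```

The rule grants ntpd_t exactly the ipc_owner capability (capability 15 in the denial) and nothing else, so the shmget() call succeeds while every other restriction on ntpd stays in force.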