"Chuck R. Anderson" <cra(a)WPI.EDU> writes:
| On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
> I have the drift file in /var/lib/ntp/drift, but I get selinux errors
> for drift.TEMP:
>
> Mar 6 18:51:26 slabber ntpd[26387]: can't open
> /var/lib/ntp/drift.TEMP: Permission denied
> Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied
> { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1
> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
> tclass=capability
>
> This is an updated FC3 system.
| What are the DAC unix permissions bits and owner/group on the file?
Of the directory you mean? It is creating the file in the first place
that fails.
ls -la /var/lib/ntp/
total 24
drwxr-xr-x 2 ntp ntp 4096 Mar 6 22:20 .
drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
-rw-r--r-- 1 ntp ntp 7 Mar 6 22:20 drift
| I am no expert in SELinux, but that AVC sounds to me like the standard
| unix permissions are disallowing access to the file.
From /etc/selinux/targeted/contexts/file_contexts it seems this should
be allowed. But I am not familiar with the format:
grep -nr drift *
files/file_contexts.pre:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts.pre:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
--
Lgb
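
Added example, not part of the original message: a small Python reader for the two formats quoted above, the AVC record and the file_contexts lines (path regex, optional file-type field, context). The function names are hypothetical, Python's `re` stands in for the regex engine SELinux uses, and "last matching line wins" is a simplification of how the labeling tools order entries.

```python
import re

# Constructed from the log and grep output quoted in the message above
# (wrapped lines rejoined, grep prefixes dropped).
AVC = ("audit(1110131486.894:0): avc: denied { dac_override } for pid=26387 "
       "exe=/usr/sbin/ntpd capability=1 scontext=root:system_r:ntpd_t "
       "tcontext=root:system_r:ntpd_t tclass=capability")
FILE_CONTEXTS = """\
/var/lib/ntp(/.*)?\tsystem_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)?\tsystem_u:object_r:ntp_drift_t
"""

def parse_avc(line):
    """Split an AVC record into its permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def parse_file_contexts(text):
    """Return (path_regex, context) pairs, skipping blanks and comments."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        # The optional middle field (file type such as -d or --) is ignored here.
        specs.append((parts[0], parts[-1]))
    return specs

def lookup(path, specs):
    """Context of the last entry whose regex matches the whole path, or None."""
    for regex, context in reversed(specs):
        if re.fullmatch(regex, path):
            return context
    return None

def diagnose(avc_line, path, specs):
    """Say whether the denial targets a file label or a process capability."""
    avc = parse_avc(avc_line)
    label = lookup(path, specs)
    perms = " ".join(avc["perms"])
    if avc["tclass"] == "capability":
        return (f"{avc['scontext']} was refused capability {perms}; the target "
                f"is the process itself, not the label of {path} ({label})")
    return f"{avc['scontext']} was refused {perms} on {avc['tclass']} {avc['tcontext']}"
```

Run on the quoted data, `lookup` maps `/var/lib/ntp/drift.TEMP` to `ntp_drift_t`, while the record's `tclass=capability` shows the denied object is the `dac_override` capability of the `ntpd_t` process rather than the file.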