From: fedora-selinux-list-bounces@redhat.com[SMTP:fedora-selinux-list-bounces@redhat.com] on behalf of Stephen Smalley[SMTP:sds@epoch.ncsc.mil]
On Thu, 2004-06-17 at 10:03, Jason Hooper wrote:
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Mismatch between your kernel and policy. RedHat released a kernel update for FC2 without updating the policy accordingly. If you update to selinux-policy-strict in the devel tree, you should be ok. But note that this also requires updating SysVinit, libselinux, and possibly other components as the policy layout has changed completely in the devel tree.
> First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha) phase ?
It is supposed to work.
Khm, khm ... it is alpha/beta after all, isn't it ?
-- Stephen Smalley sds@epoch.ncsc.mil National Security Agency
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
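Added example, not part of any message in this thread: a small Python parser that breaks the AVC denial quoted above into its fields (permission, source and target context, object class), which is the information needed to compare a denial against the loaded policy. The function names are illustrative, and it assumes key=value fields without embedded spaces.

```python
import re
from datetime import datetime, timezone

# AVC denial from the thread, wrapped across lines as it appears there.
SAMPLE = """Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied {
write
} for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file"""

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s*(?P<result>denied|granted)\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)"
)

def split_context(ctx):
    """Split user:role:type; any trailing MLS range is kept in 'level'."""
    user, role, type_, *level = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "level": ":".join(level) or None}

def parse_avc(text):
    """Parse one AVC record; returns None if the text is not an AVC message."""
    flat = " ".join(text.split())  # undo line wrapping added by mail or archives
    m = AVC_RE.search(flat)
    if m is None:
        return None
    # Assumption: values contain no spaces, so whitespace separates the fields.
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "time_utc": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).isoformat(),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "exe": fields.get("exe"),
        "path": fields.get("path"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }

def summarize(rec):
    """One-line summary: result, source type, target type, class, permissions."""
    return "{} {} -> {}:{} {{ {} }}".format(
        rec["result"], rec["source"]["type"], rec["target"]["type"],
        rec["tclass"], " ".join(rec["perms"]))

if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE)))
```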
On Thu, 2004-06-17 at 10:12, David Balazic wrote:
Khm, khm ... it is alpha/beta after all, isn't it ?
Shrug. If you want to be conservative, you can just patch your policy to include the devnull initial SID rather than trying to update to rawhide.
That all seems like a lot of work. Also, who's to say they won't update the kernel again the same way and I'm back on the list 6 mo from now. And it seems to work in permissive mode, but that's not selinux exactly is it...
# ntpdate -q ntp-2.cso.uiuc.edu
Looking for host ntp-2.cso.uiuc.edu and service ntp
host found : ntp-2.gw.uiuc.edu
server 130.126.24.44, stratum 2, offset -46708.392381, delay 0.04820
17 Jun 22:51:14 ntpdate[1431]: step time server 130.126.24.44 offset -46708.392381 sec
..
-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Stephen Smalley
Sent: Thursday, June 17, 2004 9:45 AM
To: Fedora SELinux support list for users & developers.
Subject: RE: ntp
On Thu, 2004-06-17 at 10:12, David Balazic wrote:
Khm, khm ... it is alpha/beta after all, isn't it ?
Shrug. If you want to be conservative, you can just patch your policy to include the devnull initial SID rather than trying to update to rawhide.
-- Stephen Smalley sds@epoch.ncsc.mil National Security Agency