ntp.... was Re: Fresh rawhide install / AVC messages

Russell Coker russell at coker.com.au
Thu Mar 11 10:50:43 UTC 2004


On Thu, 11 Mar 2004 04:54, Tom Mitchell <mitch48 at yahoo.com> wrote:
> > net_conf_t doesn't seem ideal to me, but I can't think of anything better
> > at the moment.
>
> I am almost confused by dhcp...
>
> How does /etc/ntp.conf differ from /etc/adjtime, /bin/date,
> adjtime (system call) in this discussion?  All interact with the time
> of day.

/etc/adjtime is used to account for inaccuracies of the hardware clock on the 
motherboard, so that after some time of power-off the clock compensation can 
be made for those inaccuracies.  Nothing to do with dhcpc.

/bin/date is not relevant either.  AFAIK there is no way of transferring the 
system time in the DHCP protocol (correct me if I'm wrong), so it doesn't 
have anything to do with this issue.

> I might trust my dhcp server to give me an IP address but do I also
> want it to set the time of day?  Then what else do I trust it to do?
> How do I manage the list of things that dhcp might update?

Apparently it's a standard feature to allow dhcpc to set the IP address of the 
NTP server.  You can surely reconfigure your dhcpc to not do this.  Also as a 
local customisation you could relabel /etc/ntp.conf to etc_t and thus deny 
dhcpc_t write access to it (ntpd_t has read access to etc_t:file).

> For example, if I have a well crafted /etc/ntp.conf file will that file
> be lost if I move to a different DHCP served net?

Maybe.  That depends on what your DHCP client does.

> If I look at /usr/share/doc/dhcp-3.0pl2/dhcpd.conf.sample dhcp can set
> a list of common things.  Some are important, not all involve files
> that trigger audit.
>         option nis-domain               "domain.org";
>         option domain-name              "domain.org";
>         option domain-name-servers      192.168.1.1;
>         option time-offset              -18000; # Eastern Standard Time
>         option ntp-servers              192.168.1.1;
>         option netbios-name-servers     192.168.1.1;
>
> See man 5  dhcpd-options for more options.

Interesting.  Is the time offset supported in dhcpc?  If so we'll need policy 
for that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



