Policy for ntp using nonstandard clock device links

Eric Paris eparis at parisplace.org
Wed Apr 27 00:39:20 UTC 2005


Some ntp clocks, like the wwvb1, which are configured with a line like

server 127.127.4.1   minpoll 3 maxpoll 4

in ntp.conf will need to talk to a "clock device" at /dev/wwvb1.  In
reality the clock is connected to something like /dev/ttyS0, where ntpd
would normally have permissions.  But for these types of clocks we have
to create a symlink (ln -s /dev/ttyS0 /dev/wwvb1) because ntp recognizes
the clock as being at /dev/wwvb1.

We get denials like

audit(1114388976.276:0): avc:  denied  { read } for  pid=23691
exe=/usr/sbin/ntpd name=wwvb1 dev=tmpfs ino=148116
scontext=root:system_r:ntpd_t tcontext=root:object_r:device_t
tclass=lnk_file

which can be fixed with

allow ntpd_t device_t:lnk_file read;

It might also want write permission, I'm not sure right now.  I'm
looking for comments on the right way to fix this.  Is adding this or
maybe rw_file_perms the way we really should go about this?

Eric
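As an added example (not from Eric's mail and not the SELinux project's own tooling), the following Python script does in miniature what audit2allow does for this case: it parses the AVC denial quoted above, reduces the source and target contexts to their type fields, and emits the matching allow rule, merging several denials for the same source/target/class into one rule. The second log line is constructed to stand in for the write denial the mail says ntpd might also produce.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denial quoted in the mail, rejoined onto a
# single line as auditd/syslog record it, plus a second, hypothetical denial for
# the write permission the mail says ntpd might also need.
SAMPLE_AVCS = [
    "audit(1114388976.276:0): avc:  denied  { read } for  pid=23691 "
    "exe=/usr/sbin/ntpd name=wwvb1 dev=tmpfs ino=148116 "
    "scontext=root:system_r:ntpd_t tcontext=root:object_r:device_t tclass=lnk_file",
    "audit(1114388977.001:0): avc:  denied  { write } for  pid=23691 "
    "exe=/usr/sbin/ntpd name=wwvb1 dev=tmpfs ino=148116 "
    "scontext=root:system_r:ntpd_t tcontext=root:object_r:device_t tclass=lnk_file",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; allow rules are written on the type field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rules(lines):
    """Fold all denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    # Only the first line reproduces the rule proposed in the mail exactly.
    print(allow_rules(SAMPLE_AVCS[:1])[0])  # allow ntpd_t device_t:lnk_file read;
    print(allow_rules(SAMPLE_AVCS)[0])      # allow ntpd_t device_t:lnk_file { read write };
```

device_t is the generic type for device nodes carrying no more specific label, so the emitted rule covers every such symlink, not only /dev/wwvb1; that breadth is the question the mail is asking about.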
