Fedora 14 NTP and SELinux

Michal Jaegermann michal at harddata.com
Mon Nov 29 07:57:26 UTC 2010


On Mon, Nov 29, 2010 at 11:35:05AM +0530, Rahul Sundaram wrote:
> 
> Read a couple of reviews and blog posts mentioning this,  if you use ntp
> via firstboot in Fedora 14 and you login, you get SELinux warnings on
> login.

Do you mean something like these in logs?

 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()

I am getting these on machines upgraded from Fedora 12 to 14 and
that is after autorelabel and 'restorecon -RF ...' on various
directories.  These are from /var/log/cron and there is not much
more anywhere which would allow defining local policies to get
around that.  All these machines had no problems with SELinux before
an upgrade.

Originally after an upgrade and after an initial relabelling it was
impossible to login with SELinux in an enforcing mode (at least
remotely and that is pretty nasty if you do not have a local
console) but more relabelling apparently helped with that.

I am also collecting these:

 Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/crontab)
 Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/sa-update)
 Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/smolt)
 Unauthorized SELinux context, but SELinux in permissive mode, continuing (/etc/cron.d/0hourly)
 Unauthorized SELinux context, but SELinux in permissive mode, continuing (/var/spool/cron/root)

selinux-policy-targeted-3.9.7-12.fc14 if somebody cares.

> I tried testing this in a vm and this is very much reproducible
> and is such a jarring user experience.

I should likely write bugzilla reports but I sort of gave up on
SELinux and do expect nasty things after every upgrade so these are
at the very bottom of my queue.  Security that is impossible to
understand and control is of no real use.

   Michal

