ntpd vs selinux

Paul Howarth paul at city-fan.org
Mon Jul 3 12:43:31 UTC 2006


Gene Heskett wrote:
> Paul Howarth wrote:
>> On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
>>> Greetings;
>>>
>>> It appears that the last selinux update has killed ntpd, as shown 
>>> from my messages log:
>>>
>>> Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid 
>>> argument
>>> Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid 
>>> argument
>>> Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid 
>>> argument
>>>
>>> I have several pages of the above.
>>>
>>> So to get a clean restart, I did a restart, and this error was logged.
>>>
>>> Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
>>> Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc:  
>>> denied  { read } for  pid=23841 comm="ntpd" name=".fonts.cache-2" 
>>> dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 
>>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> This avc is about ntpd being refused access to a .fonts.cache-2 file in
>> someone's home directory. Why it would be trying to access that I don't
>> know, but it has no business doing so.
>>
>>> Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a at 1.1196-r Thu May 11 
>>> 09:19:35 EDT 2006 (1)
>>> Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 
>>> 0.0.0.0#123
>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 
>>> ::#123
>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 
>>> 127.0.0.1#123
>>> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 
>>> 192.168.1.105#123
>>> Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
>>> Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 PPM 
>>> from /var/lib/ntp/drift
>>
>> It would appear that the avc did not prevent the startup of ntpd in any
>> case.
>>
>>> I assume something in yesterday's selinux update has done this, but 
>>> I've now forgotten the magic phrase to invoke from the cli to cause a 
>>> fix.
>>>
>>> Can someone refresh my memory?
>>
>> Try switching to permissive mode and restart ntpd:
>>
>> # setenforce 0
>> # service ntpd restart
>>
>> If ntpd is still not working, the problem lies elsewhere than SELinux.
>>
>> Try re-enabling enforcing mode:
>>
>> # setenforce 1
>>
>> This may or may not make a difference, depending on whether:
>> 1. It was an SELinux issue in the first place,
>> 2. It was a startup issue, or
>> 3. It was a regular runtime issue.
>>
>> Paul.
>>
> Whatever it was Paul, it appears that the restart was sufficient to fix 
> it; those messages are no longer being logged. Shortly after that 
> snippet was pasted, I got this:
> Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
> Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
> Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193, 
> stratum 2
> Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
> Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc:  denied  { 
> execmod } for  pid=23946 comm="firefox-bin" name="libflashplayer.so" 
> dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 
> tcontext=root:object_r:user_home_t:s0 tclass=file
> 
> But as I'd fired up firefox to do my nightly tour, it did log the above 
> over the flashplayer lib. What's the fix there?

Do you have libflashplayer.so installed somewhere under your home 
directory? That would cause this issue. /usr/local/lib would be a better 
place.

Wherever it is, try this:
# chcon -t textrel_shlib_t libflashplayer.so

Paul.
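The two audit records quoted in this thread share the standard `avc:  denied  { perm } for ...` layout, and the useful facts for triage (which process, which permission, which target type) are buried in it. As an added example, not part of the original thread, here is a small parser that pulls those fields out and tallies denials by process, permission, class and target type; the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: the two AVC denials quoted in the thread, rejoined
# onto single lines as they would appear in /var/log/messages, plus one
# ordinary ntpd line that the parser should ignore.
SAMPLE_LOG = """\
Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc:  denied  { read } for  pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a at 1.1196-r Thu May 11 09:19:35 EDT 2006 (1)
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc:  denied  { execmod } for  pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

# Decision, the permission set in braces, then the key=value tail.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="ntpd") or bare (dev=hda5).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing the AVC record on this line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'decision': m.group('decision'), 'perms': m.group('perms').split(), **fields}
    # Contexts are user:role:type[:range]; expose the type, which is what policy keys on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(log_text):
    """Count denials keyed by (process, permission, target class, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec.get('comm'), perm, rec.get('tclass'), rec.get('tcontext_type'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Run against a real messages file, the tally makes it obvious that both denials here involve `user_home_t` targets, which is the clue Paul uses when he asks where libflashplayer.so is installed.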
