avc for gpsd and ntpd use of shm

Daniel J Walsh dwalsh at redhat.com
Fri Mar 18 14:23:49 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/18/2011 10:11 AM, Skunk Worx wrote:
> Sup,
> 
> I am using EPEL 6 and a garmin 18 LVC on a serial port with gpsd. I am 
> fairly new to the selinux environment.
> 
> ntpd is supposed to be able to access a couple of shm locations to get 
> time from the gps daemon.
> 
> In /var/log/messages I see :
> 
> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 0): Permission denied
> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.0 failed
> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 1): Permission denied
> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.1 failed
> 
> Also avc messages :
> 
> type=SYSCALL msg=audit(1300431471.964:16749): arch=40000003 syscall=117 
> success=no exit=-13 a0=17 a1=4e545031 a2=50 a3=3c0 items=0 ppid=1 
> pid=8795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd" 
> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
> type=AVC msg=audit(1300432211.929:16768): avc:  denied  { unix_read 
> unix_write } for  pid=8899 comm="ntpd" key=1314148400 
> scontext=unconfined_u:system_r:ntpd_t:s0 
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
> 
> type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117 
> success=no exit=-13 a0=17 a1=4e545030 a2=50 a3=3c0 items=0 ppid=1 
> pid=8899 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd" 
> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
> type=AVC msg=audit(1300432211.930:16769): avc:  denied  { unix_read 
> unix_write } for  pid=8899 comm="ntpd" key=1314148401 
> scontext=unconfined_u:system_r:ntpd_t:s0 
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
> 
> Here's some direction from audit2allow :
> 
> # grep ntpd /var/log/audit/audit.log | audit2allow
> #============= ntpd_t ==============
> allow ntpd_t unconfined_t:shm { unix_read unix_write };
> 
> Should I use audit2allow and create a policy package to fix this or is 
> there a better way?
> 
> Thanks,
> John
Are you running this by hand and they eventually will run as a service?

unconfined_t indicates a logged in user process is running and ntpd_t is
trying access the shared memory of the type.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2DavUACgkQrlYvE4MpobPIKwCfW4RtmtVSjS+9WiTLAKw5U8vk
c88An07lGzO5xn98+zXibL+3YcrJ/QuL
=boDG
-----END PGP SIGNATURE-----

More information about the users mailing list