Re: ntpd vs selinux

Paul Howarth wrote:
Gene Heskett wrote:
Paul Howarth wrote:
On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
Greetings;

It appears that the last selinux update has killed ntpd, as shown from my messages log:

Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid argument
Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid argument
Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid argument

I have several pages of the above.

So to get a clean restart, I did a restart, and this error was logged.

Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

This avc is about ntpd being refused access to a .fonts.cache-2 file in
someone's home directory. Why it would be trying to access that I don't
know, but it has no business doing so.

Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a@xxxxxxxx Thu May 11 09:19:35 EDT 2006 (1)
Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 0.0.0.0#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, ::#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 127.0.0.1#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 192.168.1.105#123
Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 PPM from /var/lib/ntp/drift

It would appear that the avc did not prevent the startup of ntpd in any
case.

I assume something in yesterday's selinux update has done this, but I've now forgotten the magic phrase to invoke from the cli to cause a fix.

Can someone refresh my memory?

Try switching to permissive mode and restart ntpd:

# setenforce 0
# service ntpd restart

If ntpd is still not working, the problem lies elsewhere than SELinux.

Try re-enabling enforcing mode:

# setenforce 1

This may or may not make a difference, depending on whether:
1. It was an SELinux issue in the first place,
2. It was a startup issue, or
3. It was a regular runtime issue.

Paul.

Whatever it was, Paul, it appears that the restart was sufficient to fix it; those messages are no longer being logged. Shortly after that snippet was pasted, I got this:
Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193, stratum 2
Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file

But as I'd fired up firefox to do my nightly tour, it did log the above over the flashplayer lib. What's the fix there?

Do you have libflashplayer.so installed somewhere under your home directory? That would cause this issue. /usr/local/lib would be a better place.

Wherever it is, try this:
# chcon -t textrel_shlib_t libflashplayer.so

Paul.

Actually, there were several copies installed (including old copies in old firefox installs), so I did:
chcon -t textrel_shlib_t `locate libflashplayer.so`
which seems to have resolved that issue just fine.

Thanks again.

--
Cheers, Gene
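The two AVC denials in this thread (ntpd reading a .fonts.cache-2 file under a home directory, and firefox needing execmod on a libflashplayer.so in a home directory) are the kind of lines a sysadmin has to pick apart by hand from /var/log/messages. The following is an added example, not code from the thread or from Fedora/SELinux itself: a small Python parser for the `avc: denied { ... } for key=value ...` format shown above, which splits the SELinux contexts into their user:role:type fields and applies the same triage reasoning Paul used (a confined daemon touching user_home_t is the policy doing its job; an execmod denial on a file is a shared library with text relocations, which Paul relabels with `chcon -t textrel_shlib_t`). The sample log is constructed here and copies the two lines from the thread plus one ntpd line that is not an AVC.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the "avc: denied { perm ... } for key=value ..." tail of a kernel audit
# line as it appears in /var/log/messages (the format quoted in the thread).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are either quoted (comm="ntpd") or bare (dev=hda5).
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]        # permissions that were denied, e.g. ["read"]
    fields: Dict[str, str]  # pid, comm, name, dev, ino, scontext, tcontext, tclass

    def _type(self, ctx_key: str) -> str:
        # An SELinux context is user:role:type[:level]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type("scontext")

    @property
    def target_type(self) -> str:
        return self._type("tcontext")


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the AVC denial carried by a log line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(perms=perms, fields=fields)


def triage(d: AvcDenial) -> str:
    """One-line interpretation of a denial, following the reasoning in the thread."""
    comm = d.fields.get("comm", "?")
    name = d.fields.get("name", "?")
    if "execmod" in d.perms and d.fields.get("tclass") == "file":
        # A library that needs text relocations; if it is legitimate, relabel it
        # (Paul's fix in the thread) rather than loosening the policy.
        return (f"{comm} needs text relocations in {name}; if the library is "
                f"legitimate, relabel it: chcon -t textrel_shlib_t {name}")
    if d.target_type == "user_home_t" and d.source_type != "unconfined_t":
        # A confined system daemon has no business in a home directory.
        return (f"confined daemon {comm} ({d.source_type}) touched {name} in a "
                f"home directory; denial is expected, find out why it went there")
    return f"{comm} ({d.source_type}) denied {','.join(d.perms)} on {name} ({d.target_type})"


def summarize(lines: List[str]) -> List[str]:
    """Triage every AVC denial in a batch of log lines, ignoring other lines."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            out.append(triage(d))
    return out


# Constructed sample log: the two AVC lines from the thread plus one non-AVC line.
NTPD_LINE = ('Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied '
             '{ read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 '
             'ino=11556042 scontext=root:system_r:ntpd_t:s0 '
             'tcontext=root:object_r:user_home_t:s0 tclass=file')
FIREFOX_LINE = ('Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied '
                '{ execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" '
                'dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
                'tcontext=root:object_r:user_home_t:s0 tclass=file')
SAMPLE_LOG = [
    "Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15",
    NTPD_LINE,
    FIREFOX_LINE,
]

if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LOG):
        print(verdict)
```

Feed it the output of `grep 'avc: denied' /var/log/messages` (or the audit log on systems that route AVCs there) and it gives one verdict per denial. The second rule deliberately excludes unconfined_t, since a user's own programs reading user_home_t is normal; only confined daemons wandering into home directories are worth a second look.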

