Re: ntpd vs selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
> Greetings;
> 
> It appears that the last selinux update has killed ntpd, as shown from 
> my messages log:
> 
> Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid argument
> Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid argument
> Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid argument
> 
> I have several pages of the above.
> 
> So to get a clean restart, I did a restart, and this error was logged.
> 
> Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
> Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc:  denied  { 
> read } for  pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 
> ino=11556042 scontext=root:system_r:ntpd_t:s0 
> tcontext=root:object_r:user_home_t:s0 tclass=file

This avc is about ntpd being refused access to a .fonts.cache-2 file in
someone's home directory. Why it would be trying to access that I don't
know, but it has no business doing so.

> Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a@xxxxxxxx Thu May 11 
> 09:19:35 EDT 2006 (1)
> Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 
> 0.0.0.0#123
> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, ::#123
> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 127.0.0.1#123
> Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 
> 192.168.1.105#123
> Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
> Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 PPM 
> from /var/lib/ntp/drift

It would appears that the avc did not prevent the startup of ntpd in any
case.

> I assume something in yesterdays selinux update has done this, but I've 
> now forgotten the magic phrase to invoke from the cli to cause a fix.
> 
> Can someone refresh my memory?

Try switching to permissive mode and restart ntpd:

# setenforce 0
# service ntpd restart

If ntpd is still not working, the problem lies elsewhere than SELinux.

Try re-enabling enforcing mode:

# setenforce 1

This may or may not make a difference, depending on whether:
1. It was an SELinux issue in the first place,
2. It was a startup issue, or
3. It was a regular runtime issue.

Paul.
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux