Paul Howarth wrote:
Gene Heskett wrote:
Paul Howarth wrote:
On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
Greetings;
It appears that the last selinux update has killed ntpd, as shown
from my messages log:
Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid argument
Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid argument
Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid argument
I have several pages of the above.
So to get a clean restart, I did a restart, and this error was logged.
Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
This avc is about ntpd being refused access to a .fonts.cache-2 file in
someone's home directory. Why it would be trying to access that I don't
know, but it has no business doing so.
Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a@xxxxxxxx Thu May 11 09:19:35 EDT 2006 (1)
Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 0.0.0.0#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, ::#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 127.0.0.1#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 192.168.1.105#123
Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 PPM from /var/lib/ntp/drift
It would appear that the avc did not prevent the startup of ntpd in any
case.
I assume something in yesterday's selinux update has done this, but
I've now forgotten the magic phrase to invoke from the cli to cause
a fix.
Can someone refresh my memory?
Try switching to permissive mode and restart ntpd:
# setenforce 0
# service ntpd restart
If ntpd is still not working, the problem lies elsewhere than SELinux.
Try re-enabling enforcing mode:
# setenforce 1
This may or may not make a difference, depending on whether:
1. It was an SELinux issue in the first place,
2. It was a startup issue, or
3. It was a regular runtime issue.
Paul.
Whatever it was, Paul, it appears that the restart was sufficient to
fix it; those messages are no longer being logged. Shortly after that
snippet was pasted, I got this:
Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193, stratum 2
Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
But as I'd fired up firefox to do my nightly tour, it did log the
above over the flashplayer lib. What's the fix there?
Do you have libflashplayer.so installed somewhere under your home
directory? That would cause this issue. /usr/local/lib would be a better
place.
Wherever it is, try this:
# chcon -t textrel_shlib_t libflashplayer.so
Paul.
Actually, there were several copies installed (including old copies in
old firefox installs), so I did:
chcon -t textrel_shlib_t `locate libflashplayer.so`
which seems to have resolved that issue just fine.
Thanks again.
--
Cheers, Gene
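
Added example, not part of the original thread: a small Python parser for the kernel AVC denial format quoted above, run over the thread's two denials (with the mail wrapping joined) to pull out the source and target types that the replies reason about. The function names and the triage bucket names are hypothetical, chosen here only to mirror the two diagnoses given in the thread.

```python
import re

# The two denials quoted in the thread (mail line-wrapping joined), plus one non-AVC line.
SAMPLE_LOG = """\
Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
"""

AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is what policy rules match on.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def triage(rec):
    """Hypothetical buckets mirroring the two diagnoses given in the thread."""
    if rec["ttype"] == "user_home_t" and "execmod" in rec["perms"]:
        return "execmod-on-home-labelled-file"
    if rec["ttype"] == "user_home_t" and rec["stype"] != "unconfined_t":
        return "confined-domain-home-access"
    return "other"


def denials(log_text):
    """Parse every AVC denial in a block of log text, skipping other lines."""
    return [r for r in map(parse_avc, log_text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in denials(SAMPLE_LOG):
        print(r["serial"], r["comm"], r["stype"], "->", r["ttype"], r["perms"], triage(r))
```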