On 03/18/2011 07:23 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/18/2011 10:11 AM, Skunk Worx wrote:
>> Sup,
>>
>> I am using EPEL 6 and a garmin 18 LVC on a serial port with gpsd. I am
>> fairly new to the selinux environment.
>>
>> ntpd is supposed to be able to access a couple of shm locations to get
>> time from the gps daemon.
>>
>> In /var/log/messages I see :
>>
>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 0): Permission denied
>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.0 failed
>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 1): Permission denied
>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.1 failed
>>
>> Also avc messages :
>>
>> type=SYSCALL msg=audit(1300431471.964:16749): arch=40000003 syscall=117
>> success=no exit=-13 a0=17 a1=4e545031 a2=50 a3=3c0 items=0 ppid=1
>> pid=8795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>> type=AVC msg=audit(1300432211.929:16768): avc: denied { unix_read
>> unix_write } for pid=8899 comm="ntpd" key=1314148400
>> scontext=unconfined_u:system_r:ntpd_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>
>> type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117
>> success=no exit=-13 a0=17 a1=4e545030 a2=50 a3=3c0 items=0 ppid=1
>> pid=8899 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>> type=AVC msg=audit(1300432211.930:16769): avc: denied { unix_read
>> unix_write } for pid=8899 comm="ntpd" key=1314148401
>> scontext=unconfined_u:system_r:ntpd_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>
>> Here's some direction from audit2allow :
>>
>> # grep ntpd /var/log/audit/audit.log | audit2allow
>> #============= ntpd_t ==============
>> allow ntpd_t unconfined_t:shm { unix_read unix_write };
>>
>> Should I use audit2allow and create a policy package to fix this or is
>> there a better way?
>>
>> Thanks,
>> John
> Are you running this by hand and they eventually will run as a service?
>
> unconfined_t indicates a logged in user process is running and ntpd_t is
> trying access the shared memory of the type.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2DavUACgkQrlYvE4MpobPIKwCfW4RtmtVSjS+9WiTLAKw5U8vk
> c88An07lGzO5xn98+zXibL+3YcrJ/QuL
> =boDG
> -----END PGP SIGNATURE-----
gpsd and ntpd are both started via rc scripts. The ntpd is stock from
EPEL 6. The gpsd rc script is hand-rolled from a version I found on the
web, while the gpsd itself is locally compiled from gpsd-2.95.tar.gz.
output of ps for the two daemons :
ntp 8899 1 0 00:10 ? 00:00:00 ntpd -u ntp:ntp -p
/var/run/ntpd.pid -g
nobody 8875 1 0 00:09 ? 00:00:38 /usr/local/sbin/gpsd -n
/dev/ttyS1
---
John
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
