On 03/18/2011 08:51 AM, Daniel J Walsh wrote:
> On 03/18/2011 10:57 AM, Skunk Worx wrote:
>> On 03/18/2011 07:23 AM, Daniel J Walsh wrote:
>> On 03/18/2011 10:11 AM, Skunk Worx wrote:
>>>>> Sup,
>>>>>
>>>>> I am using EPEL 6 and a Garmin 18 LVC on a serial port with gpsd. I am
>>>>> fairly new to the SELinux environment.
>>>>>
>>>>> ntpd is supposed to be able to access a couple of shm locations to get
>>>>> time from the gps daemon.
>>>>>
>>>>> In /var/log/messages I see :
>>>>>
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 0): Permission denied
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.0 failed
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 1): Permission denied
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.1 failed
>>>>>
>>>>> Also avc messages :
>>>>>
>>>>> type=SYSCALL msg=audit(1300431471.964:16749): arch=40000003 syscall=117
>>>>> success=no exit=-13 a0=17 a1=4e545031 a2=50 a3=3c0 items=0 ppid=1
>>>>> pid=8795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1300432211.929:16768): avc: denied { unix_read
>>>>> unix_write } for pid=8899 comm="ntpd" key=1314148400
>>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>>
>>>>> type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117
>>>>> success=no exit=-13 a0=17 a1=4e545030 a2=50 a3=3c0 items=0 ppid=1
>>>>> pid=8899 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1300432211.930:16769): avc: denied { unix_read
>>>>> unix_write } for pid=8899 comm="ntpd" key=1314148401
>>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>>
>>>>> Here's some direction from audit2allow :
>>>>>
>>>>> # grep ntpd /var/log/audit/audit.log | audit2allow
>>>>> #============= ntpd_t ==============
>>>>> allow ntpd_t unconfined_t:shm { unix_read unix_write };
>>>>>
>>>>> Should I use audit2allow and create a policy package to fix this or is
>>>>> there a better way?
>>>>>
>>>>> Thanks,
>>>>> John
>> Are you running this by hand and they eventually will run as a service?
>>
>> unconfined_t indicates a logged in user process is running and ntpd_t is
>> trying to access the shared memory of the type.
>
>> gpsd and ntpd are both started via rc scripts. The ntpd is stock from
>> EPEL 6. The gpsd rc script is hand-rolled from a version I found on the
>> web, while the gpsd itself is locally compiled from gpsd-2.95.tar.gz.
>
>> output of ps for the two daemons :
>> ntp 8899 1 0 00:10 ? 00:00:00 ntpd -u ntp:ntp -p
>> /var/run/ntpd.pid -g
>> nobody 8875 1 0 00:09 ? 00:00:38 /usr/local/sbin/gpsd -n
>> /dev/ttyS1
>
>> ---
>> John
> Then kill the gpsd you have running and start it using the service gpsd
> start script so it will run with the proper context.
>
> Or even better label your gpsd as gpsd_exec_t. Since we have policy for it.

Thanks ... I labelled the gpsd daemon per your suggestion and restarted both services.

ntpd is accessing the GPS and PPS shm okay now.

---
John
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
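
Added example, not part of the thread or of any poster's message: a Python triage of the AVC record quoted above. It extracts the source and target types and decodes the shm key, showing that the segment ntpd asked for belongs to a process running as unconfined_t, which is the case the reply resolves by labeling gpsd rather than loading the audit2allow rule. The function names and the 'relabel-peer' heuristic are assumptions of this example.

```python
import re

# Constructed input: the second AVC record quoted in the thread, rejoined
# onto one line (the mail client had wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1300432211.930:16769): avc: denied { unix_read '
    'unix_write } for pid=8899 comm="ntpd" key=1314148401 '
    'scontext=unconfined_u:system_r:ntpd_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
IPC_CLASSES = {'shm', 'sem', 'msgq'}  # SysV IPC object classes


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in
           (tok.split('=', 1) for tok in m.group('rest').split() if '=' in tok)}
    rec['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # user:role:type:level[:categories]; only role and type matter here
        _user, role, setype = rec[side].split(':')[:3]
        rec[side + '_role'], rec[side + '_type'] = role, setype
    return rec


def shm_key_ascii(key):
    """Render a 32-bit SysV IPC key as ASCII when all four bytes are printable."""
    raw = int(key).to_bytes(4, 'big')
    return raw.decode('ascii') if all(0x20 <= b < 0x7f for b in raw) else None


def triage(rec):
    """Heuristic of this example: a confined domain denied on an IPC object owned
    by unconfined_t points at the peer's label, not at a missing allow rule."""
    if (rec['tclass'] in IPC_CLASSES
            and rec['scontext_type'] != 'unconfined_t'
            and rec['tcontext_type'] == 'unconfined_t'):
        return 'relabel-peer'
    return 'review'


if __name__ == '__main__':
    r = parse_avc(SAMPLE_AVC)
    print(r['scontext_type'], '->', r['tcontext_type'], r['tclass'], r['perms'])
    print('shm key', r['key'], '=', shm_key_ascii(r['key']), '=>', triage(r))
```

The decoded keys match the a1 values in the SYSCALL records (4e545030 and 4e545031), so the denied objects are the two NTP shared-memory units named in the /var/log/messages lines.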