Bug 155855 - avc denied for dhclient, ntp.conf and step-tickers
Summary: avc denied for dhclient, ntp.conf and step-tickers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-24 20:40 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:56:39 UTC



Description Ville Skyttä 2005-04-24 20:40:47 UTC
Up to date Rawhide as of today (ntp-4.2.0.a.20040617-8,
selinux-policy-targeted-1.23.12-4, dhclient-3.0.2-9):
dhclient tries to update ntp.conf and step-tickers based on the info it gets
from the DHCP server, but SELinux doesn't seem happy with that:

Apr 24 05:42:48 gk012 dhclient: DHCPREQUEST on eth1 to 192.168.2.41 port 67
Apr 24 05:42:48 gk012 dhclient: DHCPACK from 192.168.2.41
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): avc:  denied  {
unlink } for  pid=18276 exe=/bin/mv name=ntp.conf.predhclient dev=hda2
ino=5816838 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): syscall=38 exit=-13
a0=bffbdc1d a1=bffbdc2b a2=8057284 a3=0 items=2 pid=18276 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=0
name=/etc/ntp.conf inode=5815617 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
Apr 24 05:42:48 gk012 kernel: audit(1114310568.830:7359154): item=1
name=/etc/ntp.conf.predhclient inode=5815617 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): avc:  denied  {
unlink } for  pid=18281 exe=/bin/mv name=step-tickers.predhclient dev=hda2
ino=5817166 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): syscall=38 exit=-13
a0=bf94fc0d a1=bf94fc23 a2=8057284 a3=0 items=2 pid=18281 loginuid=-1 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=0
name=/etc/ntp/step-tickers inode=5816664 dev=03:02 mode=040755 uid=0 gid=0
rdev=00:00
Apr 24 05:42:49 gk012 kernel: audit(1114310569.013:7359724): item=1
name=/etc/ntp/step-tickers.predhclient inode=5816664 dev=03:02 mode=040755 uid=0
gid=0 rdev=00:00
Apr 24 05:42:49 gk012 dhclient: bound to 192.168.2.248 -- renewal in 8383 seconds.

Comment 1 Daniel Walsh 2005-04-25 14:53:40 UTC
You have some badly labeled files.

restorecon -R -v /etc

Should clear this up.

Dan

Comment 2 Ville Skyttä 2005-04-25 16:32:55 UTC
I have done "/sbin/fixfiles relabel /" as well as "touch /.autorelabel &&
reboot" every now and then, but after a while the problem just seems to
resurface. None of these avc denied messages today after doing the latter
(/.autorelabel) operation some 7 hours ago though; will keep an eye on it.

Comment 3 Ville Skyttä 2005-05-02 18:17:27 UTC
It's been a week since I've seen these messages, so assuming fixed.

Comment 4 Ville Skyttä 2005-05-04 18:43:05 UTC
Well, there you go, the problem has resurfaced.  Should have knocked wood.

I saw these errors again on shutdown, and at reboot, after "starting xinitd", a
message from awk scrolled by, saying /etc/ntp.conf doesn't exist.

And behold, I no longer have /etc/ntp.conf or /etc/ntp/step-tickers.  Only
/etc/ntp.conf.predhclient and /etc/ntp/step-tickers.predhclient are there.

ntp-4.2.0.a.20040617-8
dhclient-3.0.2-11
selinux-policy-targeted-1.23.14-2


Comment 5 Daniel Walsh 2005-05-10 15:34:20 UTC
What avc messages did you get?

I have not seen this.

Dan

Comment 6 Ville Skyttä 2005-05-10 15:58:23 UTC
See the initial comment in this bug report for the avc messages.

Comment 7 Daniel Walsh 2005-05-10 16:03:54 UTC
So the question is how did step-tickers.predhclient get mislabeled again?

Looks like you did some kind of relabel.
There is a bug in the file context.

1.23.15-4 will have the fix.


< --- nsapolicy/file_contexts/program/ntpd.fc   2005-02-24 14:51:09.000000000 -0500
< +++ policy-1.23.15/file_contexts/program/ntpd.fc      2005-05-10
12:00:21.000000000 -0400
< @@ -1,7 +1,7 @@
<  /var/lib/ntp(/.*)?                   system_u:object_r:ntp_drift_t
<  /etc/ntp/data(/.*)?                  system_u:object_r:ntp_drift_t
<  /etc/ntp(d)?\.conf(.sv)?     --      system_u:object_r:net_conf_t
< -/etc/ntp/step-tickers                --      system_u:object_r:net_conf_t
< +/etc/ntp/step-tickers.*              --      system_u:object_r:net_conf_t
<  /usr/sbin/ntpd                       --      system_u:object_r:ntpd_exec_t
<  /usr/sbin/ntpdate            --      system_u:object_r:ntpdate_exec_t
<  /var/log/ntpstats(/.*)?                      system_u:object_r:ntpd_log_t
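Review bot: the new `/etc/ntp/step-tickers.*` line covers the `step-tickers.predhclient` backup named in the second avc, but the unchanged `/etc/ntp(d)?\.conf(.sv)?` context line directly above it still does not match `/etc/ntp.conf.predhclient`, which the first avc in the description reports under the same etc_t mislabel; widen that line the same way, e.g. `/etc/ntp(d)?\.conf.*  --  system_u:object_r:net_conf_t`. Also, the `.` in `(.sv)?` is unescaped, so it matches any single character rather than a literal dot.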


Comment 8 Ville Skyttä 2005-05-10 16:38:18 UTC
Note that this problem occurs with /etc/ntp.conf(.predhclient) too.  Also,
should the "." in ".sv" be backslashed?  Or, to follow the step-tickers change,
more generally, just:

  /etc/ntp(d)?\.conf.*

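To see how the file_contexts patterns in the hunk and in comment 8 behave against the paths from the avc denials above, here is an added shell example (not code from the bug report or from selinux-policy) that reproduces libselinux's anchored regex matching with grep -E; the regex strings are copied from the thread, and `/etc/ntp.confXsv` is a constructed path used only to expose the unescaped dot.

```shell
#!/bin/sh
# Added example, not code from the bug report or selinux-policy.
# libselinux anchors each file_contexts regex as ^(regex)$ before matching
# a path, so fc_matches reproduces that with grep -E. The "--" column in
# ntpd.fc only restricts a line to regular files and is not modelled here.

# fc_matches REGEX PATH: exit 0 if PATH would be labeled by REGEX
fc_matches() {
    printf '%s\n' "$2" | grep -E -q "^($1)\$"
}

# report REGEX PATH: print a verdict line (always returns 0)
report() {
    if fc_matches "$1" "$2"; then
        printf 'match     %-28s %s\n' "$1" "$2"
    else
        printf 'no match  %-28s %s\n' "$1" "$2"
    fi
    return 0
}

# Patterns: old and new step-tickers lines from the hunk, the unchanged
# ntp.conf line, and the broader form suggested in comment 8.
OLD_TICKERS='/etc/ntp/step-tickers'
NEW_TICKERS='/etc/ntp/step-tickers.*'
OLD_CONF='/etc/ntp(d)?\.conf(.sv)?'
NEW_CONF='/etc/ntp(d)?\.conf.*'

# Paths taken from the audit records in the description.
for p in /etc/ntp/step-tickers /etc/ntp/step-tickers.predhclient; do
    report "$OLD_TICKERS" "$p"
    report "$NEW_TICKERS" "$p"
done
for p in /etc/ntp.conf /etc/ntp.conf.predhclient; do
    report "$OLD_CONF" "$p"
    report "$NEW_CONF" "$p"
done

# The unescaped "." in "(.sv)?" matches any character: a constructed name
# with no dot before "sv" is still accepted by the old ntp.conf pattern.
report "$OLD_CONF" /etc/ntp.confXsv
```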

