Bug 162410 - execmem not allowed for ntpd_t
Summary: execmem not allowed for ntpd_t
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-07-04 10:49 UTC by Marco Colombo
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-08 09:03:57 UTC


Description Marco Colombo 2005-07-04 10:49:59 UTC
Description of problem:
After upgrading to selinux-policy-targeted-1.17.30-3.15, ntpd fails to run.
I used to run it with -q as a replacement for ntpdate. I get the following log:
avc:  denied  { execmem } for  pid=9475 comm=ntpd scontext=root:system_r:ntpd_t
tcontext=root:system_r:ntpd_t tclass=process
(see below for the error message)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just run:
ntpd -q -g

Actual results:
ntpd: error while loading shared libraries: failed to map segment
from shared object: Permission denied

Expected results:
It should run just fine. It used to with the previous version of the policy

Additional info:
The policy is a slightly customized one. I installed it with:
make -C /etc/selinux/targeted/src/policy clean reload

Adding the following rule in the policy fixes the problem:
allow ntpd_t self:process execmem;

I also get another avc message, but this seems to be harmless (ntpd runs and
sets the date) and it was already present with previous versions of the policy:
avc:  denied  { execute } for  pid=9804 comm=ntpd path=/etc/ dev=md0
ino=4346 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:ld_so_cache_t

Since I had to add the above rule, I added the following as well:
allow ntpd_t ld_so_cache_t:file execute;

None of the local customizations refer to ntpd_t or ld_so_cache_t at all. I can
provide them if more details are needed, but I'm sure they are not related to
the problem (we used to keep web contents and the PostgreSQL databases under
/home, and the policy has to be modified to allow that).

BTW, there should be a nice way for users to add local customizations to the
policy in the source. Right now, I'm using one file for the policy and one for
the file_contexts, like this:

This way I don't have to modify the source files (last time I tried, they were
not marked as %config(noreplace) in the rpm, and I had to move things back in place
after an update). Is there a better place to put site-specific additions
to the policy?
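
Added illustration, not part of the report and not Fedora's policy tooling: a small Python stand-in for audit2allow that parses the two AVC lines quoted above (sample input constructed from the report, with tclass=file added to the second line where the report's copy is cut off) and derives the allow rules Marco added, flagging the execmem denial for investigation rather than blind allowing, since in this bug it turned out to be fixed by a kernel update.

```python
import re

# Constructed sample input: the two AVC lines quoted in the report above, with
# tclass=file added to the second one (the report's copy is cut off there).
AVC_LINES = [
    "avc:  denied  { execmem } for  pid=9475 comm=ntpd "
    "scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=process",
    "avc:  denied  { execute } for  pid=9804 comm=ntpd path=/etc/ dev=md0 ino=4346 "
    "scontext=root:system_r:ntpd_t tcontext=system_u:object_r:ld_so_cache_t tclass=file",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
# Permissions that grant executable memory; a denial of one of these from a
# daemon deserves investigation before any rule is added.
MEMORY_EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}

def parse_avc(line):
    """Return the AVC record as a dict (perms as a list), or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]

def suggest_rule(rec):
    """Build the allow rule that would silence this denial (what audit2allow does)."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    target = "self" if src == tgt else tgt  # same type on both sides -> self
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {src} {target}:{rec['tclass']} {perms};"

def needs_review(rec):
    """True when the denial is for executable memory: investigate, do not just allow."""
    return bool(MEMORY_EXEC_PERMS & set(rec["perms"]))

def suggest_rules(lines):
    """Map every AVC denial in lines to (rule, needs_review)."""
    return [(suggest_rule(r), needs_review(r)) for r in map(parse_avc, lines)
            if r and r["result"] == "denied"]
```

Running suggest_rules(AVC_LINES) yields exactly the two rules from the report, with the execmem one marked for review.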


Comment 1 Daniel Walsh 2005-07-05 14:24:33 UTC
Changing to config(noreplace) in rawhide.

What kernel are you running?


Comment 2 Marco Colombo 2005-07-05 18:00:20 UTC
I'm running kernel-2.6.11-1.14_FC3smp (unmodified).

Both 1.27_FC3 and now 1.35_FC3 have been considered low priority updates here. I
installed the rpms but I haven't rebooted the system yet. If I get the changelog
right, we're not directly affected by the bugs they fix, so I'm just waiting for
a scheduled reboot. Meanwhile I'll try and reproduce the problem on another host
that runs the latest kernel.

For now, I've got the following line added to the policy (it fixes the problem
for now w/o a reboot):

allow ntpd_t self:process execmem;

If you confirm it's a kernel issue and a kernel update fixes it (but I still
have doubts, it seems to me it's ntpd doing something and it's SELinux blocking
it), feel free to mark the bug as solved. I'll just wait for the next reboot and
remove the extra rule I added.

Comment 3 Marco Colombo 2005-07-08 09:03:57 UTC
I've upgraded to 2.6.11-1.35_FC3smp, removed the extra lines in the policy and
everything is fine now. Thanks.
