Bug 162591 - avc denied search for ntpd
Summary: avc denied search for ntpd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i586
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-06 17:01 UTC by Kasper Dupont
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-11 17:29:42 UTC



Description Kasper Dupont 2005-07-06 17:01:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114

Description of problem:
After upgrading from 1.17.30-3.9 to 1.17.30-3.13 the
system started producing error messages, and the clock
is no longer being synchronized with the ntp server.

Jul  6 17:57:00 skjelle kernel: audit(1120665420.971:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.063:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.064:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.065:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.066:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.067:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.16

How reproducible:
Always

Steps to Reproduce:
1. Boot


Additional info:

I found two bug reports which may be related to this,
but it doesn't look like exactly the same problem.
Bug #141345 and bug #155855.

Comment 1 Daniel Walsh 2005-07-11 17:29:42 UTC
You have a labeling problem.  Looks like you need to relabel:

touch /.autorelabel
reboot

Comment 2 Kasper Dupont 2005-07-15 08:23:44 UTC
Relabeling seems to have removed the symptoms. But why does upgrading
selinux-policy-targeted cause labeling problems?

Comment 3 Daniel Walsh 2005-07-15 17:46:59 UTC
It should not.  Did you boot with SELinux=0?  Or did you add a new disk?

file_t indicates a file without a file context.  I.e., that is what the kernel puts
in when a file was created outside of SELinux on a labeled file system.

Dan
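
Added example, not part of the original bug thread: a small triage script that parses AVC denial lines in the format shown in the description and counts those whose target type is file_t, the sign of a missing label described in comment 3. The function names are hypothetical, and the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# First two lines are copied from the report above; the third is a
# constructed denial against a labelled target (etc_t) for contrast.
SAMPLE_LOG = """\
Jul  6 17:57:00 skjelle kernel: audit(1120665420.971:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:01 skjelle kernel: audit(1120665421.063:0): avc:  denied  { search } for  pid=2800 exe=/usr/sbin/ntpd name=/ dev=md5 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul  6 17:57:02 skjelle kernel: audit(1120665422.000:0): avc:  denied  { read } for  pid=2800 exe=/usr/sbin/ntpd name=example.conf dev=md5 ino=4242 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def context_type(context):
    """Type is the third field of user:role:type[:mls-range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def unlabeled_targets(log_text):
    """Count denials whose target is file_t, keyed by (dev, ino, exe)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec.get("tcontext", "")) == "file_t":
            hits[(rec.get("dev"), rec.get("ino"), rec.get("exe"))] += 1
    return hits


if __name__ == "__main__":
    for (dev, ino, exe), n in unlabeled_targets(SAMPLE_LOG).items():
        print(f"{n} denial(s): {exe} hit unlabeled inode {ino} on {dev}; check labels")
```

Denials grouped on a filesystem root (ino=2 here) point at a whole filesystem that lacks labels rather than at a policy rule to add.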

Comment 4 Kasper Dupont 2005-07-15 19:28:23 UTC
/home had developed a few bad sectors, so the entire installation was copied to
a software raid-1 on two new disks. After removing the old disk, the system
worked without any problems for a few days until selinux-policy-targeted was
updated.

