Re: ntpd vs selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Paul Howarth wrote:
On Fri, 2006-06-30 at 22:58 -0500, Gene Heskett wrote:
Greetings;

It appears that the last selinux update has killed ntpd, as shown from my messages log:

Jun 30 22:37:14 diablo ntpd[1936]: sendto(194.145.249.108): Invalid argument
Jun 30 22:38:01 diablo ntpd[1936]: sendto(194.102.249.64): Invalid argument
Jun 30 22:42:04 diablo ntpd[1936]: sendto(193.40.133.134): Invalid argument

I have several pages of the above.

So to get a clean restart, I did a restart, and this error was logged.

Jun 30 22:52:34 diablo ntpd[1936]: ntpd exiting on signal 15
Jun 30 22:52:35 diablo kernel: audit(1151725955.188:14): avc: denied { read } for pid=23841 comm="ntpd" name=".fonts.cache-2" dev=hda5 ino=11556042 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

This avc is about ntpd being refused access to a .fonts.cache-2 file in
someone's home directory. Why it would be trying to access that I don't
know, but it has no business doing so.

Jun 30 22:52:35 diablo ntpd[23842]: ntpd 4.2.0a@xxxxxxxx Thu May 11 09:19:35 EDT 2006 (1)
Jun 30 22:52:35 diablo ntpd[23842]: precision = 6.000 usec
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, 0.0.0.0#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wildcard, ::#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface lo, 127.0.0.1#123
Jun 30 22:52:35 diablo ntpd[23842]: Listening on interface wlan0, 192.168.1.105#123
Jun 30 22:52:35 diablo ntpd[23842]: kernel time sync status 0040
Jun 30 22:52:36 diablo ntpd[23842]: frequency initialized -14.140 PPM from /var/lib/ntp/drift

It would appears that the avc did not prevent the startup of ntpd in any
case.

I assume something in yesterdays selinux update has done this, but I've now forgotten the magic phrase to invoke from the cli to cause a fix.

Can someone refresh my memory?

Try switching to permissive mode and restart ntpd:

# setenforce 0
# service ntpd restart

If ntpd is still not working, the problem lies elsewhere than SELinux.

Try re-enabling enforcing mode:

# setenforce 1

This may or may not make a difference, depending on whether:
1. It was an SELinux issue in the first place,
2. It was a startup issue, or
3. It was a regular runtime issue.

Paul.

Whatever it was Paul, it appears that the restart was sufficient to fix it, those messages are no longer being logged. Shortly after that snippet was pasted, I got this:
Jun 30 22:55:53 diablo ntpd[23842]: synchronized to LOCAL(0), stratum 10
Jun 30 22:55:53 diablo ntpd[23842]: kernel time sync disabled 0041
Jun 30 22:56:57 diablo ntpd[23842]: synchronized to 194.146.145.193, stratum 2
Jun 30 23:02:18 diablo ntpd[23842]: kernel time sync enabled 0001
Jun 30 23:11:12 diablo kernel: audit(1151727072.318:15): avc: denied { execmod } for pid=23946 comm="firefox-bin" name="libflashplayer.so" dev=hda5 ino=11686771 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file

But as I'd fired up firefox to do my nightly tour, it did log the above over the flashplayer lib. Whats the fix there?

Thanks.

--
Cheers, Gene

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux