Re: avc for gpsd and ntpd use of shm

On 03/18/2011 10:57 AM, Skunk Worx wrote:
> On 03/18/2011 07:23 AM, Daniel J Walsh wrote:
> On 03/18/2011 10:11 AM, Skunk Worx wrote:
>>>> Sup,
>>>>
>>>> I am using EPEL 6 and a garmin 18 LVC on a serial port with gpsd. I am
>>>> fairly new to the selinux environment.
>>>>
>>>> ntpd is supposed to be able to access a couple of shm locations to get
>>>> time from the gps daemon.
>>>>
>>>> In /var/log/messages I see :
>>>>
>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 0): Permission denied
>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.0 failed
>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 1): Permission denied
>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.1 failed
>>>>
>>>> Also avc messages :
>>>>
>>>> type=SYSCALL msg=audit(1300431471.964:16749): arch=40000003 syscall=117
>>>> success=no exit=-13 a0=17 a1=4e545031 a2=50 a3=3c0 items=0 ppid=1
>>>> pid=8795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>> type=AVC msg=audit(1300432211.929:16768): avc:  denied  { unix_read
>>>> unix_write } for  pid=8899 comm="ntpd" key=1314148400
>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>
>>>> type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117
>>>> success=no exit=-13 a0=17 a1=4e545030 a2=50 a3=3c0 items=0 ppid=1
>>>> pid=8899 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>> type=AVC msg=audit(1300432211.930:16769): avc:  denied  { unix_read
>>>> unix_write } for  pid=8899 comm="ntpd" key=1314148401
>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>
>>>> Here's some direction from audit2allow :
>>>>
>>>> # grep ntpd /var/log/audit/audit.log | audit2allow
>>>> #============= ntpd_t ==============
>>>> allow ntpd_t unconfined_t:shm { unix_read unix_write };
>>>>
>>>> Should I use audit2allow and create a policy package to fix this or is
>>>> there a better way?
>>>>
>>>> Thanks,
>>>> John
> Are you running this by hand and they eventually will run as a service?
> 
> unconfined_t indicates a logged in user process is running and ntpd_t is
> trying to access the shared memory of that type.

> gpsd and ntpd are both started via rc scripts. The ntpd is stock from 
> EPEL 6. The gpsd rc script is hand-rolled from a version I found on the 
> web, while the gpsd itself is locally compiled from gpsd-2.95.tar.gz.

> output of ps for the two daemons :
> ntp       8899     1  0 00:10 ?        00:00:00 ntpd -u ntp:ntp -p 
> /var/run/ntpd.pid -g
> nobody    8875     1  0 00:09 ?        00:00:38 /usr/local/sbin/gpsd -n 
> /dev/ttyS1

> ---
> John
Then kill the gpsd you have running and start it using the service gpsd
start script so it will run with the proper context.

Or even better, label your gpsd as gpsd_exec_t, since we have policy for it.

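As an added example that is not part of this thread, here is a small triage script over the AVC lines John posted: it pulls the source and target types out of each denial and flags the case above, where a confined daemon (ntpd_t) is refused a shm segment owned by unconfined_t, as a peer daemon that never entered its own domain rather than as a missing allow rule for audit2allow. The log text is copied from the thread (re-joined onto single lines); the classification labels and the remedy text are my own.

```python
import re
from dataclasses import dataclass

# Sample records copied from the denials quoted in the thread, plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1300432211.929:16768): avc:  denied  { unix_read unix_write }'
    ' for  pid=8899 comm="ntpd" key=1314148400 scontext=unconfined_u:system_r:ntpd_t:s0'
    ' tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm',
    'type=AVC msg=audit(1300432211.930:16769): avc:  denied  { unix_read unix_write }'
    ' for  pid=8899 comm="ntpd" key=1314148401 scontext=unconfined_u:system_r:ntpd_t:s0'
    ' tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm',
    'type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117 success=no',
])

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Denial:
    perms: tuple
    comm: str
    stype: str    # source (subject) type, e.g. ntpd_t
    ttype: str    # target (object) type, e.g. unconfined_t
    tclass: str   # object class, e.g. shm

def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is the third component.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return Denial(tuple(m.group('perms').split()), fields.get('comm', '?'), stype, ttype, fields['tclass'])

def triage(d):
    """Classify a denial. Labels are this example's own, not audit2allow output."""
    if d.ttype == 'unconfined_t':
        # A confined daemon touching an object owned by unconfined_t usually means the
        # peer was started from a login shell and never transitioned into its domain.
        return ('peer-not-confined',
                f'start the daemon owning the {d.tclass} via its service script, or label its '
                f'binary with its *_exec_t type, instead of allowing {d.stype} -> unconfined_t')
    return ('needs-policy-review', f'inspect why {d.stype} needs {d.tclass} access to {d.ttype}')

def triage_log(text):
    """Parse every AVC line in text and return (Denial, label, advice) triples."""
    return [(d, *triage(d)) for d in map(parse_avc, text.splitlines()) if d]
```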
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines