Re: avc for gpsd and ntpd use of shm

On 03/18/2011 08:51 AM, Daniel J Walsh wrote:
> On 03/18/2011 10:57 AM, Skunk Worx wrote:
>> On 03/18/2011 07:23 AM, Daniel J Walsh wrote:
>> On 03/18/2011 10:11 AM, Skunk Worx wrote:
>>>>> Sup,
>>>>>
>>>>> I am using EPEL 6 and a garmin 18 LVC on a serial port with gpsd. I am
>>>>> fairly new to the selinux environment.
>>>>>
>>>>> ntpd is supposed to be able to access a couple of shm locations to get
>>>>> time from the gps daemon.
>>>>>
>>>>> In /var/log/messages I see :
>>>>>
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 0): Permission denied
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.0 failed
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: SHM shmget (unit 1): Permission denied
>>>>> Mar 18 00:10:11 localhost ntpd[8899]: configuration of 127.127.28.1 failed
>>>>>
>>>>> Also avc messages :
>>>>>
>>>>> type=SYSCALL msg=audit(1300431471.964:16749): arch=40000003 syscall=117
>>>>> success=no exit=-13 a0=17 a1=4e545031 a2=50 a3=3c0 items=0 ppid=1
>>>>> pid=8795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1300432211.929:16768): avc:  denied  { unix_read
>>>>> unix_write } for  pid=8899 comm="ntpd" key=1314148400
>>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>>
>>>>> type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117
>>>>> success=no exit=-13 a0=17 a1=4e545030 a2=50 a3=3c0 items=0 ppid=1
>>>>> pid=8899 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>>> tty=(none) ses=12 comm="ntpd" exe="/usr/sbin/ntpd"
>>>>> subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1300432211.930:16769): avc:  denied  { unix_read
>>>>> unix_write } for  pid=8899 comm="ntpd" key=1314148401
>>>>> scontext=unconfined_u:system_r:ntpd_t:s0
>>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
>>>>>
>>>>> Here's some direction from audit2allow :
>>>>>
>>>>> # grep ntpd /var/log/audit/audit.log | audit2allow
>>>>> #============= ntpd_t ==============
>>>>> allow ntpd_t unconfined_t:shm { unix_read unix_write };
>>>>>
>>>>> Should I use audit2allow and create a policy package to fix this or is
>>>>> there a better way?
>>>>>
>>>>> Thanks,
>>>>> John
>> Are you running this by hand and they eventually will run as a service?
>>
>> unconfined_t indicates a logged-in user process is running and ntpd_t is
>> trying to access the shared memory of that type.
>
>> gpsd and ntpd are both started via rc scripts. The ntpd is stock from
>> EPEL 6. The gpsd rc script is hand-rolled from a version I found on the
>> web, while the gpsd itself is locally compiled from gpsd-2.95.tar.gz.
>
>> output of ps for the two daemons :
>> ntp       8899     1  0 00:10 ?        00:00:00 ntpd -u ntp:ntp -p
>> /var/run/ntpd.pid -g
>> nobody    8875     1  0 00:09 ?        00:00:38 /usr/local/sbin/gpsd -n
>> /dev/ttyS1
>
>> ---
>> John
> Then kill the gpsd you have running and start it using the service gpsd
> start script so it will run with the proper context.
>
> Or even better, label your gpsd as gpsd_exec_t, since we have policy for it.
>

Thanks ... I labelled the gpsd daemon per your suggestion and restarted 
both services. ntpd is accessing the GPS and PPS shm okay now.

---
John
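The diagnosis above can be automated. The following script is an added example, not code from the thread or from Fedora: it parses AVC records from audit.log, flags the pattern seen here (a confined daemon denied IPC access to an object owned by unconfined_t, which means the peer daemon was started from a login shell rather than in its own domain), and emits the relabel step Dan suggested. The binary path /usr/local/sbin/gpsd comes from the ps output in the thread; the semanage/restorecon invocations are standard policy tooling and are assumed, not quoted from the thread.

```python
"""Classify SELinux AVC denials and spot a confined domain (ntpd_t) being
denied IPC access to an object owned by unconfined_t, i.e. the peer daemon
(gpsd) is running in the login shell's context instead of its own domain."""
import re
from typing import Dict, List, Optional

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPC_CLASSES = {"shm", "sem", "msgq", "msg"}

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return denied permissions, object class and the SELinux *types* of
    source and target, or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "comm": fields.get("comm"),
        "perms": sorted(m.group("perms").split()),
        "tclass": fields.get("tclass"),
        "stype": fields["scontext"].split(":")[2],   # e.g. ntpd_t
        "ttype": fields["tcontext"].split(":")[2],   # e.g. unconfined_t
    }

def misplaced_peer_denials(lines: List[str]) -> List[Dict[str, object]]:
    """AVC denials where a confined domain touches an IPC object owned by
    unconfined_t: the object's creator is running outside its policy domain,
    so the fix is to relabel/restart that creator, not to allow the access."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["ttype"] == "unconfined_t" and rec["tclass"] in IPC_CLASSES:
            out.append(rec)
    return out

def relabel_commands(binary: str, exec_type: str) -> List[str]:
    """The thread's fix: give the locally built binary its entry-point label so
    the service script starts it in its own domain (assumed standard tooling)."""
    return [f"semanage fcontext -a -t {exec_type} '{binary}'", f"restorecon -v '{binary}'"]

# Constructed input: the thread's two AVC records plus one abbreviated SYSCALL
# record, each re-joined onto a single line as audit.log stores them.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1300432211.929:16768): arch=40000003 syscall=117 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)',
    'type=AVC msg=audit(1300432211.929:16768): avc:  denied  { unix_read unix_write } for  pid=8899 comm="ntpd" key=1314148400 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm',
    'type=AVC msg=audit(1300432211.930:16769): avc:  denied  { unix_read unix_write } for  pid=8899 comm="ntpd" key=1314148401 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm',
]

if __name__ == "__main__":
    for rec in misplaced_peer_denials(SAMPLE_LOG):
        print(f"{rec['comm']} ({rec['stype']}) denied {' '.join(rec['perms'])} on "
              f"{rec['tclass']} owned by {rec['ttype']}: peer daemon is not in its domain")
    print("\n".join(relabel_commands("/usr/local/sbin/gpsd", "gpsd_exec_t")))
```

After relabelling, `ps -eZ | grep gpsd` should show gpsd_t rather than unconfined_t, and the shm denials stop without any audit2allow module.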

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
