I've had to disable SELinux protection on ntpd, which seems a bit drastic, and would like to know if there's a more restrictive approach.

I'm using an MSF clock to pick up the Rugby (UK) time signal and a specialised daemon to interrogate the clock. This daemon communicates with ntpd via shared memory and is configured into ntpd as:

    server 127.127.28.0 #SHM reference clock
    fudge 127.127.1.0 stratum 2 refid "MSF"

Both daemons are running under the same (ntp) user.

This worked under Fedora Core 1 without any problems, but under Core 3 during boot the log contained:

    Oct 17 15:21:14 zoogz radioclkd[4639]: entering daemon mode
    Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to set real time scheduling
    Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to lock memory pages
    Oct 17 16:21:14 zoogz radioclkd: radioclkd startup succeeded
    Oct 17 16:21:30 zoogz ntpdate[4649]: step time server 192.36.143.150 offset -0.0
    Oct 17 16:21:30 zoogz ntpd: succeeded
    Oct 17 16:21:30 zoogz ntpd[4653]: ntpd 4.2.0a@xxxxxxxx Fri Aug 26 04:27:20 EDT 2
    Oct 17 16:21:30 zoogz ntpd: ntpd startup succeeded
    Oct 17 16:21:30 zoogz ntpd[4653]: precision = 3.000 usec
    Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard, 0.0.0.0#123
    Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard, ::#123
    Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface lo, 127.0.0.1#123
    Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface eth0, 192.168.7.2#123
    Oct 17 16:21:30 zoogz ntpd[4653]: kernel time sync status 0040
    Oct 17 16:21:30 zoogz kernel: audit(1129562490.239:3): avc: denied { ipc_owner } for pid=4653 comm="ntpd" capability=15 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
    Oct 17 16:21:30 zoogz ntpd[4653]: SHM shmget (unit 0): Permission denied
    Oct 17 16:21:30 zoogz ntpd[4653]: configuration of 127.127.28.0 failed
    Oct 17 16:21:30 zoogz ntpd[4653]: frequency initialized 126.404 PPM from /var/li
    Oct 17 16:24:49 zoogz ntpd[4653]: synchronized to 192.36.143.150, stratum 1

I can get the MSF to connect to ntpd if I turn off SELinux protection for ntpd, but this seems a bit drastic and in any case radioclkd is still complaining that it can't turn on realtime scheduling or lock the memory pages.

Is there a way to:

* allow radioclkd to set realtime scheduling
* allow radioclkd to lock memory pages
* allow ntpd to execute the shmget() call

without turning off SELinux protection for ntpd?

What about allowing radioclkd to set realtime scheduling and lock the required memory pages?

I apologise if I've sent this to the wrong list, but it seemed like the best one from the content of the Fedora SELinux documentation and would seem to be a general problem for at least some users who run ntpd.

Best regards,
Martin Gregorie

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
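
The AVC denial in the log above names a single missing permission for ntpd. As an added example that is not part of the original post, the Python below parses that log line and formats the candidate type-enforcement rule it corresponds to, the same mapping audit2allow performs. The function names are hypothetical, and the resulting rule is a candidate for review, not a policy tested on this system.

```python
import re

# The AVC denial from the boot log above, copied onto one line.
AVC_LINE = (
    'Oct 17 16:21:30 zoogz kernel: audit(1129562490.239:3): avc: denied '
    '{ ipc_owner } for pid=4653 comm="ntpd" capability=15 '
    'scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t '
    'tclass=capability'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type from user:role:type[:range], or None if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    perms = m.group('perms').split()
    source = context_type(fields.get('scontext', ''))
    target = context_type(fields.get('tcontext', ''))
    if not perms or not source or not target or 'tclass' not in fields:
        return None
    return {'perms': perms, 'comm': fields.get('comm', '').strip('"'),
            'source': source, 'target': target, 'tclass': fields['tclass']}


def candidate_rule(denial):
    """Format the denial as the allow rule that would permit it."""
    # A domain acting on itself (as with capabilities) is written "self".
    target = 'self' if denial['target'] == denial['source'] else denial['target']
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['source']} {target}:{denial['tclass']} {perm_text};"


if __name__ == '__main__':
    print(candidate_rule(parse_avc(AVC_LINE)))
```

The rule covers only ntpd's denial. The radioclkd scheduling and memory-locking errors in the log have no AVC line here from which a rule could be derived.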