Bug 966253 - SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cdc02a6698222e8c88077c552f9...
Depends On:
Blocks: F19-accepted, F19FinalFreezeException
 
Reported: 2013-05-22 21:07 UTC by markleeuw
Modified: 2014-02-01 01:14 UTC (History)
CC: 19 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-01 01:14:43 UTC
Type: ---
Embargoed:


Attachments
stop leaking file descriptors (6.03 KB, patch), 2013-06-12 23:07 UTC, Brian Lane
stop using os.system (3.14 KB, patch), 2013-06-12 23:08 UTC, Brian Lane

Description markleeuw 2013-05-22 21:07:04 UTC
Description of problem:
SELinux is preventing /usr/sbin/ntpdate from read, write access on the chr_file /dev/mapper/control.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore ntpdate trying to read write access the control chr_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/ntpdate /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that ntpdate should be allowed read write access on the control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ntpdate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:object_r:lvm_control_t:s0
Target Objects                /dev/mapper/control [ chr_file ]
Source                        ntpdate
Source Path                   /usr/sbin/ntpdate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntpdate-4.2.6p5-11.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.3-301.fc19.x86_64 #1 SMP Mon May 20 12:50:56 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-05-21 11:40:52 BST
Last Seen                     2013-05-21 11:41:17 BST
Local ID                      616ca72a-6328-4207-a7fe-9df70b7c750f

Raw Audit Messages
type=AVC msg=audit(1369132877.369:396): avc:  denied  { read write } for  pid=1202 comm="ntpdate" path="/dev/mapper/control" dev="devtmpfs" ino=1164 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1369132877.369:396): arch=x86_64 syscall=execve success=yes exit=0 a0=d92eb0 a1=d934b0 a2=d91f80 a3=7fffb93fb060 items=0 ppid=1197 pid=1202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ntpdate exe=/usr/sbin/ntpdate subj=system_u:system_r:ntpd_t:s0 key=(null)

Hash: ntpdate,ntpd_t,lvm_control_t,chr_file,read,write

audit2allow

#============= ntpd_t ==============
allow ntpd_t lvm_control_t:chr_file { read write };

audit2allow -R
You must regenerate interface info by running /usr/bin/sepolgen-ifgen


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.3-301.fc19.x86_64
type:           libreport

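An added check, written for this page rather than taken from setroubleshoot or the report, that reads the two raw audit records above and uses the SYSCALL record to decide which of the two setroubleshoot suggestions applies. The denial is logged against syscall=execve with success=yes: the access check ran during the domain transition, on descriptors the new ntpdate process inherited, not on anything ntpdate's own code opened, so the right fix is in the parent process and not a policy module. The grouping of records by audit serial and the diagnosis wording are this example's own; the sample records are the ones quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit records quoted in the report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1369132877.369:396): avc:  denied  { read write } for  pid=1202 comm="ntpdate" path="/dev/mapper/control" dev="devtmpfs" ino=1164 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1369132877.369:396): arch=x86_64 syscall=execve success=yes exit=0 a0=d92eb0 a1=d934b0 a2=d91f80 a3=7fffb93fb060 items=0 ppid=1197 pid=1202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ntpdate exe=/usr/sbin/ntpdate subj=system_u:system_r:ntpd_t:s0 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"serial": int(m.group("serial")), "ts": m.group("ts")}
    for key, value in KV_RE.findall(line):
        rec[key] = value.strip('"')
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def group_events(text):
    """Group records by audit serial; the AVC and SYSCALL lines of one event share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return events


def type_of(context):
    """system_u:system_r:ntpd_t:s0 -> ntpd_t"""
    return context.split(":")[2]


def classify(records):
    """Decide whether the denied access came from the program's own code or from a
    descriptor it inherited.  Returns None for events that carry no AVC record."""
    avcs = [r for r in records if r.get("type") == "AVC"]
    if not avcs:
        return None
    avc = avcs[0]
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), {})
    verdict = {
        "comm": avc.get("comm"),
        "path": avc.get("path"),
        "source_type": type_of(avc["scontext"]),
        "target_type": type_of(avc["tcontext"]),
        "tclass": avc.get("tclass"),
        "perms": avc.get("perms", []),
        "syscall": syscall.get("syscall"),
        "ppid": syscall.get("ppid"),
    }
    if syscall.get("syscall") == "execve":
        # The check ran during the exec itself, before any of the new program's code
        # executed: SELinux revalidates every open fd against the new domain at the
        # transition and closes the ones it may not keep.  The owner of the stray
        # descriptor is therefore the parent, not the program named in comm=.
        verdict["diagnosis"] = "inherited-fd"
        verdict["fix"] = ("close %s (or mark it close-on-exec) in parent pid %s before exec; "
                          "do not add a policy rule for %s"
                          % (verdict["path"], verdict["ppid"], verdict["source_type"]))
    else:
        verdict["diagnosis"] = "own-access"
        verdict["fix"] = "program opened %s itself; evaluate an allow or dontaudit rule" % verdict["path"]
    return verdict


def analyze(text):
    """Classify every event in an audit extract; returns a list of verdicts."""
    return [v for v in (classify(recs) for recs in group_events(text).values()) if v]


if __name__ == "__main__":
    for v in analyze(SAMPLE_AUDIT):
        print(v["diagnosis"], v["source_type"], "->", v["target_type"], v["tclass"], v["perms"])
        print(" ", v["fix"])
```

Run against a real log with `ausearch -m AVC,SYSCALL` output piped into `analyze`; an AVC whose SYSCALL record names open, openat, read or write is the program's own access and is the case the audit2allow suggestions above are written for.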
Comment 1 Justin Clift 2013-05-28 10:41:15 UTC
Description of problem:
This was caused by enabling ntpdate through the F19 installation GUI, plus manually typing in "clock.redhat.com" as an NTP source.

Which, now I look at it, seems to have been dropped on the floor. :(

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.x86_64
type:           libreport

Comment 2 Daniel Bossert 2013-05-29 10:15:09 UTC
Hello

I did not enter anything manually as an additional NTP source. This must have happened automatically.

Regards
Daniel

Comment 3 Brian Lane 2013-06-07 00:16:50 UTC
Are you doing a live install? I see these AVCs logged in a boot.iso install, but we run with selinux permissive so they are not fatal.

Either ntpdate needs to stop trying to touch /dev/mapper/control (why would it need to?) or the selinux rules need to be updated.

Comment 4 Robert Lightfoot 2013-06-07 01:44:33 UTC
Description of problem:
Fresh Install F19-i386-Final-TC1

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport

Comment 5 Robert Lightfoot 2013-06-07 01:47:04 UTC
Nominating for freeze exception.  If this was in a release blocking DE it would be a final release blocker, thus it qualifies as freeze exception.

Comment 6 Miroslav Lichvar 2013-06-07 09:33:50 UTC
ntpdate doesn't touch /dev/mapper/control and its code hasn't changed in a long time. This looks more like a leaked file descriptor coming from the process which runs ntpdate. Reassigning back to anaconda.

Comment 7 Daniel Walsh 2013-06-07 20:30:29 UTC
Yes, this has nothing to do with ntpdate other than it is being passed a fd open to /dev/mapper/control and SELinux is shutting it down.

This is probably the lvm code used in anaconda leaking a file descriptor

Comment 8 Adam Williamson 2013-06-10 17:36:08 UTC
Discussed at 2013-06-10 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-10/f19final-blocker-review-4.2013-06-10-16.01.log.txt . 

If this occurred on a GNOME or KDE (release-blocking desktop) live install on a fairly 'normal' path through the installer it may well constitute a release blocking issue, so if anyone can reliably reproduce on GNOME or KDE, please speak up. For now we did a quick test of a TC2 GNOME install and did not hit the AVC. With the number of reports on this bug, though, we at least accept it as a freeze exception issue; AVCs during install look really bad and should be fixed when possible. If the fix is too complex, though, we may have to live with it.

Comment 9 Brian Lane 2013-06-12 21:27:29 UTC
The way the date/time spoke is written currently depends on using os.system for the ntpdate call. This isn't likely to be changed this late in F19.

Comment 10 Brian Lane 2013-06-12 23:07:46 UTC
Created attachment 760338 [details]
stop leaking file descriptors

Comment 11 Brian Lane 2013-06-12 23:08:51 UTC
Created attachment 760339 [details]
stop using os.system

This patch causes problems with the date/time screen. It blocks on completion of the ntpdate execution. We need to rethink how we're doing things in this spoke.
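
An added example, not code from anaconda and not the content of the two attached patches (which are not shown on this page), reproducing the mechanism described in comments 6, 7 and 9: a descriptor that is not close-on-exec survives os.system() into the child, where SELinux then sees the child's domain holding it. A temporary file stands in for /dev/mapper/control (opening the real device needs root and LVM), and the two fixes shown correspond to the attachment titles: marking the descriptor close-on-exec at the source, and spawning through subprocess with close_fds=True instead of os.system. The helper names are this example's own.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Child program, run with the same interpreter: exit 0 if the fd number in argv[1]
# is open in the child and refers to the file at argv[2], otherwise exit 1.
# Comparing inodes guards against the number being reused for something else.
CHILD = (
    "import os,sys\n"
    "fd,path=int(sys.argv[1]),sys.argv[2]\n"
    "try:\n"
    "    same=os.fstat(fd).st_ino==os.stat(path).st_ino\n"
    "except OSError:\n"
    "    same=False\n"
    "sys.exit(0 if same else 1)\n"
)


def child_sees_fd(fd, path, via_os_system, close_fds=True):
    """Spawn the child and report whether the descriptor survived the exec."""
    argv = [sys.executable, "-c", CHILD, str(fd), path]
    if via_os_system:
        # os.system() is system(3): /bin/sh -c with no descriptor hygiene at all.
        status = os.system(" ".join(shlex.quote(a) for a in argv))
        return os.WEXITSTATUS(status) == 0
    return subprocess.run(argv, close_fds=close_fds).returncode == 0


def leak_demo():
    """Reproduce the leak and both fixes; returns {scenario: child saw the fd}."""
    tmp_fd, path = tempfile.mkstemp()   # stand-in for /dev/mapper/control
    os.close(tmp_fd)
    fd = os.open(path, os.O_RDWR)
    # Python >= 3.4 opens descriptors close-on-exec by default; a C library
    # calling open() without O_CLOEXEC (the situation comment 7 describes) does
    # not, so make the descriptor inheritable to model that.
    os.set_inheritable(fd, True)
    try:
        results = {
            # the bug: inheritable fd plus os.system, the child sees it
            "os_system_inheritable": child_sees_fd(fd, path, via_os_system=True),
            # fix 2 ("stop using os.system"): close_fds=True closes all but 0/1/2
            "subprocess_close_fds": child_sees_fd(fd, path, via_os_system=False, close_fds=True),
            # close_fds=False keeps the leak even without os.system
            "subprocess_keep_fds": child_sees_fd(fd, path, via_os_system=False, close_fds=False),
        }
        # fix 1 ("stop leaking file descriptors"): close-on-exec at the source
        os.set_inheritable(fd, False)
        results["os_system_cloexec"] = child_sees_fd(fd, path, via_os_system=True)
    finally:
        os.close(fd)
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, leaked in leak_demo().items():
        print("%-24s child sees fd: %s" % (name, leaked))
```

subprocess.run waits for the child, which is the blocking behaviour this comment describes for the date/time screen; subprocess.Popen with the same close_fds=True gives the descriptor hygiene without waiting, and the close-on-exec fix works regardless of how the child is spawned. Both fixes are POSIX-only as written (os.system's return value and O_CLOEXEC semantics).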

Comment 12 ryanj 2013-06-13 19:19:07 UTC
Description of problem:
fresh install of fedora 19 with MATE wm produces SELinux errors

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport

Comment 13 Hans de Goede 2013-06-18 16:09:09 UTC
Description of problem:
Installed F-19 tc2 arm, enabled ntp, logged into an xfce session, then had this selinux alert waiting for me.

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.4.43.sun5i+
type:           libreport

Comment 14 gil cattaneo 2013-08-23 15:55:30 UTC
Description of problem:
during compiling a java library simple-xml 2.7.1 (http://simple.sourceforge.net/)

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.i686
type:           libreport

Comment 15 Brian Lane 2014-02-01 01:14:43 UTC
We no longer use ntpdate.

