Re: NTPD vs SELinux question

Martin Gregorie wrote:
> I've had to disable SELinux protection on ntpd, which seems a bit
> drastic, and would like to know if there's a more restrictive approach.
>
> I'm using an MSF clock to pick up the Rugby (UK) time signal and a
> specialised daemon to interrogate the clock. This daemon communicates
> with ntpd via shared memory and is configured into ntpd as:
>
> server 127.127.28.0     #SHM reference clock
> fudge  127.127.1.0 stratum 2 refid "MSF"
>                                                                                 
> Both daemons are running under the same (ntp) user. This worked under Fedora 
> Core 1 without any problems, but under Core 3 during boot the log contained:
>
> Oct 17 15:21:14 zoogz radioclkd[4639]: entering daemon mode
> Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to set real time
> scheduling
> Oct 17 15:21:14 zoogz radioclkd[4639]: error unable to lock memory pages
> Oct 17 16:21:14 zoogz radioclkd: radioclkd startup succeeded
> Oct 17 16:21:30 zoogz ntpdate[4649]: step time server 192.36.143.150
> offset -0.0Oct 17 16:21:30 zoogz ntpd:  succeeded
> Oct 17 16:21:30 zoogz ntpd[4653]: ntpd 4.2.0a@xxxxxxxx Fri Aug 26
> 04:27:20 EDT 2Oct 17 16:21:30 zoogz ntpd: ntpd startup succeeded
> Oct 17 16:21:30 zoogz ntpd[4653]: precision = 3.000 usec
> Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard,
> 0.0.0.0#123
> Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface wildcard,
> ::#123
> Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface lo,
> 127.0.0.1#123
> Oct 17 16:21:30 zoogz ntpd[4653]: Listening on interface eth0,
> 192.168.7.2#123
> Oct 17 16:21:30 zoogz ntpd[4653]: kernel time sync status 0040
> Oct 17 16:21:30 zoogz kernel: audit(1129562490.239:3): avc:  denied  {
> ipc_owner } for  pid=4653 comm="ntpd" capability=15
> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
> tclass=capability
> Oct 17 16:21:30 zoogz ntpd[4653]: SHM shmget (unit 0): Permission denied
> Oct 17 16:21:30 zoogz ntpd[4653]: configuration of 127.127.28.0 failed
> Oct 17 16:21:30 zoogz ntpd[4653]: frequency initialized 126.404 PPM from
> /var/liOct 17 16:24:49 zoogz ntpd[4653]: synchronized to 192.36.143.150,
> stratum 1
>
> I can get the MSF to connect to ntpd if I turn off SELinux protection
> for ntpd, but this seems a bit drastic and in any case radioclkd is
> still complaining that it can't turn on realtime scheduling or lock the
> memory pages.
>
> Is there a way to:
>       * allow radioclkd to set realtime scheduling
>       * allow radioclkd to lock memory pages
>       * allow ntpd to execute the shmget() call
>
> without turning off SELinux protection for ntpd? What about allowing
> radioclkd to set realtime scheduling and lock the required memory
> pages?. 
>
> I apologise if I've sent this to the wrong list, but it seemed like the
> best one from the content of the Fedora SELinux documentation and would
> seen to be a general problem for at least some users who run ntpd.
>
> Best regards,
> Martin Gregorie
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
Could you turn off enforcing mode and grab all the AVC Messages that are 
generated?
setenforce 0



--