
Re: AVCs with ntpd



On Mon, 2004-09-20 at 08:18, Felipe Alfaro Solana wrote:
> 2. Recompiled the kernel with SELinux support

The Fedora kernel SRPM or a kernel.org kernel?

> audit(1095681913.039:0): avc: denied  { search } for  pid=2515 
> exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t 
> tcontext=user_u:object_r:tmpfs_t tclass=dir
> 
> The problem here is that I'm using UDEV and that the initial ramdisk 
> mounts a tmpfs on top of "/dev", thus, covering the labeled "/dev" that 
> resides on disk.
> 
> How should I fix this?

This works fine on my rawhide systems, but I am using the Fedora kernel,
and it includes a patch to add xattr support to tmpfs so that udev can
label the tmpfs inodes with the correct security context.  The tmpfs
xattr support is not yet in the mainline kernel, but should be soon.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
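
Added example, not part of the original message: a small Python parser for AVC records in the format quoted above that flags denials whose target is on a tmpfs device and still carries the generic tmpfs_t type, which is the symptom of udev being unable to label tmpfs inodes. The function names and the sample records are constructed for illustration.

```python
import re

# Constructed sample records in the AVC format quoted in the thread.
# The second record is a control case that must not be flagged.
SAMPLE = [
    "audit(1095681913.039:0): avc: denied  { search } for  pid=2515 "
    "exe=/usr/sbin/ntpd dev=tmpfs ino=357 scontext=user_u:system_r:ntpd_t "
    "tcontext=user_u:object_r:tmpfs_t tclass=dir",
    "audit(1095681950.101:0): avc: denied  { read } for  pid=2600 "
    "exe=/usr/sbin/ntpd dev=hda2 ino=4411 scontext=user_u:system_r:ntpd_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)


def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec[key] = value
    # A security context is user:role:type (optionally followed by a level).
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def unlabeled_tmpfs_denials(lines):
    """Denials where the target lives on tmpfs and has the default tmpfs_t type."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("dev") == "tmpfs" and rec["tcontext_type"] == "tmpfs_t":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unlabeled_tmpfs_denials(SAMPLE):
        print("%s (%s) denied %s on unlabeled tmpfs %s ino=%s" % (
            rec["exe"], rec["scontext_type"], ",".join(rec["perms"]),
            rec["tclass"], rec["ino"]))
```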

