Denied despite permissive mode?

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 19 16:20:45 UTC 2007


On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
> Hi,
> 
> 1. Should I be getting denied in permissive mode?

No.

> 2. How do I get ntpd working?  (Also, smartd has the same problem, but 
> they both used to work some months ago.)
> 
> [root at z ~]# getsebool -a | grep exec
> allow_execheap --> on
> allow_execmem --> on
> allow_execmod --> on
> allow_execstack --> on
> allow_java_execstack --> off
> httpd_ssi_exec --> on
> httpd_suexec_disable_trans --> off
> [root at z ~]# getenforce
> Permissive
> [root at z ~]# /sbin/service ntpd start
> Starting ntpd: SELinux denied execmem.

Hmm...that's interesting.  What is generating that message ("SELinux
denied execmem")?  A SELinux denial only manifests as an audit message
(in /var/log/messages or /var/log/audit/audit.log) and as an error
return from the kernel (with errno EACCES, but not distinguished from
other potential reasons for permission denied there), so some userland
component is displaying that message for you, not SELinux itself.  

I'd guess that the application or script is getting an error and
incorrectly assuming that it was SELinux that was the culprit, as
permissive mode shouldn't deny anything.

>                                                            [FAILED]
> [root at z ~]# cat /etc/fedora-release
> Fedora Core release 5 (Bordeaux)
> [root at z ~]# uname -a
> Linux z.localdomain 2.6.20-1.2312.fc5 #1 Tue Apr 10 15:09:44 EDT 2007 
> i686 athlon i386 GNU/Linux
> 
> 
> 
> Andrew
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
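
The reply above notes that a real SELinux denial shows up as an audit message, so a "SELinux denied execmem" claim can be checked against the log. The following is an added example, not part of the original message: the function names `avc_denials` and `avc_verdict` and the sample records are constructed for illustration, and it assumes the standard AVC record layout, where newer kernels append a `permissive=` field and older ones do not.

```shell
#!/bin/sh
# Constructed sample records (not from the thread). The first uses the older
# AVC layout with no permissive= field; the second carries permissive=1.
SAMPLE_LOG='type=AVC msg=audit(1176999645.101:40): avc:  denied  { execmem } for  pid=2301 comm="ntpd" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=process
type=AVC msg=audit(1176999650.207:41): avc:  denied  { read write } for  pid=2310 comm="smartd" name="sda" dev=tmpfs ino=1234 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file permissive=1
type=SYSCALL msg=audit(1176999650.207:41): arch=40000003 syscall=5 success=yes exit=3 comm="smartd"'

# avc_denials COMM PERM
# Reads audit records on stdin and prints "comm perm tclass mode" for every
# AVC denial of PERM logged for COMM. mode is 0 (enforced), 1 (permissive,
# logged only) or "unknown" when the record has no permissive= field.
avc_denials() {
    awk -v comm="$1" -v perm="$2" '
        /avc: +denied/ {
            if (!match($0, /comm="[^"]*"/)) next
            if (substr($0, RSTART + 6, RLENGTH - 7) != comm) next
            # Permission list sits between braces: { read write }
            if (!match($0, /[{][^}]*[}]/)) next
            perms = " " substr($0, RSTART + 1, RLENGTH - 2) " "
            gsub(/ +/, " ", perms)
            if (!index(perms, " " perm " ")) next
            tclass = "?"; mode = "unknown"
            if (match($0, /tclass=[^ ]+/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /permissive=[01]/)) mode = substr($0, RSTART + 11, 1)
            print comm, perm, tclass, mode
        }'
}

# avc_verdict COMM PERM
# Summarises stdin as one word:
#   no-avc            nothing logged, so the error came from somewhere else
#   enforced          at least one matching denial was actually enforced
#   logged-only       denials were logged in permissive mode and not enforced
#   mode-not-recorded denial logged, but the record does not say which mode
avc_verdict() {
    hits=$(avc_denials "$1" "$2")
    if [ -z "$hits" ]; then echo "no-avc"
    elif printf '%s\n' "$hits" | grep -q ' 0$'; then echo "enforced"
    elif printf '%s\n' "$hits" | grep -q ' unknown$'; then echo "mode-not-recorded"
    else echo "logged-only"
    fi
}

# Demo on the constructed records.
printf '%s\n' "$SAMPLE_LOG" | avc_verdict ntpd execmem
```

On a live system the same functions can read `/var/log/audit/audit.log` or `/var/log/messages` on stdin; a `mode-not-recorded` result has to be paired with what `getenforce` reported at the time.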



