Bug 59633 - selinux-ntp change for net-misc/openntpd
Summary: selinux-ntp change for net-misc/openntpd
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 62904
Reported: 2004-08-06 13:47 UTC by petre rodan (RETIRED)
Modified: 2004-10-02 13:14 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description petre rodan (RETIRED) gentoo-dev 2004-08-06 13:47:57 UTC
A very small number of changes would allow net-misc/openntpd to share sec-policy/selinux-ntp with net-misc/ntp.

ntpd.te

+ # for net-misc/openntpd
+ allow ntpd_t self:capability { sys_chroot };
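Review bot: the `allow ntpd_t self:capability { sys_chroot };` rule is unconditional, so net-misc/ntp, which shares the ntpd_t domain under this policy, gains the chroot capability as well even though the comment marks it as for openntpd only; either put it in a conditional/tunable block or reword the comment to state that both daemons get it. A chroot also needs the directory it enters to be labelled and searchable by ntpd_t, and nothing in this hunk covers that, so confirm the existing policy already does.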

ntpd.fc

+ # for net-misc/openntpd
+ /usr/sbin/ntpd                  --      system_u:object_r:ntpd_exec_t
+ /etc/ntpd\.conf                 --      system_u:object_r:ntp_etc_t
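Review bot: `/etc/ntpd\.conf` with the `--` specifier only matches a regular file at exactly that path, so confirm that this is where the openntpd ebuild installs its config (a symlink or a different location would leave it unlabelled). Also check whether ntpd.fc already carries a `/usr/sbin/ntpd` entry for net-misc/ntp; if so, the new line is a duplicate and one of the two should be dropped.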

on one of the servers,
allow ntpd_t self:capability { kill };
audit(1091824603.909:0): avc:  denied  { kill } for  pid=5515 exe=/usr/sbin/ntpd capability=5 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability

was also needed when stopping the daemon. I don't get how this is not needed on 2 other similar servers ...

peter

BTW, I will be on holiday until the 16th of August, with slight chances of having connectivity/mail from those mountain places I'll go to.
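As an added example (not part of the bug report or of the selinux-ntp policy), a small Python helper that turns AVC denials like the one quoted above into the matching allow rules; the second log line is constructed to show how permissions for one source/target/class pair are merged into a single rule:

```python
import re

# Constructed sample log: the kill denial quoted in the bug report, plus a
# constructed sys_chroot denial for the same domain (CAP_SYS_CHROOT is 18).
SAMPLE_AVC = """\
audit(1091824603.909:0): avc:  denied  { kill } for  pid=5515 exe=/usr/sbin/ntpd capability=5 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
audit(1091824700.112:0): avc:  denied  { sys_chroot } for  pid=5516 exe=/usr/sbin/ntpd capability=18 scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    # The remainder is a run of key=value tokens; keep only well-formed ones.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def denials_to_rules(log_text):
    """Aggregate denials into allow rules, one per (source, target, class).

    The output is a starting point for review, not something to paste blindly:
    as comment 1 on the bug notes, a capability like kill is only acceptable
    here because ntpd_t can signal nothing but itself.
    """
    merged = {}
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append("allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms))))
    return rules
```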
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2004-09-02 18:43:34 UTC
All this looks good. The reason that the kill capability is needed is because of this:

root     14209  0.0  0.5  3760 1360 ?        Ss   00:59   0:00 /usr/sbin/ntpd
ntp      13134  0.0  0.5  3760 1416 ?        S    00:59   0:00  \_ /usr/sbin/ntpd

Most likely the parent process is signalling (probably SIGKILL or SIGTERM) the child. You need the kill capability when sending the signal to a process running under a different user. Since ntpd_t can only signal itself, it should be OK for it to have kill.
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-10-02 13:14:06 UTC
In CVS.