/etc/init.d/ntpd creates the file /var/run/ntpd.pid so that it can reset its user:group to ntp:ntp before launching the daemon ntpd. This causes ntpd.pid to have a context of initrc_var_run_t instead of ntpd_var_run_t. The latter is what SELinux requires (as defined in ntpd.te) to allow ntpd to access the ntpd.pid file. Also, the following line needs to be inserted into ntpd.fc (but this doesn't really cause the above error):

/var/run/ntpd.pid -- system_u:object_r:ntpd_var_run_t

Reproducible: Always

Steps to Reproduce:
1. emerge ntpd, 'make load' the SELinux policy
2. correct the ntp line in /etc/group from 'ntp:x:' to 'ntp::ntp'
3. start ntpd from the console with /etc/init.d/ntpd start

Actual Results:
avc messages: denied { write getattr } for ntpd.pid
ntpd log entry: can't access pid file
empty /var/run/ntpd.pid file created with context of initrc_var_run_t
ntpd continues to run, but init can't stop it without a valid pid file

Expected Results:
/var/run/ntpd.pid should have a context of ntpd_var_run_t to allow ntpd to access this file

I have temporarily circumvented this problem by adding

allow ntpd_t initrc_var_run_t:file { getattr write };

to my policy, but this is a hack and not a solution.
I received the following solution from Thomas Bleher: add the following line to /etc/init.d/ntpd directly after the chown:

[ -e /sbin/restorecon ] && /sbin/restorecon /var/run/ntpd.pid

That looks like it will do the trick, but I haven't had a chance to test it yet.
Pid files should be created by the daemons themselves and not by init scripts. We simply have to move the pid file into a directory where the ntp user will be able to write (like /var/run/ntpd/), and drop the 'touch' and 'chown' from the init script.
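As an added example (not code from this bug thread or from Gentoo's ntpd init script), the two pieces an init script needs if the pid file is moved into a per-daemon directory as proposed in the comment above: create the directory owned by the service user, relabelling it when SELinux is active, and after startup verify that the pid file the daemon wrote is non-empty, owned by the expected user and carries the expected SELinux type. It assumes GNU coreutils stat(1) (`%U` for owner, `%C` for the SELinux context); the directory, user and type names are parameters, not fixed paths, and the owner to expect depends on whether the daemon writes its pid file before or after dropping privileges.

```shell
#!/bin/sh
# Added example, not the ntpd init script from the thread.
# Assumes GNU coreutils stat(1); SELinux handling is skipped when
# /sys/fs/selinux is not mounted.

# prepare_rundir DIR USER
# Create DIR owned by USER so the daemon can write its own pid file there.
# There is deliberately no touch/chown of the pid file itself: when the
# daemon creates the file, it gets the type the policy assigns to the
# daemon's domain instead of the init script's initrc_var_run_t.
prepare_rundir() {
    dir=$1; user=$2
    mkdir -p "$dir" || return 1
    chown "$user" "$dir" || return 1
    chmod 0755 "$dir" || return 1
    # Relabel from the file contexts (e.g. ntpd.fc) only when SELinux is
    # active and restorecon is installed.
    if [ -d /sys/fs/selinux ] && [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$dir" || return 1
    fi
    return 0
}

# check_pidfile PIDFILE USER [TYPE]
# Return 0 when PIDFILE exists, holds a numeric pid, is owned by USER and,
# if TYPE is given and SELinux is active, carries SELinux type TYPE
# (e.g. ntpd_var_run_t). An empty pid file, the symptom in the report
# above, is reported as a failure so stop() is not left without a pid.
check_pidfile() {
    pidfile=$1; user=$2; type=$3
    if [ ! -f "$pidfile" ]; then
        echo "check_pidfile: $pidfile missing" >&2; return 1
    fi
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*)
            echo "check_pidfile: $pidfile has no numeric pid" >&2; return 1 ;;
    esac
    owner=$(stat -c %U "$pidfile") || return 1
    if [ "$owner" != "$user" ]; then
        echo "check_pidfile: $pidfile owned by $owner, expected $user" >&2
        return 1
    fi
    if [ -n "$type" ] && [ -d /sys/fs/selinux ]; then
        # stat prints the context as user:role:type:level; field 3 is the type.
        ctx=$(stat -c %C "$pidfile") || return 1
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$have" != "$type" ]; then
            echo "check_pidfile: $pidfile is $ctx, expected type $type" >&2
            return 1
        fi
    fi
    return 0
}

# Usage from a start() function, with the directory proposed in the thread
# (the owner argument is root if the daemon writes the pid before setuid,
# ntp if it writes it afterwards):
#   prepare_rundir /var/run/ntpd ntp || return 1
#   /usr/bin/ntpd -p /var/run/ntpd/ntpd.pid ${NTPD_OPTS}
#   check_pidfile /var/run/ntpd/ntpd.pid root ntpd_var_run_t
```

The check is meant to run right after the daemon is started so that a wrong owner or label (or an empty file) shows up in the init script's output instead of only as an AVC message later when stop() cannot find the pid.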
Created attachment 42785 [details]
ntpd

Use this init script. No changes have to be made to the policy.
Does this work even if NTPD_OPTS remains "-u ntp:ntp"? I should maybe add that I had another avc denial which required adding "allow ntpd_t self:capability dac_override" to the policy. Is this related to the user:group issue?
Richard: no dac_override is needed if you enforce. vapier: is it safe to remove the following lines from the ntpd init script: --- ntpd.orig 2004-10-07 13:00:35.000000000 +0300 +++ ntpd 2004-10-28 16:30:29.360200024 +0300 @@ -22,11 +22,6 @@ checkconfig || return $? ebegin "Starting ntpd" - touch /var/run/ntpd.pid - if ! chown ntp:ntp /var/run/ntpd.pid ; then - eend 1 "unable to chown pid file" - return 1 - fi /usr/bin/ntpd -p /var/run/ntpd.pid ${NTPD_OPTS} eend $? "Failed to start ntpd" } ntpd.pid is created before the privilege drop takes place, so the daemon can create its pid file without any help.
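Review bot: the hunk removes the touch/chown but keeps `/usr/bin/ntpd -p /var/run/ntpd.pid`, so a stale /var/run/ntpd.pid left behind by the previous init script (labelled initrc_var_run_t, as in the report above) may still be the file ntpd opens and may still hit the same write/getattr denial until it is removed or relabelled; consider adding `rm -f /var/run/ntpd.pid` (or a `restorecon` when available) before the `/usr/bin/ntpd` line, and a one-line comment in the script stating that ntpd writes the pid file before dropping to ntp, since stop() depends on that assumption holding.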
Added fix to ntpd.rc as proposed.
Marking as FIXED. Thanks, vapier.