View Issue Details

ID: 0015506
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-12-03 00:18
Status: new
Resolution: open
Platform: armv7l
OS: CentOS Linux (AltArch)
OS Version: 4.14.78-v7.1.el7
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0015506: Missing read access permission for ntpd on resolv.conf
Description: ntpd fails to synchronize clock due to permission issue

I am not sure whether this is a SELinux policy issue or a core ntpd issue:
1. The policy is clearly not consistent with the behavior of the application
2. I find it weird that an application is directly reading resolv.conf
Steps To Reproduce:
1. Install CentOS-Userland-7-armv7hl-RaspberryPI-Minimal-1804-sda.raw on a Raspberry PI 3 B+
2. Install ntpd and start it.
3. Observe host's clock failing to get synchronized
3. Observe ntpd_intres emitting "host name not found" log entries
4. Find "SELinux is preventing /usr/sbin/ntpd from read access on the file resolv.conf" in the audit log
Tags: 7.5, ntp, security




2018-12-02 08:05

reporter   ~0033187

When checking the audit log, I am seeing a number of other services (including /usr/sbin/rsyslogd) missing read access on resolv.conf...


2018-12-02 16:38

developer   ~0033189

1) why ntpd instead of chronyd (this is more of a personal question than a bug related one)
2) what is the output of "restorecon -Rv /etc/resolv.conf"
3) have you updated to the latest CR?


2018-12-02 20:26

reporter   ~0033192

1.) I didn't know there were any alternatives to ntpd until this issue prompted me to look for one (which happened yesterday). (BTW, chrony seems to have had the same issue in my environment: "SELinux is preventing /usr/sbin/chronyd from read access on the file resolv.conf")
2.) The output of "restorecon -Rv /etc/resolv.conf" is NOW empty. Sorry, but I executed "semanage fcontext -a -t net_conf_t /etc/resolv.conf; /sbin/restorecon -v /etc/resolv.conf" earlier today (after I filed this report).
3.) I am not sure what "yum update" does in terms of CRs, but I did a "yum update" yesterday before this issue came up. (How do I update to the latest CR?)


2018-12-03 00:18

developer   ~0033193

1) chronyd is the default "time client" in 7
2) ack
3) This is what I meant. CR now contains almost all the bits that will be part of 7.6, that is until 7.6 is released (soon).
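
One way to triage the denials discussed in this thread, as an added example that is not part of the original report: it groups AVC records by target file and label, so that several domains denied on one file with an unexpected type show up as a labeling problem rather than a missing policy rule. The log lines, the `tmp_t` label and the `mydaemon_t` domain are constructed, and records are assumed to carry `name=`; `net_conf_t` is the type the reporter applied with `semanage fcontext`.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the report); records are assumed to
# carry name=. tmp_t and mydaemon_t are assumed values for illustration.
_AVC = ('type=AVC msg=audit(1543737600.{n}:{n}): avc:  denied  {{ read }} for  pid={n} '
        'comm="{comm}" name="resolv.conf" dev="mmcblk0p3" ino=4711 '
        'scontext=system_u:system_r:{src}:s0 tcontext=system_u:object_r:{tgt}:s0 '
        'tclass=file permissive=0')
SAMPLE_AUDIT_LOG = "\n".join([
    _AVC.format(n=211, comm="ntpd", src="ntpd_t", tgt="tmp_t"),
    _AVC.format(n=212, comm="rsyslogd", src="syslogd_t", tgt="tmp_t"),
    _AVC.format(n=213, comm="chronyd", src="chronyd_t", tgt="tmp_t"),
    _AVC.format(n=214, comm="mydaemon", src="mydaemon_t", tgt="net_conf_t"),
    'type=SYSCALL msg=audit(1543737600.211:211): arch=40000028 syscall=322 success=no',
])

EXPECTED_TYPE = {"resolv.conf": "net_conf_t"}  # type named in the reporter's semanage command

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{[^}]*\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Yield one dict per AVC denial; non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m.groupdict()

def triage(text, expected=EXPECTED_TYPE):
    """Group file denials by (name, target type) and classify each group."""
    groups = defaultdict(set)
    for rec in parse_denials(text):
        if rec["tclass"] == "file":
            stype, ttype = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
            groups[(rec["name"], ttype)].add(stype)
    findings = []
    for (name, ttype), domains in sorted(groups.items()):
        want = expected.get(name)
        if want is None:
            verdict = "unknown"      # no expected type configured for this file
        elif ttype != want:
            verdict = "mislabeled"   # fix the file label (restorecon), not the policy
        else:
            verdict = "policy"       # label is as expected; the domain lacks the rule
        findings.append((name, ttype, sorted(domains), verdict))
    return findings
```

On a live system the text passed to `triage()` would be the contents of `/var/log/audit/audit.log`.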

Issue History

Date Modified Username Field Change
2018-12-02 08:00 pdkovacs New Issue
2018-12-02 08:00 pdkovacs Tag Attached: 7.5
2018-12-02 08:00 pdkovacs Tag Attached: ntp
2018-12-02 08:00 pdkovacs Tag Attached: security
2018-12-02 08:05 pdkovacs Note Added: 0033187
2018-12-02 16:38 pgreco Note Added: 0033189
2018-12-02 20:26 pdkovacs Note Added: 0033192
2018-12-03 00:18 pgreco Note Added: 0033193