View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0015506||CentOS-7||selinux-policy||public||2018-12-02 08:00||2018-12-03 00:18|
|Platform||armv7l||OS||CentOS Linux (AltArch)||OS Version||4.14.78-v7.1.el7|
|Target Version||Fixed in Version|
|Summary||0015506: Missing read access permission for ntpd on resolv.conf|
|Description||ntpd fails to synchronize clock due to permission issue|
I am not sure whether this is a SELinux policy issue or a core ntpd issue:
1. The policy is clearly not consistent with the behavior of the application
2. I find it weird that an application is directly reading resolv.conf
|Steps To Reproduce||1. Install CentOS-Userland-7-armv7hl-RaspberryPI-Minimal-1804-sda.raw on a Raspberry PI 3 B+|
2. Install ntpd and start it.
3. Observe host's clock failing to get synchronized
3. Observe ntpd_intres emitting "host name not found" log entries
4. Find "SELinux is preventing /usr/sbin/ntpd from read access on the file resolv.conf" in the audit log
|Tags||7.5, ntp, security|
|When checking the audit log, I am seeing a number of other services (including /usr/sbin/rsyslogd) missing read access on resolv.conf...|
1) why ntpd instead of chronyd (this is more of a personal question than a bug related one)
2) what is the output of "restorecon -Rv /etc/resolv.conf"
3) have you updated to the latest CR?
1.) I didn't know there were any alternatives to ntpd until this issue prompted me to look for one (which happened yesterday). (BTW, chrony seems to have had the same issue in my environment: "SELinux is preventing /usr/sbin/chronyd from read access on the file resolv.conf")
2.) The output of "restorecon -Rv /etc/resolv.conf" is NOW empty. Sorry, but I executed "semanage fcontext -a -t net_conf_t /etc/resolv.conf; /sbin/restorecon -v /etc/resolv.conf" earlier today (after I filed this report).
3.) I am not sure what "yum update" does in terms of CRs, but I did a "yum update" yesterday before this issue came up. (How do I update to the latest CR?)
1) chronyd is the default "time client" in 7
3) This is what I meant https://wiki.centos.org/AdditionalResources/Repositories/CR . CR now contains almost all the bits that will be part of 7.6, that is until 7.6 is released (soon).
|2018-12-02 08:00||pdkovacs||New Issue|
|2018-12-02 08:00||pdkovacs||Tag Attached: 7.5|
|2018-12-02 08:00||pdkovacs||Tag Attached: ntp|
|2018-12-02 08:00||pdkovacs||Tag Attached: security|
|2018-12-02 08:05||pdkovacs||Note Added: 0033187|
|2018-12-02 16:38||pgreco||Note Added: 0033189|
|2018-12-02 20:26||pdkovacs||Note Added: 0033192|
|2018-12-03 00:18||pgreco||Note Added: 0033193|
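
The question this thread works through (is the denial a policy problem or a labeling problem?) can be triaged from the audit log itself. The following is an added example, not part of the original report or its notes: a shell function that groups AVC read denials on resolv.conf by domain and flags whether the file carried the `net_conf_t` type the reporter later assigned. The audit records and the `unlabeled_t` type in them are constructed, and the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify SELinux AVC read denials on resolv.conf.
EXPECTED_TYPE=net_conf_t   # type the reporter assigned via semanage fcontext

# Reads audit records on stdin. Prints "<count> <comm> <source_type>
# <target_type> <verdict>" per distinct denial. verdict is "mislabeled" when
# the file does not carry EXPECTED_TYPE, else "policy-gap".
resolv_denials() {
    awk -v want="$EXPECTED_TYPE" '
    # Value of a key=value token on the current record, quotes stripped.
    function field(key,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # A context is user:role:type:level, so the type is the third part.
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /type=AVC/ && /denied/ && /[{][^}]* read / && field("name") == "resolv.conf" {
        t = ctx_type(field("tcontext"))
        v = (t == want) ? "policy-gap" : "mislabeled"
        n[field("comm") " " ctx_type(field("scontext")) " " t " " v]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Constructed sample records (not taken from the reporter's audit log).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1543737600.101:201): avc:  denied  { read } for  pid=611 comm="ntpd" name="resolv.conf" dev="mmcblk0p3" ino=4242 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543737600.101:201): arch=40000028 syscall=5 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd"
type=AVC msg=audit(1543737664.310:207): avc:  denied  { read } for  pid=611 comm="ntpd" name="resolv.conf" dev="mmcblk0p3" ino=4242 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1543737670.002:209): avc:  denied  { read } for  pid=402 comm="rsyslogd" name="resolv.conf" dev="mmcblk0p3" ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1543737701.555:214): avc:  denied  { read } for  pid=730 comm="chronyd" name="resolv.conf" dev="mmcblk0p3" ino=4242 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1543737710.800:215): avc:  denied  { read } for  pid=901 comm="sshd" name="authorized_keys" dev="mmcblk0p3" ino=5151 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
EOF
}

sample_audit_log | resolv_denials
```

When several unrelated domains are all denied on the same file and every row reads "mislabeled", the file's label is the common factor, which is what the `restorecon -Rv /etc/resolv.conf` question in the notes probes.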