RHEL-15085 (project: RHEL)

SELinux prevents the ntpd service (ntpsec) from name_connect to 4460/tcp (NTS)

    • Bug
    • Resolution: Done-Errata
    • Major
    • rhel-9.4
    • rhel-9.3.0
    • selinux-policy
    • selinux-policy-38.1.27-1.el9
    • Medium
    • sst_security_selinux
    • ssg_security
    • 12
    • QE ack
    • False
    • No
    • The ntpd service starts and runs successfully in enforcing mode when it is configured to use NTS servers. No SELinux denials are triggered during the start or run.
    • Pass
    • Automated
    • Release Note Not Required
    • All

      The following BZ is reproducible on RHEL-9.3:

      What were you trying to do that didn't work?

      The ntpd service runs in enforcing mode but the following messages appear in the systemd journal:
      Oct 31 04:52:13 removed ntpd[5161]: DNS: dns_probe: nts.netnod.se:4460, cast_flags:1, flags:21901
      Oct 31 04:52:14 removed ntpd[5161]: NTSc: DNS lookup of nts.netnod.se:4460 took 0.488 sec
      Oct 31 04:52:14 removed ntpd[5161]: NTSc: connecting to nts.netnod.se:4460 => [2001:67c:2550:d::7]:4460
      Oct 31 04:52:14 removed ntpd[5161]: NTSc: connect_TCP_socket: connect failed: Permission denied
      Oct 31 04:52:14 removed ntpd[5161]: DNS: dns_check: processing nts.netnod.se:4460, 1, 21901
      Oct 31 04:52:14 removed ntpd[5161]: DNS: dns_take_status: nts.netnod.se:4460=>error, 12

      Please provide the package NVR for which the bug is seen:

      ntpsec-1.2.2a-1.el9.x86_64
      selinux-policy-38.1.23-1.el9.noarch
      selinux-policy-targeted-38.1.23-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-9.3 machine (targeted policy is active)
      2. install the ntpsec package (from EPEL repository)
      3. modify the ntp configuration to use at least 1 NTS server
      4. start the ntpd service
      5. search for SELinux denials

      Expected results

      No SELinux denials.

      Actual results

      ----
      type=PROCTITLE msg=audit(10/31/2023 04:52:14.458:379) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp 
      type=SOCKADDR msg=audit(10/31/2023 04:52:14.458:379) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::7 lport=4460 } 
      type=SYSCALL msg=audit(10/31/2023 04:52:14.458:379) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7f01d8001bd0 a2=0x1c a3=0x4000 items=0 ppid=1 pid=5161 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null) 
      type=AVC msg=audit(10/31/2023 04:52:14.458:379) : avc:  denied  { name_connect } for  pid=5161 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0 
      ----
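The AVC record above is the whole diagnosis: the ntpd_t domain has no name_connect permission on a tcp_socket labelled ntske_port_t, so the NTS-KE connection to 4460/tcp fails with EACCES before any TLS is attempted. As an added example that is not part of this report, the Python below parses such an audit record and renders the minimal allow rule an audit2allow run would propose, which is how the missing rule in selinux-policy-38.1.23-1.el9 can be confirmed from a journal or audit.log; the sample input is the denial quoted above, embedded inline, and the permanent fix is the updated selinux-policy build listed on this issue rather than a locally loaded module.

```python
import re
from typing import Optional, List
from dataclasses import dataclass

# Constructed input: the AVC record quoted in this report, embedded so the
# example runs without access to audit.log.
AVC_SAMPLE = (
    "type=AVC msg=audit(10/31/2023 04:52:14.458:379) : avc:  denied  { name_connect } "
    "for  pid=5161 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 "
    "tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0"
)

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple          # permissions listed inside { ... }
    source_type: str      # type component of scontext, e.g. ntpd_t
    target_type: str      # type component of tcontext, e.g. ntske_port_t
    tclass: str           # object class, e.g. tcp_socket
    comm: str             # process name
    permissive: bool      # True if the domain was permissive (logged, not blocked)
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; return None unless it is an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type[:range]; the type is the third field.
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
        permissive=fields.get("permissive") == "1",
    )

def te_rule(d: AvcDenial) -> str:
    """Render the minimal allow rule that would satisfy the denial (audit2allow style)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"

def rules_for(lines: List[str], comm: str) -> List[str]:
    """Distinct rules needed for the enforced denials of one process name."""
    rules: List[str] = []
    for line in lines:
        d = parse_avc(line)
        if d and d.comm == comm and not d.permissive and te_rule(d) not in rules:
            rules.append(te_rule(d))
    return rules
```

For the record on this page, rules_for([AVC_SAMPLE], "ntpd") yields exactly one rule, allow ntpd_t ntske_port_t:tcp_socket name_connect;, which is the permission the fixed policy build adds.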

      People: Zdenek Pytela, Milos Malik, Nikola Kňažeková (Inactive)