
Allow ntp to bind and connect to ntske port. #1918

Merged 1 commit on Nov 1, 2023

Conversation

jhamlin96 (Contributor) commented Oct 30, 2023

@packit-as-a-service

Cockpit tests failed for commit 6f45af1. @martinpitt, @jelly, @mvollmer please check.

martinpitt (Contributor)

cockpit-project/cockpit#19547 landed, so please either retry the rawhide:revdeps test or force-push this PR, or ignore the failure. Sorry for the noise!

zpytela (Contributor) commented Oct 31, 2023

@jhamlin96 Please add a note to the commit message, e.g. when this denial appears.

jhamlin96 (Contributor, Author) commented Oct 31, 2023

@zpytela Updated, thanks

@packit-as-a-service

Cockpit tests failed for commit ccd6617. @martinpitt, @jelly, @mvollmer please check.

zpytela (Contributor) commented Oct 31, 2023

@jhamlin96 Thank you. Can you add one more thing: how to trigger it? Some configuration change is needed.

jhamlin96 (Contributor, Author)

@zpytela testing PR exists and is awaiting review here: https://src.fedoraproject.org/tests/selinux/pull-request/445

Do you want the test steps listed in the commit message or PR description?

zpytela (Contributor) commented Nov 1, 2023

@jhamlin96 To the commit message please. The point is having the justification together with the changes so that it is more clear why the changes were made.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/30/2023 04:46:52.693:699) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp
type=SOCKADDR msg=audit(10/30/2023 04:46:52.693:699) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::7 lport=4460 }
type=SYSCALL msg=audit(10/30/2023 04:46:52.693:699) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fdc94003570 a2=0x1c a3=0x4000 items=0 ppid=1 pid=4646 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc:  denied  { name_connect } for  pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0

The NTP daemon can be configured as an NTS-enabled client or server.
For a client, appending "server add.rr.eee.ss nts [other options]" to ntp.conf for connecting to an NTS-enabled server will trigger the above AVC denial.
For a server, append the "nts enable", "nts key /path/to/key.pem" and "nts cert /path/to/cert.pem" lines to ntp.conf to enable NTS server functionality, which triggers a similar AVC denial when attempting to bind to TCP port 4460.

Resolves: #2246805, RHEL-15085
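As an added example (not part of this PR or of selinux-policy), the following parser turns an AVC record of the kind quoted in the commit message into its source type, target type, permission set and the raw type-enforcement rule that would silence it, and tells whether the denial was actually enforced (`permissive=0`) or only logged. The sample input is the `type=AVC` line from the commit message above; field names follow the `ausearch -i` output format shown there.

```python
"""Parse SELinux AVC records and derive the allow rule they correspond to.

Added example, not code from the PR or from selinux-policy. The sample
record below is the AVC line quoted in the commit message.
"""
import re
from dataclasses import dataclass

# AVC record from the commit message (ausearch -i style output).
SAMPLE_AVC = (
    "type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc:  denied  { name_connect } "
    "for  pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 "
    "tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0"
)

# "avc:  denied  { perm1 perm2 }" -> decision and the brace-enclosed permission list
_DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")
# key=value pairs that follow the permission list (comm, dest, scontext, tcontext, ...)
_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    decision: str          # "denied" or "granted"
    perms: tuple           # e.g. ("name_connect",)
    fields: dict           # remaining key=value pairs from the record

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]   # user:role:type:level -> type

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self) -> bool:
        """True when the access was really blocked, not just logged in permissive mode."""
        return self.fields.get("permissive") == "0"

    def allow_rule(self) -> str:
        """Raw TE rule for this record, in the form audit2allow would print it."""
        perms = " ".join(sorted(self.perms))
        if len(self.perms) > 1:
            perms = "{ " + perms + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"


def parse_avc(line: str) -> AvcRecord:
    m = _DECISION.search(line)
    if not m:
        raise ValueError("not an AVC record: " + line[:60])
    fields = dict(_FIELD.findall(line[m.end():]))   # skip msg=audit(...) before the braces
    return AvcRecord(m.group(1), tuple(m.group(2).split()), fields)
```

In a Fedora policy source tree the resulting rule is normally expressed through the generated corenetwork port interfaces rather than as a raw allow line; the raw rule is still the quickest way to confirm which types and permission the denial is about.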
jhamlin96 (Contributor, Author)

@zpytela Updated

zpytela (Contributor) commented Nov 1, 2023

Perfect, thank you.

@zpytela zpytela merged commit f13d96b into fedora-selinux:rawhide Nov 1, 2023
7 checks passed