Hi,
I have installed both a 32-bit and a 64-bit instance of RedHat Enterprise Linux version 4 update 3 ( on two different machines, so there should be no interference between them ), and have been getting messages on the consoles of both at about one per hour as follows:
audit(1150376049.972:12) : avc : denied { write } for pid=2701 comm="ntpd" name="ntp" dev=hda2 ino=3222935 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=dir
( all on one line rather than wrapped as here )
Here is what I have been able to determine so far:
pid points to ntpd running as ntp
/dev/hda2 and inode 3222935 point to the /etc/ntp directory.
/etc is owned by root:root /etc/ntp is owned by ntp:root
Write permissions are set for both owner and group on both /etc and /etc/ntp. I have tried a number of settings to see if opening it further would make this message go away. It did not.
I assume it is trying to write a drift file, which is not appearing. I explicitly created a drift file as follows /etc/ntp/drift to match the entry in /etc/ntp.conf and opened it for write both by owner and group. Still no joy.
I am about out of ideas. What is the message really trying to tell me and how can I make it stop? By the way, ntp seems to be running fine, as it responds to ntptrace and ntpq and appears to be synchronized to the servers here on the site, just as intended. Or am I barking up the wrong tree altogether and the problem is with auditing? Even if so, I still need to make it stop.
Thanks for any help you can give!!!
Wilville
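Added example, not part of the original post: a small Python parser that decodes the AVC record quoted above into its SELinux fields (requesting domain, target label, object class, permission). The sample line is the post's message joined onto one line, with the target context read as system_u:object_r:etc_t; the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the denial quoted in the post, joined onto one line.
SAMPLE = ('audit(1150376049.972:12) : avc : denied { write } for pid=2701 '
          'comm="ntpd" name="ntp" dev=hda2 ino=3222935 '
          'scontext=user_u:system_r:ntpd_t '
          'tcontext=system_u:object_r:etc_t tclass=dir')

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\)\s*:\s*avc\s*:\s*'
    r'(?P<result>denied|granted)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)')

def parse_context(ctx):
    """Split user:role:type[:level]; return None if the label is truncated."""
    parts = ctx.split(':', 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return the decoded fields of one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; quoted values keep embedded spaces
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))}
    when = datetime.fromtimestamp(int(m.group('epoch')), tz=timezone.utc)
    return {'time': when.isoformat(), 'serial': int(m.group('serial')),
            'result': m.group('result'), 'perms': m.group('perms').split(),
            'source': parse_context(fields.get('scontext', '')),
            'target': parse_context(fields.get('tcontext', '')),
            'tclass': fields.get('tclass'), 'fields': fields}

def summarize(rec):
    """One-line reading of the record: which domain asked for what on which label."""
    src = rec['source']['type'] if rec['source'] else '?'
    tgt = rec['target']['type'] if rec['target'] else '?'
    return (f"{rec['result']}: domain {src} ({rec['fields'].get('comm', '?')}) "
            f"requested {','.join(rec['perms'])} on {rec['tclass']} "
            f"'{rec['fields'].get('name', '?')}' labelled {tgt}")

if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```

The record names only SELinux labels (ntpd_t, etc_t) and an object class; Unix owner, group and mode bits do not appear in it.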