Issue
The following BZ is reproducible on RHEL-9.3:
https://bugzilla.redhat.com/show_bug.cgi?id=2246805
What were you trying to do that didn't work?
The ntpd service runs in enforcing mode but the following messages appear in the systemd journal:
Oct 31 04:52:13 removed ntpd[5161]: DNS: dns_probe: nts.netnod.se:4460, cast_flags:1, flags:21901
Oct 31 04:52:14 removed ntpd[5161]: NTSc: DNS lookup of nts.netnod.se:4460 took 0.488 sec
Oct 31 04:52:14 removed ntpd[5161]: NTSc: connecting to nts.netnod.se:4460 => [2001:67c:2550:d::7]:4460
Oct 31 04:52:14 removed ntpd[5161]: NTSc: connect_TCP_socket: connect failed: Permission denied
Oct 31 04:52:14 removed ntpd[5161]: DNS: dns_check: processing nts.netnod.se:4460, 1, 21901
Oct 31 04:52:14 removed ntpd[5161]: DNS: dns_take_status: nts.netnod.se:4460=>error, 12
Please provide the package NVR for which the bug is seen:
ntpsec-1.2.2a-1.el9.x86_64
selinux-policy-38.1.23-1.el9.noarch
selinux-policy-targeted-38.1.23-1.el9.noarch
How reproducible:
always
Steps to reproduce
get a RHEL-9.3 machine (targeted policy is active)
install the ntpsec package (from EPEL repository)
modify the ntp configuration to use at least 1 NTS server
start the ntpd service
search for SELinux denials
Expected results
No SELinux denials.
Actual results
----
type=PROCTITLE msg=audit(10/31/2023 04:52:14.458:379) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp
type=SOCKADDR msg=audit(10/31/2023 04:52:14.458:379) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::7 lport=4460 }
type=SYSCALL msg=audit(10/31/2023 04:52:14.458:379) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7f01d8001bd0 a2=0x1c a3=0x4000 items=0 ppid=1 pid=5161 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(10/31/2023 04:52:14.458:379) : avc: denied { name_connect } for pid=5161 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0
----
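The denial above is a plain missing allow rule: the `ntpd_t` domain has no `name_connect` permission on `ntske_port_t`, the label RHEL's policy puts on TCP port 4460 (NTS-KE). Until selinux-policy carries that rule, the usual workaround is a small local module. The script below is an added example, not part of the bug report or of the ntpsec/selinux-policy projects: it parses the AVC record quoted above (embedded as a constructed sample string), derives the exact `allow` rule it needs, and shows how that rule is compiled and loaded. The module name `ntpd_ntske_local` and the temporary file paths are my choices; `find_ntpd_denials` and `install_te` only work on a live system with auditd, checkpolicy and policycoreutils installed.

```shell
#!/bin/sh
# Added example, not part of the bug report: derive a local SELinux policy
# module from the AVC quoted above so ntpd_t may name_connect to
# ntske_port_t (TCP 4460, the NTS-KE port) until selinux-policy ships the
# rule. Module name "ntpd_ntske_local" and the file paths are my choices.

# Constructed sample input: the AVC record from the report, as printed by
# `ausearch -i`. Offline, the functions below operate on this string.
SAMPLE_AVC='type=AVC msg=audit(10/31/2023 04:52:14.458:379) : avc: denied { name_connect } for pid=5161 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0'

# Live systems only: pull current ntpd denials from the audit log.
find_ntpd_denials() {
    ausearch -m AVC -c ntpd -i 2>/dev/null | grep 'avc: *denied'
}

# Turn one AVC line into "<source_type> <target_type> <class> <permission>".
# Handles a single permission inside the braces, which is all this denial has.
avc_to_tuple() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Emit type-enforcement (.te) source granting exactly that one tuple,
# nothing broader.
tuple_to_te() {
    set -- $1
    cat <<EOF
module ntpd_ntske_local 1.0;

require {
    type $1;
    type $2;
    class $3 $4;
}

# Allow ntpd to open the NTS-KE TCP session that the report shows failing.
allow $1 $2:$3 $4;
EOF
}

# Live systems only: compile and load the module (run as root). Verify with
# `semodule -l | grep ntpd_ntske_local`, then restart ntpd and re-run
# find_ntpd_denials; it should print nothing for port 4460.
install_te() {
    dir=$(mktemp -d) || return 1
    tuple_to_te "$(avc_to_tuple "$1")" > "$dir/ntpd_ntske_local.te" &&
    checkmodule -M -m -o "$dir/ntpd_ntske_local.mod" "$dir/ntpd_ntske_local.te" &&
    semodule_package -o "$dir/ntpd_ntske_local.pp" -m "$dir/ntpd_ntske_local.mod" &&
    semodule -i "$dir/ntpd_ntske_local.pp"
}

# Offline demonstration: print the module that would be built from the sample.
tuple_to_te "$(avc_to_tuple "$SAMPLE_AVC")"
```

Two checks are worth doing before loading anything: `semanage port -l | grep ntske` confirms that 4460/tcp really is labelled `ntske_port_t` on the box (if it is not, the fix is a port label, not a domain rule), and `ausearch -m AVC -c ntpd -i` after restarting ntpd confirms that the single `allow` above is sufficient, since an NTS-KE handshake also needs the TLS connection to succeed and there may be a second denial hiding behind the first. `audit2allow -M ntpd_ntske_local` over the same record would generate the equivalent rule; the hand-written version just makes it explicit that only one permission on one port type is being granted.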