[ntp:questions] [solved] ntpd just not working

Michael B Allen ioplex at gmail.com
Sun Oct 7 20:24:51 UTC 2007


On Sun, 7 Oct 2007 17:40:19 GMT
cave.dnb at tiscali.fr (Nigel Henry) wrote:

> On Sunday 07 October 2007 18:28, Michael B Allen wrote:
> > On Sun, 7 Oct 2007 11:57:39 -0400
> >
> > Michael B Allen <ioplex at gmail.com> wrote:
> > > On Sun, 7 Oct 2007 14:24:39 +0200
> > >
> > > "Maarten Wiltink" <maarten at kittensandcats.net> wrote:
> > > > You, on the other hand, have Problems. With the cut down config file,
> > > > at least NTP is now starting, but you're not getting any traffic even
> > > > without the restrictions. Review your firewall again, this time under
> > > > the assumption that you do have one.
> > >
> > > No firewalls. From the capture I can clearly see only a request and
> > > reply. There's no attempt to communicate with the time server at all.
> >
> > It was SELinux. Somehow the distro I'm using managed to ship an ntpd
> > that was not compatible with their selinux config.
> >
> > Thanks,
> > Mike
> 
> I read some years ago, that you can have so much security on your machine, 
> that you can't do anything with it anymore.
> 
> For the first time, when I installed Fedora 7, I left selinux enabled in 
> enforcing mode. Ntpd is running, but only getting its time from my other 
> machine on the LAN, which is getting its time from Internet time servers, 
> and ntp is working ok on Fedora 7. I did have a problem in not being able to 
> ftp into the Fedora 7 machine from the other machine, but running 
> setroubleshoot told how to resolve that problem.
> 
> I don't have SElinux enabled on any of the other distros I run on my 2 
> machines. I'm only a home user, so perhaps not as paranoid about security as 
> someone using their machines in the corporate/business environment.

Yeah, for IntrAnet stuff SELinux is probably overkill.

Usually SELinux problems are easily spotted because they generate audit
messages in syslog. But in this particular case the broken SELinux
config was also breaking syslog so all my important log files were empty
leaving me completely in the dark. I ended up diverting ntpd messages
to a separate file, and found an error that I traced to SELinux.

Ultimately the problem was that the distro's default SELinux config was
completely busted. It's CentOS 5.0 so I guess it pays to wait for a .1
or .2 or higher. The problem with Linux is that distros EOL so fast you
get two years and then you have to start recompiling source packages
and then finally throw in the towel and reinstall with a new OS. So I
went with .0 to try and reduce that burden (and despite this problem
I'm thinking it's probably still going to be worth it).

Mike
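
The audit-message triage described in the message above, sketched as an added example that is not part of the original thread: it extracts SELinux AVC denials from log text and groups them by process and type, accepting both the auditd record form and the kernel `type=1400` form that appears in dmesg or syslog when auditd is not running. The function names, the sample records and the SELinux types in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1191788691.412:31): avc:  denied  { name_bind } for  pid=2104 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1191788691.412:31): arch=40000003 syscall=102 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd"
type=1400 audit(1191788692.007:32): avc:  denied  { read write } for  pid=2104 comm="ntpd" name="drift" dev=dm-0 ino=98311 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1191788700.550:33): avc:  denied  { append } for  pid=1877 comm="syslogd" name="messages" dev=dm-0 ino=65540 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Match only denials; the record prefix differs between auditd and the kernel log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denials(text):
    """Return one dict per AVC denial found in text; other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        denials.append({
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "?"),
            "source": type_of(fields.get("scontext", "?")),
            "target": type_of(fields.get("tcontext", "?")),
            "tclass": fields.get("tclass", "?"),
        })
    return denials


def summarize(denials):
    """Group denied permissions by (comm, source type, target type, class)."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["comm"], d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for key, perms in summarize(parse_denials(SAMPLE_LOG)).items():
        print(key, perms)
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log or the output of dmesg.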



