gentoo-hardened December 2007 archive
gentoo-hardened: Re: [gentoo-hardened] How to set up for chrony?

From: <atoth_at_nospam>
Date: Mon Dec 31 2007 - 18:54:49 GMT
To: gentoo-hardened@lists.gentoo.org


Brant Williams asked for the Grsecurity _RBAC_ denial messages.

Do you have Grsecurity RBAC enabled? Hardened Gentoo has several flavors: you can use either SELinux, RSBAC or Grsecurity (or AppArmor) for access control purposes.

What access control mechanism do you use? Do you use Grsecurity? If you do, you should have some denial error messages in your system log. One exception to this is if you use the "h" option in your policy to suppress denial messages. You should remove it from the responsible location. Have you (ever) fine-tuned your Grsec policy? If not, please see the Grsec documentation and search for learning mode.

If you have your grsec denials, you should incorporate the necessary rights in your policy for chronyd.

Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, December 31, 2007 18:44, Peter Humphrey wrote:
> On Monday 31 December 2007 16:39:30 brant williams wrote:
>
>> Can you paste the error you're referring to?
>
> Here goes (sorry if line wrapping spoils it), with my four comments:
>
> Dec 31 17:32:55 gate chronyd[23772]: chronyd exiting on signal # I'd restarted it; no mention of file operations, note
> Dec 31 17:32:55 gate chronyd[23855]: chronyd version 1.21 starting
> Dec 31 17:32:55 gate chronyd[23855]: Could not open RTC file /etc/chrony/chrony.rtc for reading # because it wasn't there
> Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0 # I was ssh'd in from that IP address (this box is headless)
> Dec 31 17:32:56 gate chronyd[23855]: Initial txc.tick=10000 txc.freq=0 (0.00000000) txc.offset=0 => hz=100 shift_hz=7
> Dec 31 17:32:56 gate chronyd[23855]: set_config_hz=0 hz=100 shift_hz=7 basic_freq_scale=1.28000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000
> Dec 31 17:32:56 gate chronyd[23855]: Linux kernel major=2 minor=6 patch=23
> Dec 31 17:32:56 gate chronyd[23855]: calculated_freq_scale=0.99902439 freq_scale=0.99902439
> Dec 31 17:33:03 gate chronyd[23855]: No valid file coefficients, cannot trim system time # I don't understand what that means
>
> So it looks as though chrony can set the system clock, but not write
> /etc/chrony/chrony.rtc - but it has written /etc/chrony/chrony.drift!
>
> $ ls -ld /etc/chrony
> drwxr-xr-x 2 root root 4096 2007-12-31 17:38 /etc/chrony
> $ ls -l /etc/chrony
> total 24
> -rw-r--r-- 1 root root 12395 2007-12-31 17:29 chrony.conf
> -rw-r--r-- 1 root root 42 2007-12-31 17:39 chrony.drift
> -rw-r--r-- 1 root root 1172 2007-12-31 17:31 chrony.keys
>
> I tried touching /etc/chrony/chrony.conf, but it remained empty.
>
> $ uname -a
> Linux gate 2.6.23-hardened-r4-gr #4 Sun Dec 30 16:58:09 GMT 2007 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz GenuineIntel GNU/Linux
>
> I'm beginning to wonder whether chrony is capable of running on this box.
>
> --
> Rgds
> Peter
> --
> gentoo-hardened@gentoo.org mailing list