 
Old 12-31-2007, 03:48 PM
Peter Humphrey
 
Default How to set up for chrony?

On Monday 31 December 2007 16:39:30 brant williams wrote:

> If grsec is denying the write, it should show up in your syslog.

That's where I found the error message.

> Are you running grsec's RBAC system?

Yes; what would you like to know about it?

> Can you paste the error you're referring to?

Ah. No, not at the moment. I uninstalled it, so I'll have to reinstall it to
try it again.

--
Rgds
Peter
--
gentoo-hardened@gentoo.org mailing list
 
Old 12-31-2007, 04:23 PM
brant williams
 
Default How to set up for chrony?



Okay, if grsec's RBAC system denies the write (or whatever operation), the
syslog entry will show which role the process is currently using.
Whichever role it is (probably root), it'll need the right permissions in
/etc/grsec/policy.


The error message is the key...


brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



--
gentoo-hardened@gentoo.org mailing list
 
Old 12-31-2007, 04:44 PM
Peter Humphrey
 
Default How to set up for chrony?

On Monday 31 December 2007 16:39:30 brant williams wrote:

> Can you paste the error you're referring to?

Here goes (sorry if line wrapping spoils it), with my four comments:

Dec 31 17:32:55 gate chronyd[23772]: chronyd exiting on signal # I'd restarted it; no mention of file operations, note
Dec 31 17:32:55 gate chronyd[23855]: chronyd version 1.21 starting
Dec 31 17:32:55 gate chronyd[23855]: Could not open RTC file /etc/chrony/chrony.rtc for reading # because it wasn't there
Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0 # I was ssh'd in from that IP address (this box is headless)
Dec 31 17:32:56 gate chronyd[23855]: Initial txc.tick=10000 txc.freq=0 (0.00000000) txc.offset=0 => hz=100 shift_hz=7
Dec 31 17:32:56 gate chronyd[23855]: set_config_hz=0 hz=100 shift_hz=7 basic_freq_scale=1.28000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000
Dec 31 17:32:56 gate chronyd[23855]: Linux kernel major=2 minor=6 patch=23
Dec 31 17:32:56 gate chronyd[23855]: calculated_freq_scale=0.99902439 freq_scale=0.99902439
Dec 31 17:33:03 gate chronyd[23855]: No valid file coefficients, cannot trim system time # I don't understand what that means

So it looks as though chrony can set the system clock, but not write /etc/chrony/chrony.rtc - but it has written /etc/chrony/chrony.drift!

$ ls -ld /etc/chrony
drwxr-xr-x 2 root root 4096 2007-12-31 17:38 /etc/chrony
$ ls -l /etc/chrony
total 24
-rw-r--r-- 1 root root 12395 2007-12-31 17:29 chrony.conf
-rw-r--r-- 1 root root 42 2007-12-31 17:39 chrony.drift
-rw-r--r-- 1 root root 1172 2007-12-31 17:31 chrony.keys

I tried touching /etc/chrony/chrony.conf, but it remained empty.

$ uname -a
Linux gate 2.6.23-hardened-r4-gr #4 Sun Dec 30 16:58:09 GMT 2007 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz GenuineIntel GNU/Linux

I'm beginning to wonder whether chrony is capable of running on this box.

--
Rgds
Peter
--
gentoo-hardened@gentoo.org mailing list
 
Old 12-31-2007, 05:06 PM
brant williams
 
Default How to set up for chrony?



Well, it's not an RBAC/role problem, otherwise you'd see more 'grsec:'
lines in syslog. Based on this info, chrony is setting the time
correctly. You might want to look at mailing lists for this daemon and/or
google for the errors you get.



brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



--
gentoo-hardened@gentoo.org mailing list
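
The reasoning in the reply above (an RBAC problem would leave 'grsec:' denial lines in syslog, while the only grsec line posted is a 'time set by' audit record) can be checked mechanically. This is an added example, not part of the original thread; the denial line is constructed, and its "(role:type:subject) denied open of ... for ... by ..." layout is an assumption, since no denial appears in the thread.

```python
import re

# A grsec syslog record: optional "From <ip>: " (origin of the login session),
# optional "(role:type:subject) " RBAC context, then the message itself.
GRSEC = re.compile(
    r"grsec: (?:From (?P<src>[\d.]+): )?"
    r"(?:\((?P<role>[^:)]+):(?P<rtype>[^:)]+):(?P<subject>[^)]+)\) )?"
    r"(?P<msg>.*)"
)
# Assumed denial wording: "denied <op> of <object> for <mode> by <exe>[comm:pid]"
DENIAL = re.compile(
    r"denied (?P<op>\w+) of (?P<obj>\S+) for (?P<mode>[\w ]+?) by (?P<exe>[^\[\s]+)\["
)

# Lines taken from the thread (poster's inline "#" comments removed).
THREAD_LINES = [
    "Dec 31 17:32:55 gate chronyd[23855]: Could not open RTC file /etc/chrony/chrony.rtc for reading",
    "Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by /usr/sbin/chronyd[chronyd:23855] "
    "uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0",
    "Dec 31 17:33:03 gate chronyd[23855]: No valid file coefficients, cannot trim system time",
]
# CONSTRUCTED: what an RBAC denial of the RTC file write might look like.
CONSTRUCTED_DENIAL = (
    "Dec 31 17:33:04 gate grsec: From 192.168.129.25: (root:U:/usr/sbin/chronyd) denied open of "
    "/etc/chrony/chrony.rtc for writing by /usr/sbin/chronyd[chronyd:23855] "
    "uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0"
)

def triage(lines):
    """Return (denials, audits): RBAC denials needing policy work vs. plain audit events."""
    denials, audits = [], []
    for line in lines:
        m = GRSEC.search(line)
        if not m:
            continue  # the daemon's own message, not from grsec
        d = DENIAL.match(m["msg"])
        if d:
            denials.append((m["role"], m["subject"], d["obj"], d["mode"], d["exe"]))
        else:
            audits.append(m["msg"].split(" by ")[0])
    return denials, audits

if __name__ == "__main__":
    print(triage(THREAD_LINES))                         # no denials in the thread's log
    print(triage(THREAD_LINES + [CONSTRUCTED_DENIAL]))  # one denial to add to the policy
```

An empty denial list for the posted excerpt matches the conclusion that the missing chrony.rtc is not an RBAC policy problem.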
 
Old 12-31-2007, 05:54 PM
 
Default How to set up for chrony?

Brant Williams asked for the Grsecurity _RBAC_ denial messages.

Do you have Grsecurity RBAC enabled? Hardened Gentoo has several flavors:
you can use either SELinux, RSBAC or Grsecurity (or Apparmor) for access
control purposes.

What access control mechanism do you use? Do you use Grsecurity?
If you do: you should have some denial error messages in your system log.
One exception to this is if you use the "h" option in your policy to suppress
denial messages. You should remove it from the responsible location.
Have you (ever) fine tuned your Grsec policy? If not: please see Grsec
documentation and search for learning mode.

If you have your grsec denials: you should incorporate the necessary
rights in your policy for chronyd.

Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, December 31, 2007 18:44, Peter Humphrey wrote:
> On Monday 31 December 2007 16:39:30 brant williams wrote:
>
>> Can you paste the error you're referring to?
>
> Here goes (sorry if line wrapping spoils it), with my four comments:
>
> Dec 31 17:32:55 gate chronyd[23772]: chronyd exiting on signal # I'd
> restarted it; no mention of file operations, note
> Dec 31 17:32:55 gate chronyd[23855]: chronyd version 1.21 starting
> Dec 31 17:32:55 gate chronyd[23855]: Could not open RTC file
> /etc/chrony/chrony.rtc for reading # because it wasn't there
> Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by
> /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent
> /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0 # I was ssh'd
> in from that IP address (this box is headless)
> Dec 31 17:32:56 gate chronyd[23855]: Initial txc.tick=10000 txc.freq=0
> (0.00000000) txc.offset=0 => hz=100 shift_hz=7
> Dec 31 17:32:56 gate chronyd[23855]: set_config_hz=0 hz=100 shift_hz=7
> basic_freq_scale=1.28000000 nominal_tick=10000 slew_delta_tick=833
> max_tick_bias=1000
> Dec 31 17:32:56 gate chronyd[23855]: Linux kernel major=2 minor=6 patch=23
> Dec 31 17:32:56 gate chronyd[23855]: calculated_freq_scale=0.99902439
> freq_scale=0.99902439
> Dec 31 17:33:03 gate chronyd[23855]: No valid file coefficients, cannot
> trim system time # I don't understand what that means
>
> So it looks as though chrony can set the system clock, but not write
> /etc/chrony/chrony.rtc - but it has written /etc/chrony/chrony.drift!
>
> $ ls -ld /etc/chrony
> drwxr-xr-x 2 root root 4096 2007-12-31 17:38 /etc/chrony
> $ ls -l /etc/chrony
> total 24
> -rw-r--r-- 1 root root 12395 2007-12-31 17:29 chrony.conf
> -rw-r--r-- 1 root root 42 2007-12-31 17:39 chrony.drift
> -rw-r--r-- 1 root root 1172 2007-12-31 17:31 chrony.keys
>
> I tried touching /etc/chrony/chrony.conf, but it remained empty.
>
> $ uname -a
> Linux gate 2.6.23-hardened-r4-gr #4 Sun Dec 30 16:58:09 GMT 2007 i686
> Intel(R) Pentium(R) 4 CPU 2.00GHz GenuineIntel GNU/Linux
>
> I'm beginning to wonder whether chrony is capable of running on this box.
>
> --
> Rgds
> Peter
> --
> gentoo-hardened@gentoo.org mailing list
>


--
gentoo-hardened@gentoo.org mailing list
 
Old 01-01-2008, 09:21 AM
Peter Humphrey
 
Default How to set up for chrony?

On Monday 31 December 2007 18:54:49 atoth@atoth.sote.hu wrote:

> Brant Williams asked for the Grsecurity _RBAC_ denial messages.

What I quoted was all I get, so there aren't any.

> Do you have Grsecurity RBAC enabled? Hardened Gentoo has several flavors:
> you can use either SELinux, RSBAC or Grsecurity (or Apparmor) for access
> control purposes.

All I've done so far is to compile the kernel with the options set for grsec
with rbac. I haven't got round to setting it all up properly yet.

> Have you (ever) fine tuned your Grsec policy? If not: please see Grsec
> documentation and search for learning mode.

Yes, I think it's about time I got round to that. Thanks to you and Brant.

--
Rgds
Peter
--
gentoo-hardened@gentoo.org mailing list
 
