On Sun, 7 Oct 2007 17:40:19 GMT
[EMAIL PROTECTED] (Nigel Henry) wrote:

> On Sunday 07 October 2007 18:28, Michael B Allen wrote:
> > On Sun, 7 Oct 2007 11:57:39 -0400
> >
> > Michael B Allen <[EMAIL PROTECTED]> wrote:
> > > On Sun, 7 Oct 2007 14:24:39 +0200
> > >
> > > "Maarten Wiltink" <[EMAIL PROTECTED]> wrote:
> > > > You, on the other hand, have Problems. With the cut down config file,
> > > > at least NTP is now starting, but you're not getting any traffic even
> > > > without the restrictions. Review your firewall again, this time under
> > > > the assumption that you do have one.
> > >
> > > No firewalls. From the capture I can clearly see only a request and
> > > reply. There's no attempt to communicate with the time server at all.
> >
> > It was SELinux. Somehow the distro I'm using managed to ship an ntpd
> > that was not compatible with their selinux config.
> >
> > Thanks,
> > Mike
>
> I read some years ago, that you can have so much security on your machine,
> that you can't do anything with it anymore.
>
> For the first time, when I installed Fedora 7, I left selinux enabled in
> enforcing mode. Ntpd is running, but only getting its time from my other
> machine on the LAN, which is getting its time from Internet time servers,
> and ntp is working ok on Fedora 7. I did have a problem in not being able to
> ftp into the Fedora 7 machine from the other machine, but running
> setroubleshoot told how to resolve that problem.
>
> I don't have SElinux enabled on any of the other distros I run on my 2
> machines. I'm only a home user, so perhaps not as paranoid about security as
> someone using their machines in the corporate/business environment.

Yeah, for IntrAnet stuff SELinux is probably overkill.

Usually SELinux problems are easily spotted because they generate audit messages in syslog. But in this particular case the broken SELinux config was also breaking syslog so all my important log files were empty leaving me completely in the dark. I ended up diverting ntpd messages to a separate file, and found an error that I traced to SELinux.

Ultimately the problem was that the distro's default SELinux config was completely busted. It's CentOS 5.0 so I guess it pays to wait for a .1 or .2 or higher. The problem with Linux is that distros EOL so fast you get two years and then you have to start recompiling source packages and then finally throw in the towel and reinstall with a new OS. So I went with .0 to try and reduce that burden (and despite this problem I'm thinking it's probably still going to be worth it).

Mike

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
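
Added example, not part of the thread: a small parser that summarizes SELinux AVC denials per daemon, the kind of check that shows a policy blocking both ntpd and syslogd even when the syslog files are empty. It assumes the records are available as text (for instance from an audit log file written independently of syslog); the sample records, contexts and inode numbers are constructed for illustration and are not the actual CentOS 5.0 denials.

```python
import re
from collections import Counter

# Constructed sample in the kernel's AVC record format; not taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1191778819.101:41): avc:  denied  { name_bind } for  pid=2101 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1191778819.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd"
type=AVC msg=audit(1191778819.230:42): avc:  denied  { read write } for  pid=2101 comm="ntpd" name="drift" dev=dm-0 ino=98213 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1191778820.004:43): avc:  denied  { append } for  pid=1877 comm="syslogd" name="messages" dev=dm-0 ino=65411 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1191778883.512:57): avc:  denied  { name_bind } for  pid=2140 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
"""

# Captures the denied permissions, the process name and the SELinux contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()  # "read write" -> ["read", "write"]
            denials.append(d)
    return denials

def summarize_denials(text, comms=("ntpd", "syslogd")):
    """Count denials per (process, object class, permission) for the given daemons."""
    counts = Counter()
    for d in parse_denials(text):
        if d["comm"] in comms:
            for perm in d["perms"]:
                counts[(d["comm"], d["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (comm, tclass, perm), n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}  {comm:8s} denied {perm} on {tclass}")
```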
