Source: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal

The init script for ntpd in Debian is named /etc/init.d/ntp.  The fcontext
module for ntpd (modules/contrib/ntp.fc) expects it to be named
/etc/(rc.d/)init.d/ntpd instead (that is, with a trailing 'd').  As a result
ntpd runs under the wrong label and generates lots of spurious AVC messages.

I think the cure is as simple as adding

/etc/rc\.d/init\.d/ntp --      gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)

right after the existing 

/etc/rc\.d/init\.d/ntpd --      gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)

in ntp.fc.  (Or you could change "ntpd" to "ntpd?" on the existing line,
making that regex match both possible names, but that might not be
understood as easily.)

zw

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
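
Added illustration, not part of the original report or of the policy sources: a small Python model of how the ntp.fc entries quoted above match the two init script names, for the existing line and for both proposed fixes. The helper names (`parse_fc`, `label_for`), the `/etc/init.d` to `/etc/rc.d/init.d` substitution, and the first-match lookup are assumptions made for the example; real labeling is done by libselinux.

```python
import re

# Entries as quoted in the report: the existing line, then the two proposed fixes.
EXISTING = r"/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)"
ADDED = r"/etc/rc\.d/init\.d/ntp -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)"
OPTIONAL_D = r"/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)"

# Assumption: /etc/init.d is treated as /etc/rc.d/init.d before matching,
# which is how this example reads the "(rc.d/)" notation in the report.
SUBS = [("/etc/init.d", "/etc/rc.d/init.d")]


def parse_fc(line):
    """Split one .fc entry into (path regex, file-type flag, context string)."""
    pattern, ftype, spec = line.split(None, 2)
    m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", spec.strip())
    if m is None:
        raise ValueError("unsupported context spec: " + spec)
    # gen_context(ctx,level) is rendered here as ctx:level (MLS/MCS policy).
    return pattern, ftype, m.group(1) + ":" + m.group(2)


def label_for(path, fc_lines):
    """Return the context of the first entry matching path, or None."""
    for old, new in SUBS:
        if path == old or path.startswith(old + "/"):
            path = new + path[len(old):]
    for line in fc_lines:
        pattern, _ftype, context = parse_fc(line)
        # File-context regexes must match the whole path, so "ntpd"
        # never matches a file named "ntp".
        if re.fullmatch(pattern, path):
            return context
    return None  # no entry in this list applies to the path


if __name__ == "__main__":
    cases = [("existing", [EXISTING]),
             ("extra line", [EXISTING, ADDED]),
             ("ntpd? regex", [OPTIONAL_D])]
    for name, entries in cases:
        for script in ("/etc/init.d/ntp", "/etc/init.d/ntpd"):
            print(name, script, label_for(script, entries))
```

On a live system, `matchpathcon /etc/init.d/ntp` reports the context the loaded policy assigns to the path, and `restorecon -v /etc/init.d/ntp` applies it.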