Hi,

As I already stated, I have no experience with setting up this feature. I can describe the solution in general:
- assign a type for the directory and socket file
- a file transition may be needed if the directory is not packaged or the socket is not permanent
- allow both services (one is the ntp providing service, I am not sure which is the other one) appropriate access to the directory and socket file
- allow both services interprocess communication

This needs to be resolved in cooperation with samba developers and the wiki page needs updating. In Fedora, the legacy ntp service is not supported any longer, there are chronyd and systemd-timesync. Chrony directly mentions support for ntp_signd.

On Mon, May 17, 2021 at 10:38 AM Jason Long <hack3rcon@yahoo.com> wrote:
Hi,
Thank you.
Then, how can I configure SELinux for NTP?
On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <zpytela@redhat.com> wrote:
On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon@yahoo.com> wrote:
> Hello,
> According to "https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy", I want to set up SELinux, but I got the error below:
>
> # chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
> chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied
>
> # ps -eZ | grep ntpd_t
> system_u:system_r:ntpd_t:s0        2184 ?        00:00:00 ntpd
>
> # sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     actual (secure)
> Max kernel policy version:      33
>
>
> Why?
Hi Jason,

I am afraid the wiki page is incorrect regarding the ntpd_t type, and the SELinux policy lower on the page is not something which I would recommend using.

The ntpd_t type is a domain type which cannot be assigned to a file. I am not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for time synchronisation. The chrony.conf man page suggests using
              ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service running in the initrc_t domain, it should be confined by SELinux, but that is a long term solution.

>
> Thanks.
>
> _______________________________________________
> selinux mailing list -- selinux@lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>


--

Zdenek Pytela
Security SELinux team
--

Zdenek Pytela
Security SELinux team
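The four general steps listed at the top of this reply (a type for the directory and socket, a file transition, access for both services, and the IPC rule) map one-to-one onto a small policy module. The module below is an added illustration for readers of this thread; it is not from the Samba wiki page, from Fedora's selinux-policy, or from any poster. It assumes Samba runs in the smbd_t domain and the time service in chronyd_t (both to be confirmed with `ps -eZ`, since the thread itself notes the Samba side may be running as initrc_t), the type name ntp_signd_var_t is invented here, and the socket path is the one the chrony.conf man page suggests.

```selinux
# ntp_signd.te -- illustrative module, not from the wiki page or Fedora policy.
# Assumptions: Samba runs as smbd_t and the time service as chronyd_t
# (check both with `ps -eZ`); the type name ntp_signd_var_t is made up here.
policy_module(ntp_signd, 1.0.0)

require {
    type smbd_t;        # assumed Samba domain that creates the socket
    type chronyd_t;     # Fedora chrony domain that connects to it
    type samba_var_t;   # type of /var/lib/samba in the distribution policy
}

# Step 1: a file type for the signd directory and its socket. Unlike ntpd_t,
# which is a domain (process) type, a file type can be put on a path with
# chcon or restorecon, which is why the chcon in this thread was refused.
type ntp_signd_var_t;
files_type(ntp_signd_var_t)

# Step 2: if the directory is not shipped by a package, give it the new type
# automatically when Samba creates it under /var/lib/samba (named transition).
filetrans_pattern(smbd_t, samba_var_t, ntp_signd_var_t, dir, "ntp_signd")

# Step 3: Samba owns the directory and creates/removes the socket file;
# the time service only needs to find the socket and open it.
manage_dirs_pattern(smbd_t, ntp_signd_var_t, ntp_signd_var_t)
manage_sock_files_pattern(smbd_t, ntp_signd_var_t, ntp_signd_var_t)
allow chronyd_t ntp_signd_var_t:dir search;
allow chronyd_t ntp_signd_var_t:sock_file { getattr write };

# Step 4: the interprocess communication itself, a connect() on the
# listening UNIX stream socket held by the Samba process.
allow chronyd_t smbd_t:unix_stream_socket connectto;

# ntp_signd.fc -- persistent labeling for the path from chrony.conf
# (a separate file in the same module directory)
# /var/lib/samba/ntp_signd(/.*)?    gen_context(system_u:object_r:ntp_signd_var_t,s0)
```

With selinux-policy-devel installed, `make -f /usr/share/selinux/devel/Makefile ntp_signd.pp` followed by `semodule -i ntp_signd.pp` loads the module, and `restorecon -Rv /var/lib/samba/ntp_signd` applies the file context. `seinfo -a domain -x | grep -w ntpd_t` shows that ntpd_t carries the domain attribute, confirming the point made earlier in the thread that it is not a type for files. If `ps -eZ` shows Samba or the time service in a different domain than assumed here, substitute that domain in the require block and the allow rules; the rules are deliberately limited to the directory, the socket file, and connectto, so a denial logged in audit.log for anything else points at a mismatch in the assumed domains rather than a missing permission to be added.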