On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon@yahoo.com> wrote:
According to "https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy", I want to set the SELinux, but I got below error:

# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied

# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0        2184 ?        00:00:00 ntpd

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Hi Jason,

I am afraid the wiki page is incorrect regarding the ntpd_t type, and the selinux policy lower on the page is not something which I would recommend to use.

The ntpd_t type is a domain type which cannot be assigned to a file. I am not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for time synchronisation. The chrony.conf man page suggest to use
              ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service running in the initrc_t domain, it should be confined by SELinux, but that is a long term solution.


selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


Zdenek Pytela
Security SELinux team