Hi,
Thank you.
Then, how can I configure SELinux for NTP?
On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <zpytela(a)redhat.com>
wrote:
On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon(a)yahoo.com> wrote:
Hello,
According to
"https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy",
I want to set up SELinux, but I got the error below:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to
‘system_u:object_r:ntpd_t:s0’: Permission denied
# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0 2184 ? 00:00:00 ntpd
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Why?
Hi Jason,
I am afraid the wiki page is incorrect regarding the ntpd_t type, and the SELinux policy
lower on the page is not something which I would recommend using.
The ntpd_t type is a domain type which cannot be assigned to a file. I am not aware of how
the feature works so I cannot suggest further.
Note that in current Fedora there are chronyd and systemd-timesyncd services for time
synchronisation. The chrony.conf man page suggests using
ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service running in the
initrc_t domain, it should be confined by SELinux, but that is a long term solution.
>
> Thanks.
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
--
Zdenek Pytela
Security SELinux team
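
Added example, not part of the original thread: a pre-flight check for the point made in the reply above, that ntpd_t is a domain (process) type and cannot label a file. It classifies a type from the attribute list that `seinfo -t TYPE -x` prints; the two sample outputs are constructed and abbreviated, and example_file_t is a hypothetical type name.

```shell
#!/bin/sh
# Classify an SELinux type as a process domain or a file type before using it
# with chcon/semanage. Assumption: types meant for files carry the file_type
# attribute and process types carry the domain attribute.

# has_attr ATTR: succeed if ATTR appears as a whole identifier on stdin.
has_attr() {
    tr -c 'A-Za-z0-9_' '\n' | grep -qx -- "$1"
}

# classify_type: read `seinfo -t TYPE -x` output on stdin and print
# "file", "domain" or "unknown".
classify_type() {
    out=$(cat)
    if printf '%s\n' "$out" | has_attr file_type; then
        echo file
    elif printf '%s\n' "$out" | has_attr domain; then
        echo domain
    else
        echo unknown
    fi
}

# usable_as_file_label TYPE: query the loaded policy (needs seinfo from
# setools) and succeed only if TYPE can sensibly be applied to a file.
usable_as_file_label() {
    [ "$(seinfo -t "$1" -x | classify_type)" = file ]
}

# Constructed, abbreviated samples of seinfo output (not captured from a host).
SAMPLE_NTPD='Types: 1
   type ntpd_t, daemon, domain;'
SAMPLE_FILE='Types: 1
   type example_file_t, file_type, non_security_file_type;'

# Demo on the constructed samples; no policy tools are required for this part.
echo "ntpd_t:         $(printf '%s\n' "$SAMPLE_NTPD" | classify_type)"
echo "example_file_t: $(printf '%s\n' "$SAMPLE_FILE" | classify_type)"
```

On a live system, `usable_as_file_label ntpd_t` returning non-zero is the signal to stop before running chcon with that type.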