chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied.
11:20 a.m.
Hello,
According to
"https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy",
I want to set the SELinux, but I got below error:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to
‘system_u:object_r:ntpd_t:s0’: Permission denied
# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0 2184 ? 00:00:00 ntpd
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Why?
Thanks.
2:51 a.m.
On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon(a)yahoo.com> wrote:
Hello,
According to "
https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_...;,
I want to set the SELinux, but I got below error:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to
‘system_u:object_r:ntpd_t:s0’: Permission denied
# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0 2184 ? 00:00:00 ntpd
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Why?
Hi Jason,
I am afraid the wiki page is incorrect regarding the ntpd_t type, and the
selinux policy lower on the page is not something which I would recommend
to use.
The ntpd_t type is a domain type which cannot be assigned to a file. I am
not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for
time synchronisation. The chrony.conf man page suggest to use
ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service
running in the initrc_t domain, it should be confined by SELinux, but that
is a long term solution.
Thanks.
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Zdenek Pytela
Security SELinux team
3:38 a.m.
Hi,
Thank you.
Then, how can I configure SELinux for NTP?
On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <zpytela(a)redhat.com>
wrote:
On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon(a)yahoo.com> wrote:
>
> Thanks.
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
--
Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hello,
According to
"https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy",
I want to set the SELinux, but I got below error:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to
‘system_u:object_r:ntpd_t:s0’: Permission denied
# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0 2184 ? 00:00:00 ntpd
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Why?
Hi Jason,
I am afraid the wiki page is incorrect regarding the ntpd_t type, and the selinux policy
lower on the page is not something which I would recommend to use.
The ntpd_t type is a domain type which cannot be assigned to a file. I am not aware of how
the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for time
synchronisation. The chrony.conf man page suggest to use
ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service running in the
initrc_t domain, it should be confined by SELinux, but that is a long term solution.
4:26 a.m.
Hi,
As I already stated, I have no experience with setting up this feature. I
can describe the solution in general:
- assign a type for the directory and socket file
- a file transition may be needed if the directory is not packaged or the
socket is not permanent
- allow both services (one is the ntp providing service, I am not sure
which is the other one) appropriate access to the directory and socket file
- allow both services interprocess communication
This needs to be resolved in cooperation with samba developers and the wiki
page needs updating. In Fedora, the legacy ntp service is not supported any
longer, there are chronyd and systemd-timesync. Chrony directly mentions
support for ntp_signd.
On Mon, May 17, 2021 at 10:38 AM Jason Long <hack3rcon(a)yahoo.com> wrote:
Hi,
Thank you.
Then, how can I configure SELinux for NTP?
On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <
zpytela(a)redhat.com> wrote:
On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon(a)yahoo.com> wrote:
> Hello,
> According to "
https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_...;,
I want to set the SELinux, but I got below error:
>
> # chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
> chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd'
to ‘system_u:object_r:ntpd_t:s0’: Permission denied
>
> # ps -eZ | grep ntpd_t
> system_u:system_r:ntpd_t:s0 2184 ? 00:00:00 ntpd
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: actual (secure)
> Max kernel policy version: 33
>
>
> Why?
Hi Jason,
I am afraid the wiki page is incorrect regarding the ntpd_t type, and the
selinux policy lower on the page is not something which I would recommend
to use.
The ntpd_t type is a domain type which cannot be assigned to a file. I am
not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services
for time synchronisation. The chrony.conf man page suggest to use
ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service
running in the initrc_t domain, it should be confined by SELinux, but that
is a long term solution.
>
>
>
> Thanks.
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
--
Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Zdenek Pytela
Security SELinux team
1081
days inactive
1099
days old
selinux@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Jason Long -
Zdenek Pytela