[Samba] Time Synchronisation - SELinux Labeling and Policy

Robert Marcano robert at marcanoonline.com
Tue Apr 16 18:03:04 UTC 2019

On 4/16/19 12:47 PM, Marco Gemignani via samba wrote:
> hi, i want set selinux to usw with ntpd
> but when i run (as described in wiki)
> semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
> i have that error
> "
> usage: semanage [-h]
> {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit} 
>                  ...
> semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose 
> from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 
> 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 
> 'dontaudit')
> [root at dc ~]#
> "
> my sistem is a centos 7

I use chrony instead of ntpd on CentOS 7. This may help. Create the 
following files.

You will need to check the SELinux context of the socket (ls -Z) and use 
it instead of <sign_socket_context> on the files. I run a Samba 
container and those are different contexts than your specific Samba AD 
installation (compiled or 3rd party RPM)

Run make to build the SELinux module

Note: https://stopdisablingselinux.com/ :-)

You will need policycoreutils-python and checkpolicy in order to be able 
to build the SELinux module

==================== Makefile ========================
	checkmodule -M -m -o local.mod local.te
	semodule_package -o local.pp -m local.mod
	semodule -i local.pp

==================== local.te ========================

module local 1.0;

require {
     type ntpd_t;
     type <sign_socket_context>;
     class sock_file write;
     class dir search;

allow chronyd_t <sign_socket_context>:dir search;
allow chronyd_t <sign_socket_context>:sock_file write;


More information about the samba mailing list