[Samba] Time Synchronisation - SELinux Labeling and Policy
Robert Marcano
robert at marcanoonline.com
Tue Apr 16 18:03:04 UTC 2019
On 4/16/19 12:47 PM, Marco Gemignani via samba wrote:
> Hi, I want to set SELinux to use with ntpd
>
>
> but when I run (as described in the wiki)
>
> semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
>
>
> I have this error
> "
> usage: semanage [-h]
>
>
> {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
>
> ...
> semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose
> from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport',
> 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive',
> 'dontaudit')
> [root at dc ~]#
>
> "
>
> My system is a CentOS 7
>
>
I use chrony instead of ntpd on CentOS 7. This may help. Create the
following files.

You will need to check the SELinux context of the socket (ls -Z) and use
it instead of <sign_socket_context> on the files. I run a Samba
container and those are different contexts than your specific Samba AD
installation (compiled or 3rd party RPM).

Run make to build the SELinux module.

Note: https://stopdisablingselinux.com/ :-)

You will need policycoreutils-python and checkpolicy in order to be able
to build the SELinux module.

==================== Makefile ========================
# Recipe lines must be indented with a tab
module:
	checkmodule -M -m -o local.mod local.te
	semodule_package -o local.pp -m local.mod
	semodule -i local.pp
==================== local.te ========================
module local 1.0;

require {
	# Source domain used in the allow rules below
	type chronyd_t;
	type <sign_socket_context>;
	class sock_file write;
	class dir search;
}

# Let chronyd search the socket directory and write to the signing socket
allow chronyd_t <sign_socket_context>:dir search;
allow chronyd_t <sign_socket_context>:sock_file write;
======================================================
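
The step of reading the socket's label and substituting its type for <sign_socket_context> can be scripted. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes GNU stat (for %C) and that the ntp_signd directory and the socket inside it carry the same SELinux type.

```shell
#!/bin/sh
# Added example (not from the original post): build local.te from the
# SELinux label of the ntp_signd socket. Function names are hypothetical.

# Type field (3rd colon-separated field) of a context such as
# system_u:object_r:example_sock_t:s0  (constructed sample value).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Accept only plain type identifiers so an unlabeled path ("?") or an
# empty value never reaches the policy source.
valid_type() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print local.te for a source domain ($1) and socket type ($2).
render_te() {
    valid_type "$1" && valid_type "$2" || return 1
    cat <<EOF
module local 1.0;
require {
    type $1;
    type $2;
    class sock_file write;
    class dir search;
}
allow $1 $2:dir search;
allow $1 $2:sock_file write;
EOF
}

# Read the label of path $2 (GNU stat: %C = SELinux context) and render
# the module for domain $1.
te_for_path() {
    ctx=$(stat -c %C "$2") || return 1
    render_te "$1" "$(selinux_type "$ctx")"
}

# Usage on the DC (path taken from the thread; adjust to your install):
#   te_for_path chronyd_t /usr/local/samba/var/lib/ntp_signd > local.te
```

Review the generated local.te before running make, since the module grants access to whatever type the path happened to carry when it was read.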