[Samba] ntp/chrony on AD DC and SELinux
Robert Marcano
robert at marcanoonline.com
Tue Nov 3 15:53:30 UTC 2020
On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
> Hi,
>
> the instructions for "Time Synchronisation - SELinux Labeling and
> Policy" on
> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
> don't seem to work on CentOS 8. Using chrony I tried to adapt them (with
> very limited SELinux knowledge) like this:
>
> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
> restorecon -R -v /var/lib/samba/ntp_signd
>
> This seems to work on one DC, on the other I'm seeing this in the logs:
> "platform-python[1654]: SELinux is preventing chronyd from search access
> on the directory ntp_signd."
> Correspondingly I'm seeing ntpclient errors for this DC on a Windows
> member.
>
> Thx for any advice
> Matthias
>
>
Instead of changing the context of ntp_signd (and probably having problems
with Samba trying to create or write to it because it doesn't have the
appropriate Samba context), let chrony access the Samba-labeled files
with an SELinux module like:
======================
module local 1.0;

require {
    type chronyd_t;
    type container_file_t;
    class sock_file write;
    class dir search;
}

# chronyd has to traverse the ntp_signd directory and write to the socket in it
allow chronyd_t container_file_t:dir search;
allow chronyd_t container_file_t:sock_file write;
======================
Note: I use container_file_t because my Samba is containerized, but you
should use samba_var_t since your Samba is running on the host and uses
the /var/lib/samba directory.
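The procedure the reply describes, carried through end to end as an added example (not code from the original post or from the Samba or chrony projects): query the policy for the type /var/lib/samba/ntp_signd is supposed to carry, generate the .te source for that type, undo the chcon/fcontext relabel from the question, compile and load the module, and check for leftover denials. The module name chrony_samba_ntpsignd is an assumption; the tools used (matchpathcon, checkmodule, semodule_package, semodule, semanage, restorecon, ausearch, audit2allow) are the standard policycoreutils/checkpolicy utilities on CentOS 8 and need root to load the module.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds and loads an SELinux
# module allowing chronyd to reach Samba's ntp_signd socket without relabeling
# the directory. The module name below is an assumption.
set -eu

NTP_SIGND_DIR=/var/lib/samba/ntp_signd
MODULE=chrony_samba_ntpsignd
WORK=${TMPDIR:-/tmp}

# Type component of the label the loaded policy assigns to a path
# (samba_var_t for a host install, container_file_t for a containerized Samba).
label_type_for() {
    matchpathcon -n "$1" | awk -F: '{print $3}'
}

# Emit type-enforcement source. $1 = module name, $2 = file type to target.
gen_te() {
    cat <<EOF
module $1 1.0;

require {
    type chronyd_t;
    type $2;
    class dir search;
    class sock_file write;
}

# chronyd walks /var/lib/samba/ntp_signd and connects to the socket inside it
allow chronyd_t $2:dir search;
allow chronyd_t $2:sock_file write;
EOF
}

# Undo the chcon/semanage fcontext change from the question so the directory
# goes back to the label the stock policy gives it.
revert_relabel() {
    semanage fcontext -d "$NTP_SIGND_DIR(/.*)?" 2>/dev/null || true
    restorecon -R -v "$NTP_SIGND_DIR"
}

# Compile the .te into a policy package and load it. $1 = path prefix of the .te.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

main() {
    if command -v matchpathcon >/dev/null 2>&1; then
        ftype=$(label_type_for "$NTP_SIGND_DIR")
    else
        ftype=samba_var_t   # assume a host install when the policy cannot be queried
    fi
    gen_te "$MODULE" "$ftype" > "$WORK/$MODULE.te"

    # Loading needs the checkpolicy toolchain and root; only generate otherwise.
    if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        revert_relabel
        build_and_load "$WORK/$MODULE"
        semodule -l | grep "^$MODULE"
        # Any remaining chronyd AVC means a permission is still missing;
        # audit2allow prints the rule that would cover it.
        ausearch -m AVC -c chronyd -ts recent 2>/dev/null | audit2allow || true
    else
        echo "generated $WORK/$MODULE.te for type $ftype; load it as root with checkpolicy installed"
    fi
}

main "$@"
```

Run it on each DC rather than copying the .pp between them: the type it targets comes from that host's own policy, which is the difference between a host and a containerized Samba the reply points out, and the ausearch check at the end tells you whether the remaining ntpclient errors on the second DC are still SELinux denials or something else.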