[Samba] ntp/chrony on AD DC and SELinux

Robert Marcano robert at marcanoonline.com
Tue Nov 3 15:53:30 UTC 2020

On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
> Hi,
> the instructions for "Time Synchronisation - SELinux Labeling and 
> Policy" on 
> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy 
> don't seem to work on CentOS 8. Using chrony I tried to adapt them (with 
> very limited SELinux knowledge) like this:
> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
> restorecon -R -v  /var/lib/samba/ntp_signd
> This seems to work on one DC, on the other I'm seeing this in the logs:
> "platform-python[1654]: SELinux is preventing chronyd from search access 
> on the directory ntp_signd."
> Correspondingly I'm seeing ntpclient errors for this DC on a Windows 
> member.
> Thx for any advice
> Matthias

Instead of changing the context of ntp_signd, and probably having problems 
with Samba trying to create or write to it because it doesn't have the 
appropriate Samba context, let chrony access the Samba-labeled files 
with an SELinux module like:

module local 1.0;

require {
     type chronyd_t;
     type container_file_t;
     class sock_file write;
     class dir search;
}

allow chronyd_t container_file_t:dir search;
allow chronyd_t container_file_t:sock_file write;

Note: I use container_file_t because my Samba is containerized, but you 
should use samba_var_t since your Samba is running on the host, using the 
/var/lib/samba directory directly.
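The step from the denial in the log to the module above, as an added example that is not part of Robert's post or of Samba or chrony: the script below reads raw AVC lines (the form ausearch -m avc -c chronyd prints), turns them into one allow rule per denied permission, wraps the rules in a module with a matching require block, and compiles and loads the result when the policy tools are present and it runs as root. This is what audit2allow -M automates; spelling it out shows exactly which types and classes the module grants. The two AVC lines are constructed sample input modelled on the denial quoted above, with ntp_signd labelled samba_var_t as on a non-containerized DC; the module name chrony_ntpsignd is an arbitrary choice. The generated rules grant chronyd_t search and write on every samba_var_t directory and socket, not only ntp_signd, which is the same scope as the module in the post; a narrower grant would need a dedicated type for the socket directory.

```bash
#!/usr/bin/env bash
# Added example (not from the mailing-list post): AVC denials -> SELinux module.
# SAMPLE_AVC is CONSTRUCTED sample input in the raw audit.log format; on a
# real DC use:  ausearch -m avc -c chronyd
set -eu

SAMPLE_AVC='type=AVC msg=audit(1604418810.123:456): avc:  denied  { search } for  pid=1654 comm="chronyd" name="ntp_signd" dev="dm-0" ino=12345 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1604418810.124:457): avc:  denied  { write } for  pid=1654 comm="chronyd" name="socket" dev="dm-0" ino=12346 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0'

# avc_to_rules: read AVC lines on stdin, print one sorted, de-duplicated
# "allow <source type> <target type>:<class> <perm>;" rule per denied permission.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        perms = $0                                   # permissions sit between { and }
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")         # user:role:type:level -> type is field 3
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++)
            printf "allow %s %s:%s %s;\n", sa[3], ta[3], c, pa[i]
    }' | sort -u
}

# rules_to_te NAME: read allow rules on stdin, emit a complete .te for module NAME:
# header, a require block listing every type and class/permission used, the rules.
rules_to_te() {
    local name="$1" rules
    rules="$(cat)"
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '{ split($3, t, ":"); print $2; print t[1] }' \
        | sort -u | awk '{ printf "    type %s;\n", $1 }'
    printf '%s\n' "$rules" | awk '{ split($3, t, ":"); p = $4; sub(/;$/, "", p); print t[2], p }' \
        | sort -u | awk '
            $1 != cls { if (cls != "") printf "    class %s { %s };\n", cls, perms
                        cls = $1; perms = $2; next }
                      { perms = perms " " $2 }
            END       { if (cls != "") printf "    class %s { %s };\n", cls, perms }'
    printf '}\n\n%s\n' "$rules"
}

# build_and_load TEFILE: compile and install the module. Needs checkpolicy and
# policycoreutils and root; otherwise it only reports what it would have run.
build_and_load() {
    local te="$1" base="${1%.te}"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1; then
        echo "SELinux policy tools not installed; not building $te" >&2
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; as root run: checkmodule -M -m -o $base.mod $te && semodule_package -o $base.pp -m $base.mod && semodule -i $base.pp" >&2
        return 0
    fi
    checkmodule -M -m -o "$base.mod" "$te"         # .te -> .mod
    semodule_package -o "$base.pp" -m "$base.mod"  # .mod -> .pp
    semodule -i "$base.pp"                         # load into the running policy
}

# Stand-alone run: print the generated policy, then build and load it if possible.
workdir="$(mktemp -d)"
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | rules_to_te chrony_ntpsignd > "$workdir/chrony_ntpsignd.te"
cat "$workdir/chrony_ntpsignd.te"
build_and_load "$workdir/chrony_ntpsignd.te"
```

Before trusting the generated target type, confirm with ls -Zd /var/lib/samba/ntp_signd that the directory really carries samba_var_t (or container_file_t); if an earlier chcon left it as chronyd_exec_t, remove that fcontext entry with semanage fcontext -d and run restorecon again. Installing a module reuses the name in its header, so a second semodule -i of a module called "local" silently replaces whatever "local" module was loaded before; a distinct name like the one used here avoids that. After loading, sesearch -A -s chronyd_t -t samba_var_t -c dir shows the new rule, and a chronyd restart followed by ausearch -m avc -c chronyd -ts recent should come back empty.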
