[Samba] ntp/chrony on AD DC and SELinux

Robert Marcano robert at marcanoonline.com
Tue Nov 3 15:58:58 UTC 2020

On 11/3/20 11:53 AM, Robert Marcano wrote:
> On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
>> Hi,
>> the instructions for "Time Synchronisation - SELinux Labeling and 
>> Policy" on 
>> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy 
>> don't seem to work on CentOS 8. Using chrony I tried to adapt them 
>> (with very limited SELinux knowledge) like this:
>> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
>> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
>> restorecon -R -v  /var/lib/samba/ntp_signd
>> This seems to work on one DC, on the other I'm seeing this in the logs:
>> "platform-python[1654]: SELinux is preventing chronyd from search 
>> access on the directory ntp_signd."
>> Correspondingly I'm seeing ntpclient errors for this DC on a Windows 
>> member.
>> Thx for any advice
>> Matthias
> Instead of changing the context of ntp_signd and probably having problems 
> with Samba trying to create or write to it because it doesn't have the 
> appropriate Samba context, let chrony access the Samba labeled files 
> with an SELinux module like:
> ======================
> module local 1.0;
> require {
>      type chronyd_t;
>      type container_file_t;
>      class sock_file write;
>      class dir search;
> }
> allow chronyd_t container_file_t:dir search;
> allow chronyd_t container_file_t:sock_file write;
> ======================
> Note: I use container_file_t because my Samba is containerized, but you 
> should use samba_var_t since your Samba is running on the host 
> /var/lib/samba directory.

Forgot to add that I think the Wiki works for many people because it is 
for a Samba built to use /usr/local/samba/var, not /var. So there are no 
SELinux rules in place for these files.

/var/lib/samba has rules already defined on the system SELinux policy.
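The module from the reply together with the build and load steps it leaves out, as an added example that is not code from the thread: it emits the .te with samba_var_t by default (the host /var/lib/samba case), compiles it with checkmodule and semodule_package, loads it with semodule, and then checks that the module is listed and that no fresh AVC denials for chronyd mention ntp_signd. The module name samba_ntp_signd and the `install` argument are my own choices.

```shell
# Added example, not code from the thread. Builds the module Robert sketches,
# defaulting to samba_var_t for a Samba that lives in /var/lib/samba on the host.
set -eu
MODNAME="samba_ntp_signd"   # module name is an assumption; any unique name works

# Print the type-enforcement (.te) source. $1 selects the type Samba's
# ntp_signd directory carries: samba_var_t on the host, container_file_t when
# Samba is containerized (the reply's own case).
gen_te() {
    ftype="${1:-samba_var_t}"
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type chronyd_t;
    type ${ftype};
    class sock_file write;
    class dir search;
}

# chronyd must traverse /var/lib/samba/ntp_signd and write to the socket in it
allow chronyd_t ${ftype}:dir search;
allow chronyd_t ${ftype}:sock_file write;
EOF
}

# Compile and load the module; needs checkmodule, semodule_package, semodule and root.
build_and_load() {
    ftype="${1:-samba_var_t}"
    workdir="$(mktemp -d)"
    gen_te "$ftype" > "${workdir}/${MODNAME}.te"
    checkmodule -M -m -o "${workdir}/${MODNAME}.mod" "${workdir}/${MODNAME}.te"
    semodule_package -o "${workdir}/${MODNAME}.pp" -m "${workdir}/${MODNAME}.mod"
    semodule -i "${workdir}/${MODNAME}.pp"
    rm -rf "$workdir"
}

# Confirm the module is loaded and no recent AVC denial for chronyd names ntp_signd.
verify() {
    semodule -l | grep -q "^${MODNAME}" || return 1
    ausearch -m AVC -c chronyd -ts recent 2>/dev/null | grep -q ntp_signd && return 1
    return 0
}

# Only touch the system when explicitly asked:  sh this_script.sh install [type]
if [ "${1:-}" = "install" ]; then
    build_and_load "${2:-samba_var_t}"
    verify
fi
```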
