[Samba] ntp/chrony on AD DC and SELinux
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Wed Nov 4 16:07:40 UTC 2020
On 03.11.20 at 16:53, Robert Marcano via samba wrote:
> On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
>> Hi,
>>
>> the instructions for "Time Synchronisation - SELinux Labeling and
>> Policy" on
>> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
>> don't seem to work on CentOS 8. Using chrony I tried to adapt them
>> (with very limited SELinux knowledge) like this:
>>
>> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
>> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
>> restorecon -R -v /var/lib/samba/ntp_signd
>>
>> This seems to work on one DC, on the other I'm seeing this in the logs:
>> "platform-python[1654]: SELinux is preventing chronyd from search
>> access on the directory ntp_signd."
>> Correspondingly I'm seeing ntpclient errors for this DC on a Windows
>> member.
>>
>> Thx for any advice
>> Matthias
>>
>>
>
> Instead of changing the context of ntp_signd and probably having problems
> with Samba trying to create or write to it because it doesn't have the
> appropriate Samba context, let chrony access the Samba-labeled files
> with an SELinux module like:
>
> ======================
> module local 1.0;
>
> require {
>     type chronyd_t;
>     type container_file_t;
>     class sock_file write;
>     class dir search;
> }
>
> # chronyd has to traverse the ntp_signd directory ...
> allow chronyd_t container_file_t:dir search;
> # ... and write to the unix socket Samba listens on inside it
> allow chronyd_t container_file_t:sock_file write;
> ======================
>
> Note: I use container_file_t because my Samba is containerized, but you
> should use samba_var_t since your Samba is running on the host
> /var/lib/samba directory.
>
This actually worked, thanks a lot.
Matthias
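The thread shows the policy source but not how it gets compiled and loaded, nor how to confirm the label assumption behind it. The script below is an added example, not code from the thread or from the Samba project: it generates Robert's module for a given file type (samba_var_t for a host install of Samba, as he suggests; container_file_t for a containerized one), builds it with checkmodule and semodule_package, and loads it with semodule. The module name chrony_ntpsignd and the helper names are my own choices; the assumption that /var/lib/samba is labeled samba_var_t should be verified with check_label before loading.

```shell
#!/bin/sh
# Added example: build and load a local SELinux module that lets chronyd
# reach Samba's ntp_signd socket. Not part of the original thread.
set -eu

# Emit the Type Enforcement (.te) source for the module.
# $1 = module name, $2 = type of /var/lib/samba on this host
#      (samba_var_t for a host install, container_file_t for a container).
gen_te() {
    name=$1
    ftype=$2
    cat <<EOF
module $name 1.0;

require {
    type chronyd_t;
    type $ftype;
    class sock_file write;
    class dir search;
}

# chronyd must traverse /var/lib/samba/ntp_signd ...
allow chronyd_t $ftype:dir search;
# ... and write to the unix socket Samba's signing daemon listens on there.
allow chronyd_t $ftype:sock_file write;
EOF
}

# Show the current label so the type passed to gen_te matches reality
# (expected on CentOS 8 host install: ...:object_r:samba_var_t:s0).
check_label() {
    ls -dZ /var/lib/samba/ntp_signd
}

# Undo an earlier chcon/semanage relabel to chronyd_exec_t, if one was made,
# so the directory returns to its default Samba context before loading.
revert_relabel() {
    semanage fcontext -d "/var/lib/samba/ntp_signd(/.*)?" || true
    restorecon -R -v /var/lib/samba/ntp_signd
}

# Compile and load: .te -> .mod -> .pp -> semodule -i.
# Needs checkmodule (checkpolicy) and semodule_package (policycoreutils).
# Run as root.
build_and_load() {
    name=$1
    ftype=$2
    dir=$(mktemp -d)
    gen_te "$name" "$ftype" > "$dir/$name.te"
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
    semodule -i "$dir/$name.pp"
    rm -rf "$dir"
}

# Confirm no further denials after restarting chronyd:
#   systemctl restart chronyd && ausearch -m AVC -c chronyd -ts recent
```

Typical use on the DC: `check_label`, then `revert_relabel` if the directory was relabeled earlier, then `build_and_load chrony_ntpsignd samba_var_t`. Keeping the allow rule narrow (only `dir search` and `sock_file write` on that one type) is deliberate: it grants chronyd exactly the two accesses the AVC in the first message complained about and nothing else under /var/lib/samba.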