Marco Gemignani
2019-Apr-16 16:47 UTC
[Samba] Time Synchronisation - SELinux Labeling and Policy
Hi, I want to set SELinux to use with ntpd,

but when I run (as described in the wiki)

    semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"

I have that error:

"
usage: semanage [-h]
                {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
                ...
semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
[root at dc ~]#
"

My system is a CentOS 7.
Rowland Penny
2019-Apr-16 17:56 UTC
[Samba] Time Synchronisation - SELinux Labeling and Policy
On Tue, 16 Apr 2019 18:47:07 +0200 Marco Gemignani via samba <samba at lists.samba.org> wrote:

> Hi, I want to set SELinux to use with ntpd,
>
> but when I run (as described in the wiki)
>
> semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
>
> I have that error:
> "
> usage: semanage [-h]
>
> {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
> ...
> semanage: error: argument subcommand: invalid choice:
> 'ntpd_t' (choose from 'import', 'export', 'login', 'user', 'port',
> 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext',
> 'boolean', 'permissive', 'dontaudit') [root at dc ~]#
>
> "
>
> My system is a CentOS 7.

I am not an expert on selinux (I normally turn it off), but it sounds like you need some extra selinux packages installing, or to put it another way, it isn't really a Samba problem ;-)

Rowland
Robert Marcano
2019-Apr-16 18:03 UTC
[Samba] Time Synchronisation - SELinux Labeling and Policy
On 4/16/19 12:47 PM, Marco Gemignani via samba wrote:

> Hi, I want to set SELinux to use with ntpd,
>
> but when I run (as described in the wiki)
>
> semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
>
> I have that error:
> "
> usage: semanage [-h]
>
> {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
>
> ...
> semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose
> from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport',
> 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive',
> 'dontaudit')
> [root at dc ~]#
>
> "
>
> My system is a CentOS 7.

I use chrony instead of ntpd on CentOS 7. This may help.

Create the following files. You will need to check the SELinux context of the socket (ls -Z) and use it instead of <sign_socket_context> in the files. I run a Samba container and those are different contexts than your specific Samba AD installation (compiled or 3rd party RPM).

Run make to build the SELinux module.

Note: https://stopdisablingselinux.com/ :-)

You will need policycoreutils-python and checkpolicy in order to be able to build the SELinux module.

==================== Makefile =======================
module:
	checkmodule -M -m -o local.mod local.te
	semodule_package -o local.pp -m local.mod
	semodule -i local.pp

==================== local.te =======================
module local 1.0;

require {
	type ntpd_t;
	type <sign_socket_context>;
	class sock_file write;
	class dir search;
}

allow chronyd_t <sign_socket_context>:dir search;
allow chronyd_t <sign_socket_context>:sock_file write;
======================================================
Robert Marcano
2019-Apr-16 18:10 UTC
[Samba] Time Synchronisation - SELinux Labeling and Policy
On 4/16/19 2:03 PM, Robert Marcano wrote:

> On 4/16/19 12:47 PM, Marco Gemignani via samba wrote:
...
>
> allow chronyd_t <sign_socket_context>:dir search;
> allow chronyd_t <sign_socket_context>:sock_file write;

Sorry, these lines should be allow ntpd_t.

A good SELinux guide is at https://wiki.centos.org/HowTos/SELinux . This module for my chrony-based installation was autogenerated by audit2allow.

You can get more SELinux help on the CentOS/Fedora mailing lists.
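Added example, not part of the original thread or of Samba's documentation: a small shell helper that fills the <sign_socket_context> placeholder of the local.te posted above with the type taken from a socket's SELinux context, using ntpd_t as in the correction. The function names and the sample context string are constructed for illustration; the real context has to be read from the socket on the host.

```shell
#!/bin/sh
# Added example: render the thread's local.te for a given domain and socket type.
# Function names and SAMPLE_CONTEXT are assumptions made for this illustration.

# Print the type field of an SELinux context (user:role:type:level).
# The level may itself contain colons; the type is always the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Accept only plain policy identifiers so that no other text
# (spaces, semicolons, newlines) can end up inside the generated .te.
valid_ident() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# render_te DOMAIN SOCKET_TYPE: write the policy module text to stdout.
# The two allow rules are the ones posted in the thread, nothing more.
render_te() {
    domain=$1
    sock_type=$2
    valid_ident "$domain" && valid_ident "$sock_type" || return 1
    cat <<EOF
module local 1.0;

require {
    type $domain;
    type $sock_type;
    class sock_file write;
    class dir search;
}

allow $domain $sock_type:dir search;
allow $domain $sock_type:sock_file write;
EOF
}

# Constructed sample value; on a real host take the context that
# "ls -Z" shows for the ntp_signd socket instead.
SAMPLE_CONTEXT='system_u:object_r:samba_var_t:s0'

render_te ntpd_t "$(context_type "$SAMPLE_CONTEXT")"
```

Redirect the output to local.te and build it with the Makefile from the earlier message.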
adam_xu at adagene.com.cn
2019-Apr-17 03:24 UTC
[Samba] Time Synchronisation - SELinux Labeling and Policy
Hi Marco Gemignani, sambalist,

That's easy. I use chrony. Please run some commands like me:

    semanage fcontext -a -t chronyd_var_lib_t "/var/lib/samba/ntp_signd(/.*)?"
    restorecon -Rv /var/lib/samba/ntp_signd

Note: change your label to ntpd_t if you use ntpd.

Best, yours
Adam

From: Marco Gemignani via samba
Date: 2019-04-17 00:47
To: samba
Subject: [Samba] Time Synchronisation - SELinux Labeling and Policy

Hi, I want to set SELinux to use with ntpd,

but when I run (as described in the wiki)

    semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"

I have that error:

"
usage: semanage [-h]
                {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
                ...
semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
[root at dc ~]#
"

My system is a CentOS 7.