Hi,

the instructions for "Time Synchronisation - SELinux Labeling and Policy" on https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy don't seem to work on CentOS 8. Using chrony I tried to adapt them (with very limited SELinux knowledge) like this:

chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
restorecon -R -v /var/lib/samba/ntp_signd

This seems to work on one DC, on the other I'm seeing this in the logs:
"platform-python[1654]: SELinux is preventing chronyd from search access on the directory ntp_signd."
Correspondingly I'm seeing ntpclient errors for this DC on a Windows member.

Thx for any advice
Matthias
On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
> Hi,
>
> the instructions for "Time Synchronisation - SELinux Labeling and
> Policy" on
> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
> don't seem to work on CentOS 8. Using chrony I tried to adapt them (with
> very limited SELinux knowledge) like this:
>
> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
> restorecon -R -v /var/lib/samba/ntp_signd
>
> This seems to work on one DC, on the other I'm seeing this in the logs:
> "platform-python[1654]: SELinux is preventing chronyd from search access
> on the directory ntp_signd."
> Correspondingly I'm seeing ntpclient errors for this DC on a Windows
> member.
>
> Thx for any advice
> Matthias
>

Instead of changing the context of ntp_signd and probably having problems with Samba trying to create or write to it because it doesn't have the appropriate Samba context, let chrony access the Samba labeled files with a SELinux module like:

=====================
module local 1.0;

require {
    type chronyd_t;
    type container_file_t;
    class sock_file write;
    class dir search;
}

allow chronyd_t container_file_t:dir search;
allow chronyd_t container_file_t:sock_file write;
=====================

Note: I use container_file_t because my Samba is containerized, but you should use samba_var_t since your Samba is running on the host /var/lib/samba directory.
On 11/3/20 11:53 AM, Robert Marcano wrote:
> On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
>> Hi,
>>
>> the instructions for "Time Synchronisation - SELinux Labeling and
>> Policy" on
>> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
>> don't seem to work on CentOS 8. Using chrony I tried to adapt them
>> (with very limited SELinux knowledge) like this:
>>
>> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
>> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
>> restorecon -R -v /var/lib/samba/ntp_signd
>>
>> This seems to work on one DC, on the other I'm seeing this in the logs:
>> "platform-python[1654]: SELinux is preventing chronyd from search
>> access on the directory ntp_signd."
>> Correspondingly I'm seeing ntpclient errors for this DC on a Windows
>> member.
>>
>> Thx for any advice
>> Matthias
>>
>
> Instead of changing the context of ntp_signd and probably having problems
> with Samba trying to create or write to it because it doesn't have the
> appropriate Samba context, let chrony access the Samba labeled files
> with a SELinux module like:
>
> =====================
> module local 1.0;
>
> require {
>     type chronyd_t;
>     type container_file_t;
>     class sock_file write;
>     class dir search;
> }
>
> allow chronyd_t container_file_t:dir search;
> allow chronyd_t container_file_t:sock_file write;
> =====================
>
> Note: I use container_file_t because my Samba is containerized, but you
> should use samba_var_t since your Samba is running on the host
> /var/lib/samba directory.

Forgot to add that I think the Wiki works for many people because it is for a Samba built to use /usr/local/samba/var, not /var. So there are no SELinux rules in place for these files. /var/lib/samba has rules already defined in the system SELinux policy.
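The procedure Robert describes in the two messages above (keep /var/lib/samba labeled samba_var_t, and grant chronyd_t the two permissions the AVC denials name with a local policy module) as a script. This is an added example, not code from the thread or from the Samba or chrony projects. It assumes chrony runs in the chronyd_t domain, the signing socket lives under /var/lib/samba/ntp_signd, and the module name chrony_ntp_signd is our own choice; set SAMBA_TYPE=container_file_t for a containerized Samba as in Robert's case. The install, diagnose and verify steps need root and the checkpolicy, policycoreutils, setools and audit packages; generating the module source needs nothing.

```shell
#!/bin/sh
# Added example (not from the thread): build and load a local SELinux
# module that lets chronyd reach Samba's ntp_signd socket without
# relabeling the directory away from Samba's own type.
# Assumptions: chrony runs as chronyd_t, the socket directory is
# /var/lib/samba/ntp_signd, and "chrony_ntp_signd" is our module name.

MODNAME="${MODNAME:-chrony_ntp_signd}"
SAMBA_TYPE="${SAMBA_TYPE:-samba_var_t}"   # container_file_t for a containerized Samba

# Emit the type-enforcement source. Only the two permissions the denials
# name are granted: traversing the directory and writing to the socket.
gen_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type chronyd_t;
    type ${SAMBA_TYPE};
    class sock_file write;
    class dir search;
}

# chronyd must search ntp_signd/ and connect to the socket inside it
allow chronyd_t ${SAMBA_TYPE}:dir search;
allow chronyd_t ${SAMBA_TYPE}:sock_file write;
EOF
}

# Number of allow rules in the generated source (sanity check: must be 2).
count_allow_rules() {
    gen_te | grep -c '^allow chronyd_t'
}

# Show what the kernel is currently denying chronyd, so you can confirm
# that dir:search and sock_file:write are the only permissions missing
# before loading anything.
diagnose() {
    ausearch -m AVC -ts recent -c chronyd | audit2allow
}

# Compile and load the module (root; needs checkmodule, semodule_package,
# semodule from the checkpolicy and policycoreutils packages).
install_module() {
    workdir=$(mktemp -d) || return 1
    gen_te > "${workdir}/${MODNAME}.te"
    checkmodule -M -m -o "${workdir}/${MODNAME}.mod" "${workdir}/${MODNAME}.te" || return 1
    semodule_package -o "${workdir}/${MODNAME}.pp" -m "${workdir}/${MODNAME}.mod" || return 1
    semodule -i "${workdir}/${MODNAME}.pp" || return 1
    rm -rf "${workdir}"
}

# Confirm the rules are in the loaded policy and put the directory back on
# its default label in case chcon was applied earlier; ls -Z should then
# show the Samba type, not chronyd_exec_t.
verify() {
    sesearch -A -s chronyd_t -t "${SAMBA_TYPE}" | grep -E 'dir|sock_file'
    restorecon -R -v /var/lib/samba/ntp_signd
    ls -dZ /var/lib/samba/ntp_signd
}

case "${1:-}" in
    show)     gen_te ;;
    diagnose) diagnose ;;
    install)  install_module && verify ;;
esac
```

Run `sh script.sh show` to inspect the generated source, `sh script.sh diagnose` on the DC that still logs denials, and `sh script.sh install` to load the module and verify. If diagnose prints rules beyond the two above (for example getattr or connectto on the socket), add exactly those to gen_te rather than relabeling the directory: the directory must stay samba_var_t so that samba itself can create and write the socket.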
On 03.11.20 at 16:53, Robert Marcano via samba wrote:
> On 11/3/20 10:02 AM, Matthias Leopold via samba wrote:
>> Hi,
>>
>> the instructions for "Time Synchronisation - SELinux Labeling and
>> Policy" on
>> https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
>> don't seem to work on CentOS 8. Using chrony I tried to adapt them
>> (with very limited SELinux knowledge) like this:
>>
>> chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
>> semanage fcontext -a -t chronyd_exec_t "/var/lib/samba/ntp_signd(/.*)?"
>> restorecon -R -v /var/lib/samba/ntp_signd
>>
>> This seems to work on one DC, on the other I'm seeing this in the logs:
>> "platform-python[1654]: SELinux is preventing chronyd from search
>> access on the directory ntp_signd."
>> Correspondingly I'm seeing ntpclient errors for this DC on a Windows
>> member.
>>
>> Thx for any advice
>> Matthias
>>
>
> Instead of changing the context of ntp_signd and probably having problems
> with Samba trying to create or write to it because it doesn't have the
> appropriate Samba context, let chrony access the Samba labeled files
> with a SELinux module like:
>
> =====================
> module local 1.0;
>
> require {
>     type chronyd_t;
>     type container_file_t;
>     class sock_file write;
>     class dir search;
> }
>
> allow chronyd_t container_file_t:dir search;
> allow chronyd_t container_file_t:sock_file write;
> =====================
>
> Note: I use container_file_t because my Samba is containerized, but you
> should use samba_var_t since your Samba is running on the host
> /var/lib/samba directory.
>

This actually worked, thanks a lot.
Matthias