
Re: [Samba] Time Synchronisation - SELinux Labeling and Policy




On 4/16/19 12:47 PM, Marco Gemignani via samba wrote:
Hi, I want to set SELinux to use with ntpd


but when I run (as described in the wiki)

semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"


I have that error
"
usage: semanage [-h]

{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
                 ...
semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
[root@dc ~]#

"

My system is a CentOS 7



I use chrony instead of ntpd on CentOS 7. This may help. Create the following files.

You will need to check the SELinux context of the socket (ls -Z) and use it instead of <sign_socket_context> in the files. I run a Samba container and those are different contexts than your specific Samba AD installation (compiled or 3rd party RPM).

Run make to build the SELinux module.

Note: https://stopdisablingselinux.com/ :-)

You will need policycoreutils-python and checkpolicy in order to be able to build the SELinux module.

==================== Makefile ========================
module:
	checkmodule -M -m -o local.mod local.te
	semodule_package -o local.pp -m local.mod
	semodule -i local.pp

==================== local.te ========================

module local 1.0;

require {
    # chronyd_t is the source domain in the allow rules below, so it must be required here
    type chronyd_t;
    type <sign_socket_context>;
    class sock_file write;
    class dir search;
}

allow chronyd_t <sign_socket_context>:dir search;
allow chronyd_t <sign_socket_context>:sock_file write;

======================================================



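The substitution step described in the reply, as an added example that is not part of the original post: it pulls the type field out of an `ls -Z` line and fills it into the same module, refusing values that are not plain type names (such as the unreplaced placeholder). The function names and the sample line, including `samba_var_t`, are constructed for illustration; your socket's type may differ.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the type (3rd field of user:role:type[:level]) from one `ls -Z` line.
# Handles the CentOS 7 layout (mode owner group context name) and the newer
# layout (context name) by taking the first field that looks like a context.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[3] ~ /^[A-Za-z_][A-Za-z0-9_]*$/) { print part[3]; exit }
        }
        exit 1   # unlabeled ("?") or no context on the line
    }'
}

# Render local.te. $1 = source domain (chronyd_t in the post),
# $2 = type of the ntp_signd directory and socket.
render_local_te() {
    for t in "$1" "$2"; do
        case $t in
            ''|*[!A-Za-z0-9_]*) echo "invalid SELinux type: $t" >&2; return 1 ;;
        esac
    done
    cat <<EOF
module local 1.0;

require {
    type $1;
    type $2;
    class sock_file write;
    class dir search;
}

allow $1 $2:dir search;
allow $1 $2:sock_file write;
EOF
}

# Constructed sample line in CentOS 7 style; check your own with ls -Z.
SAMPLE='drwxr-x---. root root system_u:object_r:samba_var_t:s0 /usr/local/samba/var/lib/ntp_signd'
sock_type=$(context_type "$SAMPLE") && render_local_te chronyd_t "$sock_type"
```

Redirect the output to local.te and build it with the Makefile from the post.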