Hi,
Thank you. Then, how can I configure SELinux for NTP?

On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:

> On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
> > Hello,
> > According to "https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy", I want to set up SELinux, but I got the error below:
> >
> > # chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
> > chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied
> >
> > # ps -eZ | grep ntpd_t
> > system_u:system_r:ntpd_t:s0     2184 ?        00:00:00 ntpd
> >
> > # sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /sys/fs/selinux
> > SELinux root directory:         /etc/selinux
> > Loaded policy name:             targeted
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy MLS status:              enabled
> > Policy deny_unknown status:     allowed
> > Memory protection checking:     actual (secure)
> > Max kernel policy version:      33
> >
> > Why?
>
> Hi Jason,
>
> I am afraid the wiki page is incorrect regarding the ntpd_t type, and the SELinux policy lower on the page is not something which I would recommend using. The ntpd_t type is a domain type which cannot be assigned to a file.
>
> I am not aware of how the feature works so I cannot suggest further. Note in current Fedora there are chronyd and systemd-timesyncd services for time synchronisation. The chrony.conf man page suggests using
>
>   ntpsigndsocket /var/lib/samba/ntp_signd
>
> so it may be sufficient to leave it as is.
>
> If there is a regular service running in the initrc_t domain, it should be confined by SELinux, but that is a long term solution.
>
> > Thanks.
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Zdenek Pytela
> Security SELinux team

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
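The point Zdenek makes is that ntpd_t is a process domain (it carries the policy attribute "domain"), not a file type (attribute "file_type"), which is why chcon refuses it. The script below is an added example, not code from the thread or from the Fedora SELinux team: it extracts the type from a proposed context and checks which attribute set it belongs to before any chcon is attempted. It assumes the setools "seinfo -a<attr> -x" output lists member types one per line after a header (the parse keeps single-token lines), and when seinfo is not installed it falls back to a small constructed sample of type names so it can run offline.

```shell
#!/bin/sh
# Added example: refuse to label a file with a process-domain type.
# Assumes setools' seinfo output format (types listed one per line);
# falls back to constructed sample lists when seinfo is absent.

# context_type CONTEXT: the type field of user:role:type[:range]
context_type() {
    echo "$1" | cut -d: -f3
}

# classify_type TYPE DOMAINS FILE_TYPES
#   DOMAINS / FILE_TYPES are whitespace- or newline-separated type names.
#   Prints "domain", "file_type", "both" or "unknown".
classify_type() {
    _t=$1; _domains=$2; _files=$3
    _in_dom=0; _in_file=0
    for _x in $_domains; do [ "$_x" = "$_t" ] && _in_dom=1; done
    for _x in $_files;   do [ "$_x" = "$_t" ] && _in_file=1; done
    if [ $_in_dom -eq 1 ] && [ $_in_file -eq 1 ]; then echo both
    elif [ $_in_dom -eq 1 ]; then echo domain
    elif [ $_in_file -eq 1 ]; then echo file_type
    else echo unknown
    fi
}

# policy_attr_types ATTR: member types of ATTR in the loaded policy via
# seinfo (setools). Returns 1 when seinfo is not available.
policy_attr_types() {
    command -v seinfo >/dev/null 2>&1 || return 1
    # header lines have several fields; type names are single tokens
    seinfo -a"$1" -x 2>/dev/null | awk 'NF == 1 { print $1 }'
}

# check_label_target CONTEXT DOMAINS FILE_TYPES
#   0: the type may label a file; 1: it is a domain (chcon will fail);
#   2: the type is not in either list.
check_label_target() {
    _ty=$(context_type "$1")
    case $(classify_type "$_ty" "$2" "$3") in
        file_type|both)
            echo "ok: $_ty carries file_type, it may label a file"; return 0 ;;
        domain)
            echo "refuse: $_ty is a process domain, chcon to it will be denied"; return 1 ;;
        *)
            echo "unknown: $_ty not found in the supplied type lists"; return 2 ;;
    esac
}

# Stand-alone run: prefer the live policy, otherwise a constructed sample.
DOMAINS=$(policy_attr_types domain) || DOMAINS="ntpd_t chronyd_t init_t"
FILE_TYPES=$(policy_attr_types file_type) || FILE_TYPES="etc_t var_lib_t"
# The context from the thread that chcon rejected:
check_label_target system_u:object_r:ntpd_t:s0 "$DOMAINS" "$FILE_TYPES"
```

On a host with setools installed the live policy is consulted, so the same check works for any type you are about to pass to chcon or to a semanage fcontext rule; the exit code makes it usable as a guard in a provisioning script.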