Re: chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied.


 



Hi,
Thank you.
Then, how can I configure SELinux for NTP?





On Monday, May 3, 2021, 12:21:45 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote: 





On Sat, May 1, 2021 at 6:27 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
> Hello,
> According to "https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy", I want to set up SELinux, but I got the error below:
> 
> # chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
> chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied
> 
> # ps -eZ | grep ntpd_t
> system_u:system_r:ntpd_t:s0        2184 ?        00:00:00 ntpd
> 
> # sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     actual (secure)
> Max kernel policy version:      33
> 
> 
> Why?
Hi Jason,

I am afraid the wiki page is incorrect regarding the ntpd_t type, and the selinux policy lower on the page is not something which I would recommend to use. 

The ntpd_t type is a domain type which cannot be assigned to a file. I am not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for time synchronisation. The chrony.conf man page suggests using
              ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service running in the initrc_t domain, it should be confined by SELinux, but that is a long-term solution.

> 
> Thanks.
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> 


-- 

Zdenek Pytela
Security SELinux team

