Discussion:
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied.
Jason Long
2021-05-01 16:20:36 UTC
Hello,
According to "https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy", I want to set up SELinux, but I got the error below:

# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied

# ps -eZ | grep ntpd_t
system_u:system_r:ntpd_t:s0        2184 ?        00:00:00 ntpd

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Why?

Thanks.
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infr
Zdenek Pytela
2021-05-03 07:51:18 UTC
Hi Jason,

I am afraid the wiki page is incorrect regarding the ntpd_t type, and the
selinux policy lower on the page is not something which I would recommend
to use.

The ntpd_t type is a domain type which cannot be assigned to a file. I am
not aware of how the feature works so I cannot suggest further.
Note in current Fedora there are chronyd and systemd-timesyncd services for
time synchronisation. The chrony.conf man page suggests using
ntpsigndsocket /var/lib/samba/ntp_signd
so it may be sufficient to leave it as is. If there is a regular service
running in the initrc_t domain, it should be confined by SELinux, but that
is a long-term solution.
--
Zdenek Pytela
Security SELinux team
Jason Long
2021-05-17 08:38:39 UTC
Hi,
Thank you.
Then, how can I configure SELinux for NTP?
Zdenek Pytela
2021-05-19 09:26:41 UTC
Hi,

As I already stated, I have no experience with setting up this feature. I can describe the solution in general:
- assign a type for the directory and socket file
- a file transition may be needed if the directory is not packaged or the socket is not permanent
- allow both services (one is the ntp-providing service, I am not sure which is the other one) appropriate access to the directory and socket file
- allow both services interprocess communication

This needs to be resolved in cooperation with Samba developers and the wiki page needs updating. In Fedora, the legacy ntp service is not supported any longer; there are chronyd and systemd-timesyncd. Chrony directly mentions support for ntp_signd.
--
Zdenek Pytela
Security SELinux team
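A sketch of what those four steps look like as a reference-policy module, added here as an illustration; it is not code from the thread, the Samba wiki, or Fedora's shipped policy. The type name samba_ntp_signd_t, the two domains (chronyd_t for the time service, samba_dc_t standing in for whatever domain `ps -eZ` shows the Samba process in), the samba_var_t label of the parent directory, and the /var/lib/samba/ntp_signd path taken from chrony.conf are all assumptions; build it with the selinux-policy-devel Makefile, install with `semodule -i`, then `restorecon -Rv` the directory instead of using chcon.

```selinux
policy_module(samba_ntp_signd, 1.0)

########################################
# Declarations -- every name below is an assumption for illustration

# Step 1: a file type (not a domain type such as ntpd_t) for the socket
# directory and the socket itself; only a file type can be assigned to a file.
type samba_ntp_signd_t;
files_type(samba_ntp_signd_t)

require {
    type chronyd_t;      # time service that connects to the signing socket
    type samba_dc_t;     # placeholder: domain of the Samba process per `ps -eZ`
    type samba_var_t;    # assumed label of the parent /var/lib/samba directory
}

########################################
# Step 2: when Samba creates ntp_signd under /var/lib/samba at runtime,
# label it automatically instead of depending on a manual relabel.
filetrans_pattern(samba_dc_t, samba_var_t, samba_ntp_signd_t, dir, "ntp_signd")

########################################
# Step 3: access to the directory and socket file for both services.
# Samba owns the directory and creates/removes the socket inside it.
manage_dirs_pattern(samba_dc_t, samba_ntp_signd_t, samba_ntp_signd_t)
manage_sock_files_pattern(samba_dc_t, samba_ntp_signd_t, samba_ntp_signd_t)
# chronyd only needs to find the socket and write to it (least privilege).
allow chronyd_t samba_ntp_signd_t:dir search_dir_perms;
allow chronyd_t samba_ntp_signd_t:sock_file write_sock_file_perms;

########################################
# Step 4: interprocess communication over the unix stream socket.
allow chronyd_t samba_dc_t:unix_stream_socket connectto;

# File context, placed in samba_ntp_signd.fc (path is chrony.conf's example):
# /var/lib/samba/ntp_signd(/.*)?  gen_context(system_u:object_r:samba_ntp_signd_t,s0)
```

Before relabeling anything, `seinfo -t ntpd_t -x` (setools) shows the type's attributes: a type carrying the `domain` attribute but not `file_type` is a process type and will be refused by chcon exactly as in the error above.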