Time Synchronisation - SELinux Labeling and Policy

From SambaWiki
Jump to: navigation, search

Set policy for Windows client time sync:

# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd

Make the policy permanent

# semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"

Verify the change

# cat /etc/selinux/targeted/contexts/files/file_contexts.local

You should see a line like:

/usr/local/samba/var/lib/ntp_signd    system_u:object_r:ntpd_t:s0

The below policy file is based on 4.1.6 on RHEL 6.5 and should be for reference only. Always run the below egrep command, after you have a base policy file created. Then stop / start ntpd and Samba AD services on your system and add to the base policy until competed.

egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow

If all is fine, you'll see this for each "allow" line below in the policy file.

#!!! This avc is allowed in the current policy
allow ntpd_t self:capability sys_admin;
etc.

samba4.te policy:

module samba4 1.0;
  
require {
  type ntpd_t;
  type usr_t;
  type initrc_t;
  type fs_t;
  type setfiles_t;
  type lib_t;
  type unconfined_t;
  type locate_t;
  class dir write;
  class dir search;
  class dir open;
  class dir read;
  class dir getattr;
  class dir remove_name;
  class dir add_name;
  class dir relabelto;
  class unix_stream_socket connectto;
  class sock_file write;
  class sock_file create;
  class sock_file unlink;
  class filesystem associate;
  class capability sys_admin;
}
 
#============= initrc_t ==============
allow initrc_t ntpd_t:dir { write remove_name add_name };
allow initrc_t ntpd_t:sock_file create;
allow initrc_t ntpd_t:sock_file unlink;

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;
allow ntpd_t fs_t:filesystem associate;
allow ntpd_t lib_t:sock_file write;
allow ntpd_t unconfined_t:unix_stream_socket connectto;
allow ntpd_t self:sock_file write;
allow ntpd_t self:capability sys_admin;

#============= locate_t ==============
allow locate_t ntpd_t:dir { read getattr open search };

#============= setfiles_t ==============
allow setfiles_t ntpd_t:dir relabelto;  

Check and load policy:

$ checkmodule -M -m -o samba4.mod samba4.te 
$ semodule_package -o samba4.pp -m samba4.mod
$ semodule -i samba4.pp