Time Synchronisation - SELinux Labeling and Policy

From SambaWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Set policy for Windows client time sync: 

# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd

Make the policy permanent 

# semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"

Verify the change 

# cat /etc/selinux/targeted/contexts/files/file_contexts.local

You should see a line like: 

/usr/local/samba/var/lib/ntp_signd    system_u:object_r:ntpd_t:s0

The below policy file is based on 4.1.6 on RHEL 6.5 and should be for reference only. Always run the below egrep command, after you have a base policy file created. Then stop / start ntpd and Samba AD services on your system and add to the base policy until competed. 

egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow

If all is fine, you'll see this for each "allow" line below in the policy file. 

#!!! This avc is allowed in the current policy
allow ntpd_t self:capability sys_admin;
etc.

samba4.te policy: 

module samba4 1.0;
  
require {
  type ntpd_t;
  type usr_t;
  type initrc_t;
  type fs_t;
  type setfiles_t;
  type lib_t;
  type unconfined_t;
  type locate_t;
  class dir write;
  class dir search;
  class dir open;
  class dir read;
  class dir getattr;
  class dir remove_name;
  class dir add_name;
  class dir relabelto;
  class unix_stream_socket connectto;
  class sock_file write;
  class sock_file create;
  class sock_file unlink;
  class filesystem associate;
  class capability sys_admin;
}
 
#============= initrc_t ==============
allow initrc_t ntpd_t:dir { write remove_name add_name };
allow initrc_t ntpd_t:sock_file create;
allow initrc_t ntpd_t:sock_file unlink;

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;
allow ntpd_t fs_t:filesystem associate;
allow ntpd_t lib_t:sock_file write;
allow ntpd_t unconfined_t:unix_stream_socket connectto;
allow ntpd_t self:sock_file write;
allow ntpd_t self:capability sys_admin;

#============= locate_t ==============
allow locate_t ntpd_t:dir { read getattr open search };

#============= setfiles_t ==============
allow setfiles_t ntpd_t:dir relabelto;

Check and load policy: 

$ checkmodule -M -m -o samba4.mod samba4.te 
$ semodule_package -o samba4.pp -m samba4.mod
$ semodule -i samba4.pp
Retrieved from "https://wiki.samba.org/index.php?title=Time_Synchronisation_-_SELinux_Labeling_and_Policy&oldid=11889"