LinuxQuestions.org


n00b_noob 05-02-2021 07:28 AM

SELinux and NTP problem.
 
Hello,
I use the latest version of Fedora Server and I want to configure SELinux for the NTP service.
According to the https://wiki.samba.org/index.php/Tim...ing_and_Policy tutorial, I tried to configure SELinux, but I got the error below:
Code:

# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied

And my SELinux status is:
Code:

# sestatus
SELinux status:                enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:        /etc/selinux
Loaded policy name:            targeted
Current mode:                  enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:    allowed
Memory protection checking:    actual (secure)
Max kernel policy version:      33

To solve this problem, SELinux suggested:
https://paste.ubuntu.com/p/JnxMtTsqg5/
And I did:
Code:

# ausearch -c 'chcon' --raw | audit2allow -M my-chcon
# semodule -X 300 -i my-chcon.pp

But the problem was not solved.
How can I solve it?

Thank you.

computersavvy 05-02-2021 01:02 PM

The command "seinfo -afile_type -x" for me gives the following file types for ntpd.
Code:

# seinfo -afile_type -x | grep ntp
        ntp_conf_t
        ntp_drift_t
        ntpd_exec_t
        ntpd_initrc_exec_t
        ntpd_key_t
        ntpd_log_t
        ntpd_tmp_t
        ntpd_tmpfs_t
        ntpd_unit_file_t
        ntpd_var_run_t
        ntpdate_exec_t

Did you try what was suggested in what you pasted there?
Try using a valid file type.

n00b_noob 05-14-2021 09:52 AM

Thank you.
I got the error below:
Code:

# seinfo -afile_type -x | grep ntp
-bash: seinfo: command not found

And:
Code:

# dnf install seinfo
Last metadata expiration check: 2:19:59 ago on Fri 14 May 2021 04:58:15 PM +0430.
No match for argument: seinfo
Error: Unable to find a match: seinfo


dc.901 05-14-2021 06:12 PM

Quote:

Originally Posted by n00b_noob (Post 6250748)
Thank you.
I got the error below:
Code:

# seinfo -afile_type -x | grep ntp
-bash: seinfo: command not found

And:
Code:

# dnf install seinfo
Last metadata expiration check: 2:19:59 ago on Fri 14 May 2021 04:58:15 PM +0430.
No match for argument: seinfo
Error: Unable to find a match: seinfo


Check output of following command to get your answer:

Code:

sudo yum whatprovides seinfo

berndbausch 05-14-2021 07:01 PM

From https://docs.fedoraproject.org/en-US...icy_Suite.html, I gather that seinfo doesn't exist anymore as a command (although it's not stated very clearly), but only as a python module.

shruggy 05-15-2021 04:10 AM

@berndbausch. No, it still does. See https://github.com/SELinuxProject/setools/wiki.

berndbausch 05-15-2021 09:30 PM

Well, by "exists" I meant "available in Fedora repos". Of course, there is plenty of software that you can install on your operating system without endorsement from the distro. Installing SEtools on Fedora seems to require a fair bit of hoop-jumping.

shruggy 05-16-2021 05:48 AM

The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.

n00b_noob 05-16-2021 07:46 AM

Quote:

Originally Posted by shruggy (Post 6251203)
The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.

Thank you.

n00b_noob 05-16-2021 07:46 AM

Quote:

Originally Posted by computersavvy (Post 6247283)
the command "seinfo -afile_type -x" for me gives the following file types for ntpd.
Code:

# seinfo -afile_type -x | grep ntp
        ntp_conf_t
        ntp_drift_t
        ntpd_exec_t
        ntpd_initrc_exec_t
        ntpd_key_t
        ntpd_log_t
        ntpd_tmp_t
        ntpd_tmpfs_t
        ntpd_unit_file_t
        ntpd_var_run_t
        ntpdate_exec_t

Did you try what was suggested in what you pasted there?
Try using a valid file type.

I did:
Code:

# seinfo -afile_type -x | grep ntp
        ntp_conf_t
        ntp_drift_t
        ntpd_exec_t
        ntpd_initrc_exec_t
        ntpd_key_t
        ntpd_log_t
        ntpd_tmp_t
        ntpd_tmpfs_t
        ntpd_unit_file_t
        ntpd_var_run_t
        ntpdate_exec_t

Which one is valid?

berndbausch 05-16-2021 10:45 AM

Quote:

Originally Posted by shruggy (Post 6251203)
The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.

Thanks for the correction.

Quote:

Originally Posted by n00b_noob (Post 6251222)
I did:
Code:

# seinfo -afile_type -x | grep ntp
        ...

Which one is valid?

They are documented in the ntp selinux manual page.
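
An added example, not written by any poster in this thread: a shell check that a type appears in a file-type listing before it is passed to `chcon -t`. It matches whole lines, because a substring grep for `ntpd_t` also hits `ntpd_tmp_t`; the listing is a constructed sample copied from the seinfo output quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Constructed sample: the file types quoted in this thread from
# `seinfo -afile_type -x | grep ntp`, with their leading whitespace.
sample_listing() {
    cat <<'EOF'
        ntp_conf_t
        ntp_drift_t
        ntpd_exec_t
        ntpd_initrc_exec_t
        ntpd_key_t
        ntpd_log_t
        ntpd_tmp_t
        ntpd_tmpfs_t
        ntpd_unit_file_t
        ntpd_var_run_t
        ntpdate_exec_t
EOF
}

# is_file_type TYPE: read a type listing on stdin and succeed only if
# TYPE is a whole line of it once surrounding whitespace is removed.
is_file_type() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$1"
}

# verdict TYPE: print how TYPE fares under the exact check and under a
# plain substring grep, to show where the two disagree.
verdict() {
    exact=no; substring=no
    if sample_listing | is_file_type "$1"; then exact=yes; fi
    if sample_listing | grep -q -- "$1"; then substring=yes; fi
    echo "$1 exact=$exact substring=$substring"
}

verdict ntpd_t          # the type from the failing chcon
verdict ntpd_var_run_t  # one of the listed file types

# On a system with setools-console installed, the same check against the
# loaded policy would be:  seinfo -afile_type -x | is_file_type ntpd_t
```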

