LinuxQuestions.org
Old 05-02-2021, 07:28 AM   #1
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Rep: Reputation: Disabled
SELinux and NTP problem.


Hello,
I use the latest version of Fedora Server and I want to configure SELinux for the NTP service.
According to the https://wiki.samba.org/index.php/Tim...ing_and_Policy tutorial, I tried to configure SELinux, but I got the error below:
Code:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
chcon: failed to change context of '/usr/local/samba/var/lib/ntp_signd' to ‘system_u:object_r:ntpd_t:s0’: Permission denied
And my SELinux status is:
Code:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
To solve this problem, SELinux suggested:
https://paste.ubuntu.com/p/JnxMtTsqg5/
And I did:
Code:
# ausearch -c 'chcon' --raw | audit2allow -M my-chcon
# semodule -X 300 -i my-chcon.pp
But the problem was not solved.
How can I solve it?

Thank you.
 
Old 05-02-2021, 01:02 PM   #2
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

Rep: Reputation: 1484
The command "seinfo -afile_type -x" for me gives the following file types for ntpd.
Code:
# seinfo -afile_type -x | grep ntp
	ntp_conf_t
	ntp_drift_t
	ntpd_exec_t
	ntpd_initrc_exec_t
	ntpd_key_t
	ntpd_log_t
	ntpd_tmp_t
	ntpd_tmpfs_t
	ntpd_unit_file_t
	ntpd_var_run_t
	ntpdate_exec_t
Did you try what was suggested in what you pasted there?
Try using a valid file type.
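
The check this post points to, as an added example that is not part of the original thread: before relabeling, confirm that the type in the target context appears in the policy's `file_type` list. The function names are hypothetical and the embedded list is a constructed sample copied from the `seinfo` output above; on a live system, pipe `seinfo -afile_type -x` into `is_file_type` instead.

```shell
# Added example (not from the thread): pre-flight check for a relabel target.
# Constructed sample: the file types listed in post #2. On a live system use
#   seinfo -afile_type -x     (seinfo ships in package setools-console)
sample_file_types() {
cat <<'EOF'
    ntp_conf_t
    ntp_drift_t
    ntpd_exec_t
    ntpd_initrc_exec_t
    ntpd_key_t
    ntpd_log_t
    ntpd_tmp_t
    ntpd_tmpfs_t
    ntpd_unit_file_t
    ntpd_var_run_t
    ntpdate_exec_t
EOF
}

# Print the type field of user:role:type[:level]; the level may contain colons.
context_type() {
    case $1 in *:*:*) ;; *) return 1 ;; esac
    _rest=${1#*:}          # drop user
    _rest=${_rest#*:}      # drop role
    _type=${_rest%%:*}     # drop level/range, if any
    [ -n "$_type" ] || return 1
    printf '%s\n' "$_type"
}

# Read a type list on stdin; succeed only if the context's type is on it.
# Returns 0 = listed, 1 = not listed, 2 = context could not be parsed.
is_file_type() {
    _want=$(context_type "$1") || return 2
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$_want"
}

# Hypothetical wrapper: report the verdict for one context string.
check_label() {
    _rc=0
    sample_file_types | is_file_type "$1" || _rc=$?
    case $_rc in
        0) echo "file-type" ;;
        2) echo "malformed-context" ;;
        *) echo "not-a-file-type" ;;
    esac
}

check_label 'system_u:object_r:ntpd_t:s0'          # the label from post #1
check_label 'system_u:object_r:ntpd_var_run_t:s0'  # a type from the list
```

The exact-line match (`grep -Fx`) matters here: a substring match would accept `ntpd_t` because it is a prefix of `ntpd_tmp_t`.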
 
Old 05-14-2021, 09:52 AM   #3
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Original Poster
Rep: Reputation: Disabled
Thank you.
I got the error below:
Code:
# seinfo -afile_type -x | grep ntp
-bash: seinfo: command not found
And:
Code:
# dnf install seinfo
Last metadata expiration check: 2:19:59 ago on Fri 14 May 2021 04:58:15 PM +0430.
No match for argument: seinfo
Error: Unable to find a match: seinfo
 
Old 05-14-2021, 06:12 PM   #4
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Rep: Reputation: 370
Quote:
Originally Posted by n00b_noob
Thank you.
I got the error below:
Code:
# seinfo -afile_type -x | grep ntp
-bash: seinfo: command not found
And:
Code:
# dnf install seinfo
Last metadata expiration check: 2:19:59 ago on Fri 14 May 2021 04:58:15 PM +0430.
No match for argument: seinfo
Error: Unable to find a match: seinfo
Check output of following command to get your answer:

Code:
sudo yum whatprovides seinfo
 
Old 05-14-2021, 07:01 PM   #5
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
From https://docs.fedoraproject.org/en-US...icy_Suite.html, I gather that seinfo doesn't exist anymore as a command (although it's not stated very clearly), but only as a python module.
 
Old 05-15-2021, 04:10 AM   #6
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,677

Rep: Reputation: Disabled
@berndbausch. No, it still does. See https://github.com/SELinuxProject/setools/wiki.
 
Old 05-15-2021, 09:30 PM   #7
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Well, by "exists" I meant "available in Fedora repos". Of course, there is plenty of software that you can install on your operating system without endorsement from the distro. Installing SEtools on Fedora seems to be requiring a fair bit of hoop-jumping.
 
Old 05-16-2021, 05:48 AM   #8
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,677

Rep: Reputation: Disabled
The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.
 
2 members found this post helpful.
Old 05-16-2021, 07:46 AM   #9
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by shruggy
The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.
Thank you.
 
Old 05-16-2021, 07:46 AM   #10
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by computersavvy
The command "seinfo -afile_type -x" for me gives the following file types for ntpd.
Code:
# seinfo -afile_type -x | grep ntp
	ntp_conf_t
	ntp_drift_t
	ntpd_exec_t
	ntpd_initrc_exec_t
	ntpd_key_t
	ntpd_log_t
	ntpd_tmp_t
	ntpd_tmpfs_t
	ntpd_unit_file_t
	ntpd_var_run_t
	ntpdate_exec_t
Did you try what was suggested in what you pasted there?
Try using a valid file type.
I did:
Code:
# seinfo -afile_type -x | grep ntp
	ntp_conf_t
	ntp_drift_t
	ntpd_exec_t
	ntpd_initrc_exec_t
	ntpd_key_t
	ntpd_log_t
	ntpd_tmp_t
	ntpd_tmpfs_t
	ntpd_unit_file_t
	ntpd_var_run_t
	ntpdate_exec_t
Which one is valid?
 
Old 05-16-2021, 10:45 AM   #11
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by shruggy
The thing is setools are part of Fedora. Particularly, seinfo is provided by package setools-console.
Thanks for the correction.

Quote:
Originally Posted by n00b_noob
I did:
Code:
# seinfo -afile_type -x | grep ntp
	...
Which one is valid?
They are documented in the ntp selinux manual page.

Last edited by berndbausch; 05-16-2021 at 10:46 AM.
 
  

