Samba 4 AD - selinux ntpd AVC denial sock_file on w32tm /resync

asked 2016-07-31 00:19:03 -0500

Hello - I'm new to this. The Samba documentation / Google results are not great / are flawed. I tried modifying samba4.te etc. with no success. See QUESTION: WHY? below.

    [ajm@ajmfdr23-01 ~]$ cat /etc/*-release
    Fedora release 23 (Twenty Three)
    NAME=Fedora
    VERSION="23 (Server Edition)"
    ...

    [ajm@ajmfdr23-01 ~]$ /usr/local/samba/sbin/samba --version
    Version 4.3.4

    [ajm@ajmfdr23-01 ~]$ ntpd --version
    ntpd 4.2.6p5

If I setenforce 0 all is fine:

    C:\WINDOWS\system32>w32tm /resync
    Sending resync command to local computer
    The command completed successfully.

If I setenforce 1 I get the windows client w32tm /resync error:

    C:\WINDOWS\system32>w32tm /resync
    Sending resync command to local computer
    The computer did not resync because no time data was available.

Some info:

    [ajm@ajmfdr23-01 ~]$ sudo ls -lZR /usr/local/samba/var/lib/
    [sudo] password for ajm:
    /usr/local/samba/var/lib/:
    total 0
    drwxr-x---. 2 root ntp system_u:object_r:ntpd_exec_t:s0 20 Jul 30 16:51 ntp_signd

    /usr/local/samba/var/lib/ntp_signd:
    total 0
    srwxrwxrwx. 1 root root system_u:object_r:ntpd_exec_t:s0 0 Jul 30 16:51 socket

    [ajm@ajmfdr23-01 ~]$ sudo ps -efZ | grep -i ntp
    system_u:system_r:ntpd_t:s0 ntp 892 1 0 16:51 ? 00:00:00 /usr/sbin/ntpd -u ntp:ntp -g

    [ajm@ajmfdr23-01 ~]$ sudo semanage fcontext -l | grep -i ntp
    ...
    /usr/local/samba/var/lib/ntp_signd           all files   system_u:object_r:ntpd_exec_t:s0
    /usr/local/samba/var/lib/ntp_signd/socket    all files   system_u:object_r:ntpd_exec_t:s0
    ...

    [ajm@ajmfdr23-01 ~]$ sudo setenforce 0
    [ajm@ajmfdr23-01 ~]$ sudo tail -f /var/log/audit/audit.log | grep -I ntp
    type=AVC msg=audit(1469939445.969:993): avc: denied { write } for pid=892 comm="ntpd" name="socket" dev="dm-0" ino=67530432 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=sock_file permissive=1

QUESTION: WHY?


    [ajm@ajmfdr23-01 ~]$ cat /etc/ntp.conf
    driftfile /var/lib/ntp/drift
    restrict default kod mssntp nomodify nopeer notrap
    restrict 127.0.0.1
    restrict ::1
    server us.pool.ntp.org iburst prefer
    includefile /etc/ntp/crypto/pw
    keys /etc/ntp/keys
    ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
    fudge 127.127.1.0 stratum 10
    server 127.127.1.0

    restrict us.pool.ntp.org mask 255.255.255.255 nomodify nopeer noquery notrap

    [ajm@ajmfdr23-01 ~]$ cat /etc/samba/smb.conf
    [global]
        workgroup = AJM
        realm = AJM.NET
        netbios name = AJMFDR23-01
        server role = active directory domain controller
        # dns forwarder = 192.168.0.1
        dns forwarder = 75.75.75.75
        allow dns updates = signed
        idmap_ldb:use rfc2307 = yes

        max protocol = SMB2

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/ajm.net/scripts
        read only = No
    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
    ...

Thanks for any help on QUESTION: WHY? above!!

Adam.

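As an added example (not from the original post, nor from Samba or the Fedora policy), here is a small POSIX shell script that parses audit.log AVC lines into the `allow` rule skeleton that `audit2allow` would propose, and flags the labeling problem visible in the question: the socket and its directory carry `ntpd_exec_t`, which is the type of the ntpd executable, put there by the custom `semanage fcontext` rules. The sample input is constructed: the first line is the denial quoted in the question, the second is a hypothetical companion denial on the `ntp_signd` directory (which the `ls -Z` output shows carrying the same label).

```shell
#!/bin/sh
# Added example (not from the original post): parse AVC denials like the one
# quoted above into the allow-rule skeleton audit2allow would generate, and
# flag the labeling smell behind this particular denial.

# Constructed sample input. The first line is the denial from the question;
# the second is a made-up companion denial on the ntp_signd directory.
AVC_SAMPLE='type=AVC msg=audit(1469939445.969:993): avc:  denied  { write } for  pid=892 comm="ntpd" name="socket" dev="dm-0" ino=67530432 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1469939445.969:994): avc:  denied  { search } for  pid=892 comm="ntpd" name="ntp_signd" dev="dm-0" ino=67530431 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=dir permissive=1'

# Field extractor. $1 = scontext|tcontext|tclass|perms, $2 = one AVC line.
# A context is user:role:type:level, so the type is the third colon field.
avc_field() {
  case "$1" in
    scontext) printf '%s\n' "$2" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' ;;
    tcontext) printf '%s\n' "$2" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' ;;
    tclass)   printf '%s\n' "$2" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p' ;;
    perms)    printf '%s\n' "$2" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p' ;;
  esac
}

# Turn one AVC line into the rule audit2allow would propose for it.
avc_to_rule() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(avc_field scontext "$1")" "$(avc_field tcontext "$1")" \
    "$(avc_field tclass "$1")"   "$(avc_field perms "$1")"
}

# Read audit.log-style lines on stdin and emit the deduplicated rule set.
avc_rules() {
  grep 'avc:.*denied' | while IFS= read -r line; do
    avc_to_rule "$line"
  done | sort -u
}

# Exit 0 (true) when the denial's target is an *_exec_t type on something
# other than a plain file. Exec types label program binaries; a sock_file or
# dir carrying one was mislabeled (here by the custom semanage fcontext rule),
# so the right fix is to relabel the object, not to allow the access.
target_is_exec_type() {
  case "$(avc_field tcontext "$1"):$(avc_field tclass "$1")" in
    *_exec_t:file) return 1 ;;
    *_exec_t:*)    return 0 ;;
    *)             return 1 ;;
  esac
}

# Stand-alone run: print the proposed rules, then warn about mislabeled targets.
printf '%s\n' "$AVC_SAMPLE" | avc_rules
printf '%s\n' "$AVC_SAMPLE" | grep 'avc:.*denied' | while IFS= read -r line; do
  if target_is_exec_type "$line"; then
    printf 'WARNING: %s is labeled %s (an exec type) - relabel it instead of allowing the access\n' \
      "$(avc_field tclass "$line")" "$(avc_field tcontext "$line")"
  fi
done
```

Feeding the real denial to `audit2allow` would produce the same `allow ntpd_t ntpd_exec_t:sock_file { write };` line, but loading that module lets ntpd write to anything labeled as its own executable, which is not what the socket needs. The warning is the more useful output: remove the custom fcontext entries (`semanage fcontext -d`), check what label the policy assigns the path with `matchpathcon`, and relabel with `restorecon -Rv`; only if that default label is also unusable for ntpd does a local policy module make sense.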