Re: [chrony-users] question about chrony-DNS



chronyd could access UDP port 123 of the remote server; this was verified by using the IP address of an NTP server.
But chronyd cannot get the IP address of an NTP server from its DNS name by using the DNS service, which might be blocked by the system and/or an incorrect setting of the local DNS service.

If your "the status of selinux is disable" meant setting SELinux to allow the app to access any port, then you might not have done it correctly, since chronyd still cannot access UDP port 53, the DNS service, but nslookup could ...


On Thu, Mar 30, 2023 at 8:07 PM chengyechun <chengyechun1@xxxxxxxxxx> wrote:

Thank you for replying. Is it a question that I express or a question that I understand? As mentioned earlier, the status of selinux is disable, which means selinux is disabled. Even so, can it still work?

From: chuang213 [mailto:chuang213@xxxxxxxxx]
Sent: 2023-03-31 10:05
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] question about chrony-DNS

Yes, this means SELinux does not block chronyd from accessing the network, but it does block chronyd from using the resolver (DNS service) to find the server's IP addresses.

On Thu, Mar 30, 2023 at 5:44 PM chengyechun <chengyechun1@xxxxxxxxxx> wrote:

Thank you for replying. After the IP address is replaced, the service is normal. Does this mean that the selinux does not restrict the chronyd process to access the server?

From: chuang213 [mailto:chuang213@xxxxxxxxx]
Sent: 2023-03-31 1:49
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] question about chrony-DNS

You could check if it is due to SELinux's access restrictions by replacing the server name with its IP address, then restart chronyd to see if the issue is gone.

Frank

On Wed, Mar 29, 2023 at 6:07 PM chengyechun <chengyechun1@xxxxxxxxxx> wrote:

Thanks. Yes. The SELinux status is disabled.

From: chuang213 [mailto:chuang213@xxxxxxxxx]
Sent: 2023-03-30 1:24
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] question about chrony-DNS

The link you mentioned had a resolution for this issue; did you ever try it?

Quoted from the link:

"SELinux blocks resolver access from chronyd, simply disabling it allows you to test if this is the cause or add an exception."

On Wed, Mar 29, 2023 at 2:04 AM chengyechun <chengyechun1@xxxxxxxxxx> wrote:

Hi all:

I'm using chrony-3.2 on Linux, and there's a problem similar to the problem in this link, but when I shut down selinux and manually start the chronyd service using the /usr/bin/chronyd command, it still doesn't synchronize properly. Did I miss something?

https://unix.stackexchange.com/questions/550423/chrony-sources-are-with-unknown-address


