Fix the ntp module by adding a new file context for the default
location of the drift file (frequency of the local clock oscillator)
and by adding the appropriate file transition interface call.

Otherwise, the drift file cannot be created and the following error
message is generated:

frequency file /etc/ntp.drift.TEMP: Permission denied

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 1 +
2 files changed, 2 insertions(+)
--- a/policy/modules/contrib/ntp.fc 2017-05-23 21:34:17.435592081 +0200
+++ b/policy/modules/contrib/ntp.fc 2017-05-25 20:49:09.320348817 +0200
@@ -3,6 +3,7 @@
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
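Review bot: the new entry `/etc/ntp\.drift` is anchored to the exact name, so the temporary file the commit message quotes, `/etc/ntp.drift.TEMP`, is not matched by it; a relabel (restorecon/setfiles) run while that file exists would label it from the generic /etc entry instead, and only the runtime type_transition in ntp.te gives it ntp_drift_t. If that window matters, `/etc/ntp\.drift.* -- gen_context(system_u:object_r:ntp_drift_t,s0)` covers both names with one line.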
--- a/policy/modules/contrib/ntp.te 2017-05-23 21:34:17.435592081 +0200
+++ b/policy/modules/contrib/ntp.te 2017-05-25 21:13:04.625964958 +0200
@@ -65,6 +65,7 @@ allow ntpd_t ntp_conf_t:file read_file_p
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_etc_filetrans(ntpd_t, ntp_drift_t, file)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
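Review bot: `files_etc_filetrans(ntpd_t, ntp_drift_t, file)` is an unnamed transition, so every regular file ntpd_t creates directly under /etc becomes ntp_drift_t, not only the drift file. The interface takes an optional filename as its fourth argument; since the commit message shows the file being created as ntp.drift.TEMP, two named transitions (`"ntp.drift"` and `"ntp.drift.TEMP"`) would keep the rule as narrow as the new fc entry. Mirroring the existing unnamed `files_var_filetrans` line above is a defensible style choice either way, but it is worth stating in the commit message.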
On 05/25/2017 03:27 PM, Guido Trentalancia via refpolicy wrote:
> Fix the ntp module by adding a new file context for the default
> location of the drift file (frequency of the local clock oscillator)
> and by adding the appropriate file transition interface call.
>
> Otherwise, the drift file cannot be created and the following error
> message is generated:
>
> frequency file /etc/ntp.drift.TEMP: Permission denied
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/ntp.fc | 1 +
> policy/modules/contrib/ntp.te | 1 +
> 2 files changed, 2 insertions(+)
>
> --- a/policy/modules/contrib/ntp.fc 2017-05-23 21:34:17.435592081 +0200
> +++ b/policy/modules/contrib/ntp.fc 2017-05-25 20:49:09.320348817 +0200
> @@ -3,6 +3,7 @@
> /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
>
> /etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
> +/etc/ntp\.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
> /etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
> /etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
> /etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> --- a/policy/modules/contrib/ntp.te 2017-05-23 21:34:17.435592081 +0200
> +++ b/policy/modules/contrib/ntp.te 2017-05-25 21:13:04.625964958 +0200
> @@ -65,6 +65,7 @@ allow ntpd_t ntp_conf_t:file read_file_p
>
> manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> +files_etc_filetrans(ntpd_t, ntp_drift_t, file)
> files_var_filetrans(ntpd_t, ntp_drift_t, file)
>
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
Merged.
--
Chris PeBenito
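To see what the new ntp.fc line does and does not cover, here is an added example (not refpolicy code and not part of this thread) that parses the fc entries from the patch and resolves a path to a label the way setfiles does: the last matching entry wins, and a `--` flag restricts an entry to regular files. The generic `/etc(/.*)?` entry and the `FTYPE_FLAGS` table are assumptions added here so that paths the ntp entries do not match fall back to etc_t. It shows that `/etc/ntp.drift` and anything under `/etc/ntp/data` resolve to ntp_drift_t, while `/etc/ntp.drift.TEMP` falls back to etc_t on relabel; at runtime it is the type_transition in ntp.te, not this table, that labels the freshly created temporary file.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the ntp.fc entries from the patch plus a generic /etc
# entry (assumed here; in refpolicy it lives in files.fc) as a fallback.
FC_SAMPLE = r"""
/etc(/.*)?                      gen_context(system_u:object_r:etc_t,s0)
/etc/ntp\.conf          --      gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp\.drift         --      gen_context(system_u:object_r:ntp_drift_t,s0)
/etc/ntpd.*\.conf.*     --      gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp/crypto(/.*)?           gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/data(/.*)?             gen_context(system_u:object_r:ntp_drift_t,s0)
"""

# Object-class flags used in .fc files (assumed table; "--" = regular file).
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
               "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<flag>-[-bcdlps])\s+)?"
                     r"gen_context\((?P<ctx>[^)]+)\)\s*$")


class FcSpec(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # None means the entry applies to any object class
    context: str           # user:role:type:mls


def parse_fc(text: str) -> List[FcSpec]:
    """Parse fc lines into (anchored regex, object class, context) triples."""
    specs: List[FcSpec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable fc line: {line!r}")
        flag = m.group("flag")
        # gen_context(system_u:object_r:etc_t,s0) -> system_u:object_r:etc_t:s0
        user_role_type, mls = m.group("ctx").rsplit(",", 1)
        specs.append(FcSpec(re.compile(m.group("path")),
                            FTYPE_FLAGS[flag] if flag else None,
                            f"{user_role_type}:{mls}"))
    return specs


def lookup(specs: List[FcSpec], path: str, ftype: str) -> Optional[str]:
    """Last matching entry wins (as setfiles/libselinux resolve file_contexts);
    entries carrying an object-class flag only apply to that class.
    Patterns are matched against the whole path, i.e. implicitly ^...$."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


SPECS = parse_fc(FC_SAMPLE)


def label_of(path: str, ftype: str = "file") -> str:
    """Return just the type component of the resolved context."""
    ctx = lookup(SPECS, path, ftype)
    return ctx.split(":")[2] if ctx else "<<none>>"


if __name__ == "__main__":
    for p in ["/etc/ntp.drift", "/etc/ntp.drift.TEMP",
              "/etc/ntp/data/ntp.drift", "/etc/ntpd.conf"]:
        print(f"{p:28} -> {label_of(p)}")
    # The "--" flag keeps /etc/ntp.conf as a directory from becoming ntp_conf_t.
    print(f"{'/etc/ntp.conf (dir)':28} -> {label_of('/etc/ntp.conf', 'dir')}")
```

Running it prints ntp_drift_t for `/etc/ntp.drift` and `/etc/ntp/data/ntp.drift`, ntp_conf_t for `/etc/ntpd.conf`, and etc_t for `/etc/ntp.drift.TEMP` and for a directory named `/etc/ntp.conf`. Widening the entry to `/etc/ntp\.drift.*` in `FC_SAMPLE` is a one-line change if you want to see the temporary name resolve to ntp_drift_t as well.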