From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 25 May 2017 21:27:17 +0200 Subject: [refpolicy] [PATCH] ntp: fix the drift file context and transition Message-ID: <1495740437.4595.0.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Fix the ntp module by adding a new file context for the default location of the drift file (frequency of the local clock oscillator) and by adding the appropriate file transition interface call. Otherwise, the drift file cannot be created and the following error message is generated: frequency file /etc/ntp.drift.TEMP: Permission denied Signed-off-by: Guido Trentalancia --- policy/modules/contrib/ntp.fc | 1 + policy/modules/contrib/ntp.te | 1 + 2 files changed, 2 insertions(+) --- a/policy/modules/contrib/ntp.fc 2017-05-23 21:34:17.435592081 +0200 +++ b/policy/modules/contrib/ntp.fc 2017-05-25 20:49:09.320348817 +0200 @@ -3,6 +3,7 @@ /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) /etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0) +/etc/ntp\.drift -- gen_context(system_u:object_r:ntp_drift_t,s0) /etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) /etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) /etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) --- a/policy/modules/contrib/ntp.te 2017-05-23 21:34:17.435592081 +0200 +++ b/policy/modules/contrib/ntp.te 2017-05-25 21:13:04.625964958 +0200 @@ -65,6 +65,7 @@ allow ntpd_t ntp_conf_t:file read_file_p manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) +files_etc_filetrans(ntpd_t, ntp_drift_t, file) files_var_filetrans(ntpd_t, ntp_drift_t, file) read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
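Review bot: In the ntp.fc hunk, the added entry `/etc/ntp\.drift --` matches only the final file name, while the error quoted in the commit message is for `/etc/ntp.drift.TEMP`. The transition added in ntp.te labels that temporary file when ntpd creates it, but no file context entry covers it, so a relabel would reset a leftover `.TEMP` file to the default /etc context. Consider widening the pattern (for example `/etc/ntp\.drift.*`) or adding a second entry for the temporary name.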
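Review bot: In the ntp.te hunk, `files_etc_filetrans(ntpd_t, ntp_drift_t, file)` is an unnamed transition, so every regular file ntpd_t creates in an etc_t directory is labeled ntp_drift_t, not only the drift file. If the intent is limited to the default drift location, pass the object name as the optional fourth argument, with one call for `ntp.drift` and one for `ntp.drift.TEMP`, since the error in the commit message is for the temporary name. A short comment above the line saying why ntpd needs to create files in /etc would also help, given that the neighbouring `files_var_filetrans` line handles the var_t case.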