From: dsugar@tresys.com (David Sugar)
Date: Tue, 19 Dec 2017 21:01:35 +0000
Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.

type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

---
 ntp.if | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/ntp.if b/ntp.if
index 00c7620..a6fe5b7 100644
--- a/ntp.if
+++ b/ntp.if
@@ -177,6 +177,27 @@ interface(`ntp_rw_shm',` fs_search_tmpfs($1) ') +######################################## +## +## Send and receive messages from +## ntp over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_chat',` + gen_require(` + type ntpd_t; + class dbus send_msg; + ') + + allow $1 ntpd_t:dbus send_msg; + allow ntpd_t $1:dbus send_msg; +') + ######################################## ## ## All of the rules required to @@ -225,11 +246,6 @@ interface(`ntp_admin',` ntp_run($1, $2) ifdef(`init_systemd',` - gen_require(` - class dbus send_msg; - ') - - allow $1 ntpd_t:dbus send_msg; - allow ntpd_t $1:dbus send_msg; + ntp_dbus_chat($1) ') ')
--
2.14.3
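Review bot: the doc block of the new ntp_dbus_chat interface in the first hunk shows no `<summary>` or `<param name="domain">` markup in the visible text (only `## Send and receive messages from`, `## ntp over dbus.` and `## Domain allowed access.` between bare `##` lines); refpolicy's interface documentation generator expects those XML tags, so confirm they are in the actual patch and were only lost when the list scrubbed the HTML attachment. The bidirectional send_msg pair itself follows the established *_dbus_chat pattern; it would help callers to state in the summary that a domain using it still needs dbus_system_bus_client() for the system bus itself, since the denial in the cover text is a system-bus method call and this interface only grants the peer-to-peer send_msg to and from ntpd_t.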
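Review bot: in the second hunk the ifdef(`init_systemd',` guard stays at the call site in ntp_admin while the new ntp_dbus_chat interface is unconditional, so every other caller will have to repeat the guard (presumably present because ntpd_t only acts as a dbus peer, for timedated, under systemd); consider moving the ifdef inside ntp_dbus_chat, or at least documenting the systemd dependency in its summary so callers know when the call is meaningful. Dropping the local gen_require of `class dbus send_msg` here is fine, as the interface now carries its own.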
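To make the cover-letter denial concrete, here is an added example (not part of the patch or of refpolicy) that parses dbus-daemon USER_AVC records into source type, target type and permissions, and checks whether the allow pair an *_dbus_chat interface grants covers them; the method_return record is constructed to show why the interface needs both directions.

```python
import re
from dataclasses import dataclass

# Record copied from the cover letter above (the denial this patch addresses).
DENIAL_CALL = (
    "type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied "
    "{ send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 "
    "member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 "
    "scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\"'"
)
# Constructed record (not from the page): the reply travelling the other way,
# which is why the interface grants send_msg in both directions.
DENIAL_REPLY = (
    "type=USER_AVC msg=audit(1513693376.401:156): pid=667 uid=81 msg='avc: denied "
    "{ send_msg } for msgtype=method_return spid=1038 tpid=1037 "
    "scontext=system_u:system_r:ntpd_t:s0 "
    "tcontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus'"
)

@dataclass(frozen=True)
class DbusDenial:
    src_type: str      # SELinux type of the sender (from scontext)
    tgt_type: str      # SELinux type of the receiver (from tcontext)
    perms: frozenset   # permissions denied, e.g. {"send_msg"}
    msgtype: str       # method_call, method_return, signal, ...

def _type_of(context: str) -> str:
    """Third field of user:role:type[:range]."""
    return context.split(":")[2]

def parse_user_avc(record: str):
    """Parse a dbus-daemon USER_AVC record; return None for anything else."""
    m = re.search(r"msg='(avc: denied .*)'", record)
    if not m:
        return None
    inner = m.group(1)
    fields = dict(re.findall(r"(\w+)=(\S+)", inner))
    if fields.get("tclass") != "dbus":
        return None
    perms = frozenset(re.search(r"\{ ([^}]*) \}", inner).group(1).split())
    return DbusDenial(_type_of(fields["scontext"]), _type_of(fields["tcontext"]),
                      perms, fields.get("msgtype", ""))

def chat_rules(a: str, b: str):
    """The allow tuples a refpolicy *_dbus_chat interface grants between a and b."""
    return {(a, b, "dbus", "send_msg"), (b, a, "dbus", "send_msg")}

def covered(denial: DbusDenial, rules) -> bool:
    """True if every denied permission is granted by rules."""
    return all((denial.src_type, denial.tgt_type, "dbus", p) in rules
               for p in denial.perms)
```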