From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 20 Dec 2017 16:40:37 +0100
Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
In-Reply-To: <CO1PR15MB1032020FD9585582948168DBB90F0@CO1PR15MB1032.namprd15.prod.outlook.com>
References: <CO1PR15MB1032020FD9585582948168DBB90F0@CO1PR15MB1032.namprd15.prod.outlook.com>
Message-ID: <20171220154037.GA25507@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy wrote:
> I'm seeing dbus send_msg denials when using timedatectl.  This adds interface to allow the communication.
> 
> type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Ideally systemd-timedated shouldnt be associated with the ntpd_t domain in the first place, but i guess that ship has sailed

> 
> ---
>  ntp.if | 28 ++++++++++++++++++++++------
>  1 file changed, 22 insertions(+), 6 deletions(-)
> 
> diff --git a/ntp.if b/ntp.if
> index 00c7620..a6fe5b7 100644
> --- a/ntp.if
> +++ b/ntp.if
> @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
>          fs_search_tmpfs($1)
>  ')
> 
> +########################################
> +## <summary>
> +##     Send and receive messages from
> +##     ntp over dbus.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> +       gen_require(`
> +               type ntpd_t;
> +               class dbus send_msg;
> +       ')
> +
> +       allow $1 ntpd_t:dbus send_msg;
> +       allow ntpd_t $1:dbus send_msg;
> +')
> +
>  ########################################
>  ## <summary>
>  ##      All of the rules required to
> @@ -225,11 +246,6 @@ interface(`ntp_admin',`
>          ntp_run($1, $2)
> 
>          ifdef(`init_systemd',`
> -               gen_require(`
> -                       class dbus send_msg;
> -               ')
> -
> -               allow $1 ntpd_t:dbus send_msg;
> -               allow ntpd_t $1:dbus send_msg;
> +               ntp_dbus_chat($1)
>          ')
>  ')
> --
> 2.14.3

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171220/ac8a751b/attachment.bin