From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 20 Dec 2017 16:40:37 +0100
Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
Message-ID: <20171220154037.GA25507@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy wrote:
> I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.
>
> type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Ideally systemd-timedated shouldn't be associated with the ntpd_t domain in the first place, but I guess that ship has sailed

> > --- > ntp.if | 28 ++++++++++++++++++++++------ > 1 file changed, 22 insertions(+), 6 deletions(-) > > diff --git a/ntp.if b/ntp.if > index 00c7620..a6fe5b7 100644 > --- a/ntp.if > +++ b/ntp.if > @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',` > fs_search_tmpfs($1) > ') > > +######################################## > +## > +## Send and receive messages from > +## ntp over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ntp_dbus_chat',` > + gen_require(` > + type ntpd_t; > + class dbus send_msg; > + ') > + > + allow $1 ntpd_t:dbus send_msg; > + allow ntpd_t $1:dbus send_msg; > +') > + > ######################################## > ## > ## All of the rules required to
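Review bot: the documentation block of the new ntp_dbus_chat interface, as it appears in this quoted hunk, has no <summary> or <param name="domain"> markup around "Send and receive messages from ntp over dbus." and "Domain allowed access."; refpolicy interface docs are XML and the policy documentation build expects those tags, so confirm the actual patch carries them (the list quoting may have stripped them). The rule body itself is fine: requiring both type ntpd_t and class dbus send_msg in gen_require, and granting send_msg in both directions, is the usual *_dbus_chat pattern.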
> @@ -225,11 +246,6 @@ interface(`ntp_admin',` > ntp_run($1, $2) > > ifdef(`init_systemd',` > - gen_require(` > - class dbus send_msg; > - ') > - > - allow $1 ntpd_t:dbus send_msg; > - allow ntpd_t $1:dbus send_msg; > + ntp_dbus_chat($1) > ') > ') > -- > 2.14.3

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
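Review bot: the ntp_dbus_chat($1) call correctly stays inside the init_systemd ifdef in ntp_admin, so the dbus permission remains tied to the systemd build where timedated is the dbus peer, and dropping the local gen_require for class dbus send_msg is right because the interface now carries its own. One gap relative to the denial quoted at the top of the mail: the source domain there is applyconfig_t, and nothing in this patch calls ntp_dbus_chat for that domain, so unless applyconfig_t already invokes ntp_admin, the local module defining it still needs to call the new interface for the denial to go away.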