From: dsugar@tresys.com (David Sugar)
Date: Wed, 20 Dec 2017 18:10:15 +0000
Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
In-Reply-To: <20171220154037.GA25507@julius.enp8s0.d30>
References: <20171220154037.GA25507@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Wednesday, December 20, 2017 10:41 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
>
> On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy
> wrote:
> > I'm seeing dbus send_msg denials when using timedatectl. This adds
> > an interface to allow the communication.
> >
> > type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> Ideally systemd-timedated shouldn't be associated with the ntpd_t domain
> in the first place, but I guess that ship has sailed
>

Yes, it appears that systemd-timedated is labeled ntpd_exec_t in ntp.fc.
It probably could be changed; I don't know how many ntp files
systemd-timedated is actually accessing, or how much a change like that
would break. It is my understanding that systemd-timedated does a subset
of the ntpd features. At some level it makes sense.

> >
> > ---
> >  ntp.if | 28 ++++++++++++++++++++++------
> >  1 file changed, 22 insertions(+), 6 deletions(-)
> >
> > diff --git a/ntp.if b/ntp.if
> > index 00c7620..a6fe5b7 100644
> > --- a/ntp.if
> > +++ b/ntp.if
> > @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
> >  	fs_search_tmpfs($1)
> >  ')
> >
> > +########################################
> > +##
> > +##	Send and receive messages from
> > +##	ntp over dbus.
> > +##
> > +##
> > +##
> > +##	Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`ntp_dbus_chat',`
> > +	gen_require(`
> > +		type ntpd_t;
> > +		class dbus send_msg;
> > +	')
> > +
> > +	allow $1 ntpd_t:dbus send_msg;
> > +	allow ntpd_t $1:dbus send_msg;
> > +')
> > +
> >  ########################################
> >  ##
> >  ##	All of the rules required to
> > @@ -225,11 +246,6 @@ interface(`ntp_admin',`
> >  	ntp_run($1, $2)
> >
> >  	ifdef(`init_systemd',`
> > -		gen_require(`
> > -			class dbus send_msg;
> > -		')
> > -
> > -		allow $1 ntpd_t:dbus send_msg;
> > -		allow ntpd_t $1:dbus send_msg;
> > +		ntp_dbus_chat($1)
> >  	')
> >  ')
> > --
> > 2.14.3
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
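Review bot: in the first hunk (the new ntp_dbus_chat interface) the summary describes this as messaging with "ntp over dbus", but the only dbus peer in ntpd_t visible in this thread is systemd-timedated (interface=org.freedesktop.timedate1 with tcontext ntpd_t in the quoted AVC), which, as noted above, is labeled ntpd_exec_t by ntp.fc; the summary should say so, because someone chasing a timedatectl denial would not otherwise look in ntp.if. Note also that the denial's source domain, applyconfig_t, is not touched by this patch, so that domain's policy still has to call ntp_dbus_chat() for the denial to go away. The rule body itself follows the usual two-way send_msg pattern, with both the type and the dbus class declared in gen_require, so it is safe to call from any module.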
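Review bot: in the second hunk (ntp_admin) the ifdef(`init_systemd') guard is kept around the ntp_dbus_chat($1) call while the interface itself is unconditional; that is consistent, since dbus chat with ntpd_t only matters when systemd-timedated runs in that domain, but the reason for the guard stops being readable once the inline rules are gone, so a one-line comment above the call naming systemd-timedated would preserve it. Behaviour is otherwise unchanged: the two removed allow rules are exactly what ntp_dbus_chat($1) expands to, and the dropped gen_require for class dbus send_msg is now carried by the interface.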