From: dsugar@tresys.com (David Sugar)
Date: Wed, 20 Dec 2017 18:28:41 +0000
Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
References: <20171220154037.GA25507@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: David Sugar
> Sent: Wednesday, December 20, 2017 1:10 PM
> To: refpolicy at oss.tresys.com
> Subject: RE: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
>
> > -----Original Message-----
> > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > Sent: Wednesday, December 20, 2017 10:41 AM
> > To: refpolicy at oss.tresys.com
> > Subject: Re: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
> >
> > On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy wrote:
> > > I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.
> > >
> > > type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> >
> > Ideally systemd-timedated shouldn't be associated with the ntpd_t domain in the first place, but I guess that ship has sailed
> >
>
> Yes, it appears that systemd-timedated is labeled ntpd_exec_t in ntp.fc. It probably could be changed, I don't know how many ntp files systemd-timedated is actually accessing. Or how much a change like that would break. It is my understanding that systemd-timedated does a subset of the ntpd features. At some level it makes sense.
>
And looking more closely I am seeing some denials when starting systemd-timedated (unrelated to the dbus stuff). Maybe it is worth exploring moving away from this domain for this process. Do we know the history of the change to label systemd-timedated as ntpd_exec_t and if moving it will cause major problems for someone?

> > >
> > > ---
> > >  ntp.if | 28 ++++++++++++++++++++++------
> > >  1 file changed, 22 insertions(+), 6 deletions(-)
> > > > > > diff --git a/ntp.if b/ntp.if > > > index 00c7620..a6fe5b7 100644 > > > --- a/ntp.if > > > +++ b/ntp.if > > > @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',` > > > fs_search_tmpfs($1) > > > ') > > > > > > +######################################## > > > +## > > > +## Send and receive messages from > > > +## ntp over dbus. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`ntp_dbus_chat',` > > > + gen_require(` > > > + type ntpd_t; > > > + class dbus send_msg; > > > + ') > > > + > > > + allow $1 ntpd_t:dbus send_msg; > > > + allow ntpd_t $1:dbus send_msg; > > > +') > > > + > > > ######################################## > > > ## > > > ## All of the rules required to > > > @@ -225,11 +246,6 @@ interface(`ntp_admin',` > > > ntp_run($1, $2) > > > > > > ifdef(`init_systemd',` > > > - gen_require(` > > > - class dbus send_msg; > > > - ') > > > - > > > - allow $1 ntpd_t:dbus send_msg; > > > - allow ntpd_t $1:dbus send_msg; > > > + ntp_dbus_chat($1) > > > ') > > > ') > > > -- > > > 2.14.3 > > > > > _______________________________________________ > > > refpolicy mailing list > > > refpolicy at oss.tresys.com > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > -- > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > > Dominick Grift
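Review bot: the documentation block of the new ntp_dbus_chat interface, as it arrives here, has bare "##" lines where refpolicy interface docs carry the <summary>/</summary> and <param name="domain"> markup; if those tags were stripped by the mailer disregard this, otherwise add them, because the interface reference is generated from that XML. The summary "Send and receive messages from ntp over dbus" would also be more useful if it said that the dbus peer living in ntpd_t is systemd-timedated (labeled ntpd_exec_t in ntp.fc, as the thread notes), i.e. the service behind the org.freedesktop.timedate1 name in the denial, so a reader knows which bus traffic this grants.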
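Review bot: in ntp_admin the call ntp_dbus_chat($1) stays inside the ifdef(`init_systemd') block while the interface it calls is unconditional; that is consistent, but the guard is now the only hint that these dbus rules exist for systemd-timedated rather than for ntpd itself, so a one-line comment above the ifdef saying as much would save the next reader a trip through ntp.fc. The gen_require for "class dbus send_msg" dropped from this hunk is supplied by the interface's own gen_require, so nothing is lost by the move.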
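The denial in the thread is a dbus USER_AVC record rather than a kernel AVC, and the patch answers it with a symmetric pair of send_msg rules. As an added example, not code from the thread or from refpolicy, the following script parses that record (reconstructed below, rejoined on one line) and derives the policy a caller's module needs; audit2allow does this job for real, so the point here is to show why both directions are required (a method_call is answered by a method_return travelling the other way) and when a *_dbus_chat interface should be preferred over raw allow rules. The DBUS_CHAT_INTERFACES table mapping ntpd_t to ntp_dbus_chat is this example's own assumption, not a refpolicy data structure.

```python
import re

# Constructed sample: the USER_AVC record quoted in the thread, rejoined on one line.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 "
    "spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'"
)

# Assumed mapping (this example's, not refpolicy's) from a target domain to the
# interface that grants two-way dbus chat with it; ntp_dbus_chat is the one the
# patch adds.
DBUS_CHAT_INTERFACES = {"ntpd_t": "ntp_dbus_chat"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value may be quoted
_PERMS = re.compile(r"\{ ([^}]*) \}")        # the "{ perm perm }" list after "denied"


def parse_user_avc(line):
    """Parse the avc: part of a USER_AVC record into a dict plus the denied perms."""
    if "type=USER_AVC" not in line:
        raise ValueError("not a USER_AVC record")
    start = line.index("msg='avc:")
    inner = line[start + len("msg='"):].rstrip("'")
    fields = {k: v.strip('"') for k, v in _KV.findall(inner)}
    m = _PERMS.search(inner)
    fields["perms"] = sorted(m.group(1).split()) if m else []
    return fields


def domain_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def dbus_chat_rules(source, target):
    """Raw rules for a dbus conversation.

    A method_call from source is answered by a method_return from target, and
    dbus-daemon checks send_msg on both, so the pair is always needed; that is
    why refpolicy's *_dbus_chat interfaces grant both directions.
    """
    return [
        f"allow {source} {target}:dbus send_msg;",
        f"allow {target} {source}:dbus send_msg;",
    ]


def policy_for_denial(line):
    """Turn one dbus send_msg denial into what the source domain's module should add.

    Returns None for records that are not dbus send_msg denials.
    """
    rec = parse_user_avc(line)
    if rec.get("tclass") != "dbus" or "send_msg" not in rec["perms"]:
        return None
    src = domain_of(rec["scontext"])
    dst = domain_of(rec["tcontext"])
    iface = DBUS_CHAT_INTERFACES.get(dst)
    # Prefer the interface when one exists: it carries the gen_require and the
    # reverse rule, and keeps the caller's module independent of ntp's types.
    rules = [f"{iface}({src})"] if iface else dbus_chat_rules(src, dst)
    return {"source": src, "target": dst, "bus": rec.get("dest"),
            "member": rec.get("member"), "rules": rules}


if __name__ == "__main__":
    result = policy_for_denial(SAMPLE_AVC)
    print(f"# {result['source']} -> {result['bus']}.{result['member']} ({result['target']})")
    print("\n".join(result["rules"]))
```

For the thread's record this yields ntp_dbus_chat(applyconfig_t), which is exactly what a local module for applyconfig_t would call once the patch is merged; for a target domain with no such interface it falls back to the explicit rule pair, which is what the pre-patch ntp_admin body carried inline.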