From: dsugar@tresys.com (David Sugar)
Date: Fri, 16 Feb 2018 19:07:38 +0000
Subject: [refpolicy] [PATCH 4/5] Policy for chronyc - it was running in init_t domain
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch is creating a new domain for /usr/bin/chronyc. This is a cli program that talks to a running chronyd process. chronyc is used by chrony-wait.service and I was seeing chronyc running in the init_t domain when started this way. I'm open to suggestions for the interface name here (chronyd_command_dgram_send) it might be OK (maybe not). It is the best I could come up with, but I'm happy to change if someone has a better suggestion.
Signed-off-by: Dave Sugar
---
 chronyd.fc | 1 +
 chronyd.if | 20 ++++++++++++++++++++
 chronyd.te | 44 +++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/chronyd.fc b/chronyd.fc
index 3a5dad7..7d4d1c1 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -9,6 +9,7 @@
 /usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
 /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
 /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 45863dc..02a1d81 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -252,6 +252,26 @@ interface(`chronyd_status',`
 allow $1 chronyd_unit_t:service status;
 ')
+########################################
+##
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_command_dgram_send',`
+ gen_require(`
+ type chronyc_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
 ####################################
 ##
 ## All of the rules required to
diff --git a/chronyd.te b/chronyd.te
index 101fb4e..a6e814d 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,10 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
@@ -35,7 +39,7 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
 ########################################
 #
-# Local policy
+# chronyd local policy
 #
 allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
@@ -95,6 +99,7 @@ logging_send_syslog_msg(chronyd_t)
 miscfiles_read_localization(chronyd_t)
 chronyd_read_config(chronyd_t)
+chronyd_command_dgram_send(chronyd_t)
 optional_policy(`
 gpsd_rw_shm(chronyd_t)
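Review bot: The summary of chronyd_command_dgram_send says it sends "to chronyd command line interface", but the rule it expands, `dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)`, lets $1 send datagrams to a socket owned by chronyc_t under chronyd_var_run_t, and the only caller this patch adds is chronyd_t, so it is the daemon-to-client reply path rather than the client-to-daemon path that the existing chronyd_dgram_send covers. The summary should state that direction, e.g. `## Send datagrams to a chronyc client socket in chronyd_var_run_t (reply path from chronyd).`, and since the target is chronyc rather than chronyd a name such as chronyc_dgram_send would answer the naming question raised in the description. The XML tags that refpolicy interface headers carry (summary, param) are not visible in the mailed copy, presumably lost with the scrubbed HTML part; worth confirming they are intact in the applied patch.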
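Review bot: `init_daemon_domain(chronyc_t, chronyc_exec_t)` declares the client as a long-running daemon, although the description says chronyc is a short-lived CLI started from chrony-wait.service; refpolicy's `init_system_domain(chronyc_t, chronyc_exec_t)` is the interface intended for processes that init starts and that exit on their own, and it carries fewer daemon-oriented rules. The patch adds no transition from user or sysadm domains, so as far as these hunks show an administrator running /usr/bin/chronyc from a shell will not enter chronyc_t. If that use is intended, a domtrans interface for the client would be needed; if it is not, a comment on the type declaration such as `# chronyc_t is only entered from init (chrony-wait.service)` would save the next reviewer the question.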
@@ -103,3 +108,40 @@ optional_policy(`
 optional_policy(`
 mta_send_mail(chronyd_t)
 ')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
--
2.14.3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20180216/7c796c6a/attachment-0001.html
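Review bot: The chronyc domain is given `manage_dirs_pattern`, `manage_files_pattern` and `files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })` over chronyd_var_run_t, which lets the client create, rewrite and delete everything the daemon keeps under its runtime directory, not just its own reply socket. A client that only needs to place a socket there should be limited to `search_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)`, the existing `manage_sock_files_pattern` line and a `sock_file`-only filetrans, widening only if audit output shows chronyc creating the directory or regular files itself. Likewise `allow chronyc_t self:capability { dac_override };` is granted unconditionally; if it was added to let root enter a chrony-owned directory, `dac_read_search` is the narrower capability, so the denial that motivated it is worth re-checking. The DNS and UDP chronyd-port rules are appropriate for querying a remote chronyd, but if the unit only ever talks over the local socket they could be kept out of the base domain.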