From: dsugar@tresys.com (David Sugar) Date: Sun, 18 Feb 2018 01:58:33 +0000 Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I noticed that I missed something related to this patch set. The chronyc_t domain needs to have locallogin_use_fds() and userdom_use_user_ttys() as this can be used in an interactive mode. Without those two interfaces running chronyc interactively fails. And additionally the chronyd_t domain needs capability chown as it chowns the directory /var/run/chrony (which contains a socket that chronyc can use to communicate with chronyd) I can submit these as an additional patch or update this one. I think this is where they most likely belong. Please let me know what is preferred. I can also work them in as I revise based on any comments. Dave Sugar dsugar at tresys.com ________________________________________ From: refpolicy-bounces@oss.tresys.com on behalf of David Sugar via refpolicy Sent: Friday, February 16, 2018 2:08:34 PM To: refpolicy at oss.tresys.com Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc domain. Signed-off-by: Dave Sugar --- chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++ chronyd.te | 4 ++++ 2 files changed, 50 insertions(+) diff --git a/chronyd.if b/chronyd.if index 02a1d81..4f302e8 100644 --- a/chronyd.if +++ b/chronyd.if @@ -19,6 +19,25 @@ interface(`chronyd_domtrans',` domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') +##################################### +## +## Execute chronyc in the chronyc domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`chronyc_domtrans',` + gen_require(` + type chronyc_t, chronyc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chronyc_exec_t, chronyc_t) +') + ######################################## ## ## Execute chronyd server in the @@ -57,6 +76,33 @@ interface(`chronyd_exec',` can_exec($1, chronyd_exec_t) ') +######################################## +## +## Execute chronyc in the chronyc domain, +## and allow the specified roles the +## chronyc domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`chronyc_run',` + gen_require(` + attribute_role chronyc_roles; + ') + + chronyc_domtrans($1) + roleattribute $2 chronyc_roles; +') + ##################################### ## ## Read chronyd log files. diff --git a/chronyd.te b/chronyd.te index a6e814d..0bdd4ef 100644 --- a/chronyd.te +++ b/chronyd.te @@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0) # Declarations # +attribute_role chronyc_roles; + type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) @@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t) type chronyc_t; type chronyc_exec_t; init_daemon_domain(chronyc_t, chronyc_exec_t) +application_domain(chronyc_t, chronyc_exec_t) +role chronyc_roles types chronyc_t; type chronyd_conf_t; files_config_file(chronyd_conf_t) -- 2.14.3