From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 18 Feb 2018 11:14:09 -0500
Subject: [refpolicy] [PATCH 4/5] Policy for chronyc - it was running in init_t domain
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/2018 02:07 PM, David Sugar via refpolicy wrote:
> This patch is creating a new domain for /usr/bin/chronyc. This is a cli
> program that talks to a running chronyd process. chronyc is used by
> chrony-wait.service and I was seeing chronyc running in the init_t
> domain when started this way.
>
> I'm open to suggestions for the interface name here
> (chronyd_command_dgram_send) it might be OK (maybe not). It is the best
> I could come up with, but I'm happy to change if someone has a better
> suggestion.

> +########################################
> +##
> +##???? Send to chronyd command line interface using a unix domain
> +##???? datagram socket.
> +##
> +##
> +##????
> +##???? Domain allowed access.
> +##????
> +##
> +#
> +interface(`chronyd_command_dgram_send',`
> +?????? gen_require(`
> +?????????????? type chronyc_t, chronyd_var_run_t;
> +?????? ')
> +
> +?????? files_search_pids($1)
> +?????? dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t,
> chronyc_t)
> +')
> +

It would have to be something like chronyd_dgram_send_cli or
chronyd_dgram_send_client.

-- 
Chris PeBenito
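Review bot: the peer named as the last argument of the dgram_send_pattern call in the quoted interface is chronyc_t, so what the interface actually grants is that $1 may send unix datagrams to the chronyc client's socket under chronyd_var_run_t, not to chronyd; the name chronyd_command_dgram_send reads as the reverse direction and should identify the client as the target, which the names suggested in the reply (chronyd_dgram_send_cli / chronyd_dgram_send_client) do. Also, the doc header above the interface contains several "##" lines carrying only whitespace where refpolicy interface headers normally carry the summary and param markup, so verify that the summary and param tags were not lost from the submitted patch, otherwise the interface documentation will not be generated for it.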