From: dsugar@tresys.com (Dave Sugar) Date: Mon, 5 Mar 2018 09:03:01 -0500 Subject: [refpolicy] [PATCH 4/5-v4] Policy for chronyc - it was running in init_t domain In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com> References: <20180305140302.31341-1-dsugar@tresys.com> Message-ID: <20180305140302.31341-5-dsugar@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch is creating a new domain for /usr/bin/chronyc. This is a cli program that talks to a running chronyd process. chronyc is used by chrony-wait.service and I was seeing chronyc running in the init_t domain when started this way. Interface name updated based on suggestions. Signed-off-by: Dave Sugar --- chronyd.fc | 1 + chronyd.if | 20 ++++++++++++++++++++ chronyd.te | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/chronyd.fc b/chronyd.fc index 3a5dad7..7d4d1c1 100644 --- a/chronyd.fc +++ b/chronyd.fc @@ -9,6 +9,7 @@ /usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) /usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) +/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) diff --git a/chronyd.if b/chronyd.if index a42bc4f..3298891 100644 --- a/chronyd.if +++ b/chronyd.if @@ -252,6 +252,26 @@ interface(`chronyd_status',` allow $1 chronyd_unit_t:service status; ') +######################################## +## +## Send to chronyd command line interface using a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_dgram_send_cli',` + gen_require(` + type chronyc_t, chronyd_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t) +') + #################################### ## ## All of the rules required to diff --git a/chronyd.te b/chronyd.te index f28dd5e..0634548 100644 --- a/chronyd.te +++ b/chronyd.te @@ -9,6 +9,10 @@ type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyc_t; +type chronyc_exec_t; +init_daemon_domain(chronyc_t, chronyc_exec_t) + type chronyd_conf_t; files_config_file(chronyd_conf_t) @@ -35,10 +39,10 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony") ######################################## # -# Local policy +# chronyd local policy # -allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time }; +allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time }; allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; @@ -91,6 +95,7 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) +chronyd_dgram_send_cli(chronyd_t) chronyd_read_config(chronyd_t) optional_policy(` @@ -100,3 +105,40 @@ optional_policy(` optional_policy(` mta_send_mail(chronyd_t) ') + +######################################## +# +# chronyc local policy +# + +allow chronyc_t self:capability { dac_override }; +allow chronyc_t self:process { signal }; +allow chronyc_t self:udp_socket create_socket_perms; +allow chronyc_t self:netlink_route_socket create_netlink_socket_perms; + +manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file }) + +corenet_all_recvfrom_unlabeled(chronyc_t) +corenet_all_recvfrom_netlabel(chronyc_t) +corenet_udp_sendrecv_generic_if(chronyc_t) +corenet_udp_sendrecv_generic_node(chronyc_t) + +corenet_sendrecv_chronyd_client_packets(chronyc_t) +corenet_udp_sendrecv_chronyd_port(chronyc_t) + +files_read_etc_files(chronyc_t) +files_read_usr_files(chronyc_t) + +logging_send_syslog_msg(chronyc_t) + +sysnet_read_config(chronyc_t) +sysnet_dns_name_resolve(chronyc_t) + +miscfiles_read_localization(chronyc_t) + +chronyd_dgram_send(chronyc_t) +chronyd_read_config(chronyc_t) + -- 2.14.3