From: dsugar@tresys.com (Dave Sugar)
Date: Mon, 5 Mar 2018 09:03:02 -0500
Subject: [refpolicy] [PATCH 5/5-v4] Allow execution of chronyc from commandline
In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com>
References: <20180305140302.31341-1-dsugar@tresys.com>
Message-ID: <20180305140302.31341-6-dsugar@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.

Updated interface names based on suggestion, added missing permission to allow chronyc_t domain access to tty.

Signed-off-by: Dave Sugar
---
 chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 chronyd.te | 8 ++++++++
 2 files changed, 54 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 3298891..bc4ba69 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
 domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
+#####################################
+##
+## Execute chronyc in the chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_domtrans_cli',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 ########################################
 ##
 ## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
 can_exec($1, chronyd_exec_t)
 ')
+########################################
+##
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`chronyd_run_cli',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+ chronyd_domtrans_cli($1)
+ roleattribute $2 chronyc_roles;
+')
+
 #####################################
 ##
 ## Read chronyd log files.
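Review bot: chronyd_run_cli grants a role the chronyc domain, but nothing in this patch connects it to the module's administrative interface, so an admin role still gets no path to chronyc unless each policy author adds the call. If chronyd.if still carries a chronyd_admin(domain, role) interface (outside this hunk), it should presumably call `chronyd_run_cli($1, $2)` alongside the existing chronyd rules, which is also where the role attribute added in chronyd.te gets its first real consumer. The interface bodies themselves follow the usual gen_require/domtrans_pattern/roleattribute shape and look correct.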
diff --git a/chronyd.te b/chronyd.te
index 0634548..8277ef8 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
 # Declarations
 #
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyc_t;
 type chronyc_exec_t;
 init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
+locallogin_use_fds(chronyc_t)
+
 logging_send_syslog_msg(chronyc_t)
 sysnet_read_config(chronyc_t)
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
 miscfiles_read_localization(chronyc_t)
+userdom_use_user_ttys(chronyc_t)
+
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
-- 
2.14.3
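Review bot: After the second hunk chronyc_t is declared through both init_daemon_domain (the context line kept from the earlier patch) and the newly added application_domain, so the same type is a daemon domain reachable from init and an application domain reachable from user shells, and nothing in the file says why both are wanted. Presumably chronyc is also started from init-managed helper scripts or units, but that is an inference from the declarations, not something the hunk shows. A one-line comment above the new line would spare the next reader the investigation, e.g. `# chronyc is started both by init (helper scripts) and interactively via chronyd_run_cli`.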
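Review bot: userdom_use_user_ttys in the last hunk, as its name indicates, covers user_tty_device_t only, so a chronyc started from an ssh session or a terminal emulator (a user pty) would presumably still be denied writing to its terminal, and the rule grants open and rw on every user tty rather than on the descriptor chronyc actually inherits. The form refpolicy normally uses for an interactive command in this position is the inherited-descriptor one, which covers both ttys and ptys without granting fresh opens: `userdom_use_inherited_user_terminals(chronyc_t)` in place of the added line. The locallogin_use_fds line added in the third hunk fits that model, since the descriptor on a console login was opened by local_login_t; the sshd-owned descriptor of an ssh session is not covered by either hunk, which is worth confirming against an AVC denial log rather than guessing.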