2017-12-19 21:01:35

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat

I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.

type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

---
ntp.if | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/ntp.if b/ntp.if
index 00c7620..a6fe5b7 100644
--- a/ntp.if
+++ b/ntp.if
@@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
fs_search_tmpfs($1)
')

+########################################
+## <summary>
+## Send and receive messages from
+## ntp over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_dbus_chat',`
+ gen_require(`
+ type ntpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## All of the rules required to
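Review bot: the `## <summary>` on the new interface says "ntp over dbus", but the denial that motivates it comes from systemd-timedated, which runs as ntpd_t because of its ntp.fc labeling (as the thread notes); say "ntpd_t (including systemd-timedated's org.freedesktop.timedate1 service)" so callers understand what this interface actually covers. The rule pair itself follows the usual refpolicy `*_dbus_chat` shape, and both directions are needed here since the SetNTP method_call's reply travels ntpd_t -> $1. Worth a sentence in the summary: like other `*_dbus_chat` interfaces, this one does not make $1 a bus client, so callers still need `dbus_system_bus_client($1)` on their own.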
@@ -225,11 +246,6 @@ interface(`ntp_admin',`
ntp_run($1, $2)

ifdef(`init_systemd',`
- gen_require(`
- class dbus send_msg;
- ')
-
- allow $1 ntpd_t:dbus send_msg;
- allow ntpd_t $1:dbus send_msg;
+ ntp_dbus_chat($1)
')
')
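Review bot: `ntp_dbus_chat($1)` expands to exactly the two allow rules being removed, so ntp_admin is behaviour-neutral here and keeping the call inside `ifdef(`init_systemd',` is right, since only the systemd-labeled binary exposes a dbus service under ntpd_t. Two things to add to the commit message: that ntp_admin is refactored to use the new interface, and that the quoted denial's source domain (applyconfig_t) is only fixed if its own policy calls ntp_dbus_chat(applyconfig_t) or ntp_admin, which this patch by itself does not do.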
--
2.14.3
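As an added example, not part of the patch or the thread, the following Python script parses dbus denials of the kind quoted above and maps them to the refpolicy interface call that would allow them. dbus-daemon reports its own denials as USER_AVC records with the real AVC text nested inside msg='...', which is why a plain AVC parser misses them; the script unwraps that inner message, extracts the source and target types from the contexts, and looks the target type up in a small table. The table's only entry (ntpd_t -> ntp_dbus_chat) is the interface this patch adds; the USER_AVC input is the record from the thread, and the two contrast records, the example_t target type and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The USER_AVC record from the patch description (copied from the thread, not constructed).
PAGE_RECORD = (
    "type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 "
    "spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'"
)

# Constructed contrast records: a plain file AVC (not a dbus denial) and a dbus denial
# against a made-up target type (example_t) that has no known *_dbus_chat interface.
CONSTRUCTED_FILE_AVC = (
    "type=AVC msg=audit(1513693400.001:160): avc:  denied  { read } for  pid=1040 "
    "comm=\"cat\" name=\"ntp.conf\" dev=\"sda1\" ino=12345 "
    "scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:ntp_conf_t:s0 "
    "tclass=file permissive=0"
)
CONSTRUCTED_UNKNOWN_DBUS = (
    "type=USER_AVC msg=audit(1513693401.002:161): pid=667 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call interface=org.example.Foo "
    "member=Bar dest=org.example.Foo spid=2000 tpid=2001 "
    "scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:example_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'"
)

# Target domain -> refpolicy interface granting bidirectional dbus send_msg with it.
# The ntpd_t entry is the interface this patch adds; other modules supply their own.
DBUS_CHAT_INTERFACES = {"ntpd_t": "ntp_dbus_chat"}

_SERIAL = re.compile(r"msg=audit\([^:)]*:(\d+)\)")   # event serial after the timestamp
_INNER_MSG = re.compile(r"msg='(.*)'\s*$")           # AVC text nested in the USER_AVC
_PERMS = re.compile(r"denied\s*\{\s*([^}]*)\}")      # permissions inside { ... }
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value, value may be "quoted"


@dataclass(frozen=True)
class DbusDenial:
    serial: str                # audit event serial, e.g. "155"
    source_type: str           # type component of scontext (the caller)
    target_type: str           # type component of tcontext (the service owner)
    perms: Tuple[str, ...]     # denied dbus permissions, e.g. ("send_msg",)
    msgtype: str
    interface: str
    member: str


def type_of(context: str) -> str:
    """Return the type field (third colon-separated component) of an SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_dbus_denial(line: str) -> Optional[DbusDenial]:
    """Parse one audit record; return a DbusDenial for USER_AVC dbus denials, else None."""
    if not line.startswith("type=USER_AVC "):
        return None
    inner_m, serial_m = _INNER_MSG.search(line), _SERIAL.search(line)
    if inner_m is None or serial_m is None:
        return None
    inner = inner_m.group(1)
    perms_m = _PERMS.search(inner)
    if perms_m is None:
        return None  # USER_AVC text that is not a denial
    fields = {k: v.strip('"') for k, v in _KV.findall(inner)}
    if fields.get("tclass") != "dbus" or "scontext" not in fields or "tcontext" not in fields:
        return None
    return DbusDenial(
        serial=serial_m.group(1),
        source_type=type_of(fields["scontext"]),
        target_type=type_of(fields["tcontext"]),
        perms=tuple(perms_m.group(1).split()),
        msgtype=fields.get("msgtype", ""),
        interface=fields.get("interface", ""),
        member=fields.get("member", ""),
    )


def suggest_interface(denial: DbusDenial) -> Optional[str]:
    """Map a dbus send_msg denial to the refpolicy interface call that allows it, if known."""
    iface = DBUS_CHAT_INTERFACES.get(denial.target_type)
    if iface is None or "send_msg" not in denial.perms:
        return None
    return f"{iface}({denial.source_type})"


def triage(lines: Iterable[str]) -> List[Tuple[DbusDenial, Optional[str]]]:
    """Keep only dbus denials from an audit stream, each paired with a suggested interface."""
    out: List[Tuple[DbusDenial, Optional[str]]] = []
    for line in lines:
        denial = parse_dbus_denial(line)
        if denial is not None:
            out.append((denial, suggest_interface(denial)))
    return out
```

Running `triage([PAGE_RECORD, CONSTRUCTED_FILE_AVC, CONSTRUCTED_UNKNOWN_DBUS])` yields two entries: the thread's record maps to `ntp_dbus_chat(applyconfig_t)`, the file AVC is skipped because its class is not dbus, and the example_t denial is kept but has no suggestion. The suggestion is only the chat rule pair; the calling domain must separately be a bus client (refpolicy's `dbus_system_bus_client`), and a `member=SetNTP` denial from a domain that is not meant to administer time is worth investigating rather than allowing.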


2017-12-20 15:40:37

by Dac Override

Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat

On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy wrote:
> I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.
>
> type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Ideally systemd-timedated shouldn't be associated with the ntpd_t domain in the first place, but I guess that ship has sailed.

>
> ---
> ntp.if | 28 ++++++++++++++++++++++------
> 1 file changed, 22 insertions(+), 6 deletions(-)
>
> diff --git a/ntp.if b/ntp.if
> index 00c7620..a6fe5b7 100644
> --- a/ntp.if
> +++ b/ntp.if
> @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
> fs_search_tmpfs($1)
> ')
>
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## ntp over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> + gen_require(`
> + type ntpd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
> @@ -225,11 +246,6 @@ interface(`ntp_admin',`
> ntp_run($1, $2)
>
> ifdef(`init_systemd',`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - allow $1 ntpd_t:dbus send_msg;
> - allow ntpd_t $1:dbus send_msg;
> + ntp_dbus_chat($1)
> ')
> ')
> --
> 2.14.3

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-12-20 18:10:15

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Wednesday, December 20, 2017 10:41 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
>
> On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy
> wrote:
> > I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.
> >
> > type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> Ideally systemd-timedated shouldn't be associated with the ntpd_t domain
> in the first place, but I guess that ship has sailed.
>

Yes, it appears that systemd-timedated is labeled ntpd_exec_t in ntp.fc. It probably could be changed; I don't know how many ntp files systemd-timedated is actually accessing, or how much a change like that would break. It is my understanding that systemd-timedated does a subset of the ntpd features. At some level it makes sense.

> >
> > ---
> > ntp.if | 28 ++++++++++++++++++++++------
> > 1 file changed, 22 insertions(+), 6 deletions(-)
> >
> > diff --git a/ntp.if b/ntp.if
> > index 00c7620..a6fe5b7 100644
> > --- a/ntp.if
> > +++ b/ntp.if
> > @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
> > fs_search_tmpfs($1)
> > ')
> >
> > +########################################
> > +## <summary>
> > +## Send and receive messages from
> > +## ntp over dbus.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ntp_dbus_chat',`
> > + gen_require(`
> > + type ntpd_t;
> > + class dbus send_msg;
> > + ')
> > +
> > + allow $1 ntpd_t:dbus send_msg;
> > + allow ntpd_t $1:dbus send_msg;
> > +')
> > +
> > ########################################
> > ## <summary>
> > ## All of the rules required to
> > @@ -225,11 +246,6 @@ interface(`ntp_admin',`
> > ntp_run($1, $2)
> >
> > ifdef(`init_systemd',`
> > - gen_require(`
> > - class dbus send_msg;
> > - ')
> > -
> > - allow $1 ntpd_t:dbus send_msg;
> > - allow ntpd_t $1:dbus send_msg;
> > + ntp_dbus_chat($1)
> > ')
> > ')
> > --
> > 2.14.3
>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

2017-12-20 18:15:28

by Dac Override

Subject: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat

On Wed, Dec 20, 2017 at 06:10:15PM +0000, David Sugar via refpolicy wrote:
> > -----Original Message-----
> > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> > bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > Sent: Wednesday, December 20, 2017 10:41 AM
> > To: refpolicy at oss.tresys.com
> > Subject: Re: [refpolicy] [PATCH 1/1] Add interface for ntp_dbus_chat
> >
> > On Tue, Dec 19, 2017 at 09:01:35PM +0000, David Sugar via refpolicy
> > wrote:
> > > I'm seeing dbus send_msg denials when using timedatectl. This adds an interface to allow the communication.
> > >
> > > type=USER_AVC msg=audit(1513693376.372:155): pid=667 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetNTP dest=org.freedesktop.timedate1 spid=1037 tpid=1038 scontext=staff_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> >
> > Ideally systemd-timedated shouldn't be associated with the ntpd_t domain
> > in the first place, but I guess that ship has sailed.
> >
>
> Yes, it appears that systemd-timedated is labeled ntpd_exec_t in ntp.fc. It probably could be changed; I don't know how many ntp files systemd-timedated is actually accessing, or how much a change like that would break. It is my understanding that systemd-timedated does a subset of the ntpd features. At some level it makes sense.

I think that systemd-timesyncd would probably be closer to ntpd than systemd-timedated, but neither, AFAIK, are actually (fully fledged) NTP daemons.

>
> > >
> > > ---
> > > ntp.if | 28 ++++++++++++++++++++++------
> > > 1 file changed, 22 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/ntp.if b/ntp.if
> > > index 00c7620..a6fe5b7 100644
> > > --- a/ntp.if
> > > +++ b/ntp.if
> > > @@ -177,6 +177,27 @@ interface(`ntp_rw_shm',`
> > > fs_search_tmpfs($1)
> > > ')
> > >
> > > +########################################
> > > +## <summary>
> > > +## Send and receive messages from
> > > +## ntp over dbus.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`ntp_dbus_chat',`
> > > + gen_require(`
> > > + type ntpd_t;
> > > + class dbus send_msg;
> > > + ')
> > > +
> > > + allow $1 ntpd_t:dbus send_msg;
> > > + allow ntpd_t $1:dbus send_msg;
> > > +')
> > > +
> > > ########################################
> > > ## <summary>
> > > ## All of the rules required to
> > > @@ -225,11 +246,6 @@ interface(`ntp_admin',`
> > > ntp_run($1, $2)
> > >
> > > ifdef(`init_systemd',`
> > > - gen_require(`
> > > - class dbus send_msg;
> > > - ')
> > > -
> > > - allow $1 ntpd_t:dbus send_msg;
> > > - allow ntpd_t $1:dbus send_msg;
> > > + ntp_dbus_chat($1)
> > > ')
> > > ')
> > > --
> > > 2.14.3
> >
> >
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift