2018-02-16 19:07:38

by Sugar, David

Subject: [refpolicy] [PATCH 4/5] Policy for chronyc - it was running in init_t domain

This patch creates a new domain for /usr/bin/chronyc. This is a CLI program that talks to a running chronyd process. chronyc is used by chrony-wait.service, and I was seeing chronyc running in the init_t domain when started this way.

I'm open to suggestions for the interface name here (chronyd_command_dgram_send) it might be OK (maybe not). It is the best I could come up with, but I'm happy to change if someone has a better suggestion.

Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.fc | 1 +
chronyd.if | 20 ++++++++++++++++++++
chronyd.te | 44 +++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/chronyd.fc b/chronyd.fc
index 3a5dad7..7d4d1c1 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -9,6 +9,7 @@
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)

+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)

/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 45863dc..02a1d81 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -252,6 +252,26 @@ interface(`chronyd_status',`
allow $1 chronyd_unit_t:service status;
')

+########################################
+## <summary>
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_command_dgram_send',`
+ gen_require(`
+ type chronyc_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
####################################
## <summary>
## All of the rules required to
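Review bot: The interface summary says "Send to chronyd command line interface", but the pattern on the last line of the body passes chronyc_t as the target socket domain, so what the caller actually gets is sendto on the chronyc client's unix datagram socket plus write on sock_files under chronyd_var_run_t, i.e. the reply direction from the daemon to the client. The summary should say that so a reader does not take it for the client-to-daemon path; something like `## Send a unix domain datagram to the chronyc client socket in the chronyd runtime directory (used by chronyd to reply to chronyc).` The interface body is indented with single spaces in this listing where refpolicy uses tabs; that may be mail formatting, but it is worth checking before the patch is applied.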
diff --git a/chronyd.te b/chronyd.te
index 101fb4e..a6e814d 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,10 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)

+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+
type chronyd_conf_t;
files_config_file(chronyd_conf_t)

@@ -35,7 +39,7 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")

########################################
#
-# Local policy
+# chronyd local policy
#

allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
@@ -95,6 +99,7 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)

chronyd_read_config(chronyd_t)
+chronyd_command_dgram_send(chronyd_t)

optional_policy(`
gpsd_rw_shm(chronyd_t)
@@ -103,3 +108,40 @@ optional_policy(`
optional_policy(`
mta_send_mail(chronyd_t)
')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
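Review bot: The chronyc local policy grants more than a client talking to chronyd over a socket should need: dac_override on self:capability lets chronyc bypass file permission checks everywhere, and manage_dirs_pattern/manage_files_pattern on chronyd_var_run_t let the client create, delete and rewrite chronyd's own runtime directory contents (its pid file included), not just its own socket. Unless denials show otherwise, the manage rules can be narrowed to `search_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)` alongside the existing manage_sock_files_pattern line, and dac_override is worth confirming against a specific denial rather than kept as a blanket grant (a dontaudit is the usual answer when it is only probing). If chronyc creates its socket inside the already-labelled /var/run/chrony directory, the files_pid_filetrans() call with { dir file sock_file } may also be unnecessary; that is inferred from the path, so please confirm from the audit log. The final `+` line adds a trailing blank line at end of file.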
--
2.14.3


2018-02-18 16:14:09

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/5] Policy for chronyc - it was running in init_t domain

On 02/16/2018 02:07 PM, David Sugar via refpolicy wrote:
> This patch is creating a new domain for /usr/bin/chronyc. This is a cli
> program that talks to a running chronyd process. chronyc is used by
> chrony-wait.service and I was seeing chronyc running in the init_t
> domain when started this way.
>
> I'm open to suggestions for the interface name here
> (chronyd_command_dgram_send) it might be OK (maybe not). It is the best
> I could come up with, but I'm happy to change if someone has a better
> suggestion.

> +########################################
> +## <summary>
> +##???? Send to chronyd command line interface using a unix domain
> +##???? datagram socket.
> +## </summary>
> +## <param name="domain">
> +##???? <summary>
> +##???? Domain allowed access.
> +##???? </summary>
> +## </param>
> +#
> +interface(`chronyd_command_dgram_send',`
> +?????? gen_require(`
> +?????????????? type chronyc_t, chronyd_var_run_t;
> +?????? ')
> +
> +?????? files_search_pids($1)
> +?????? dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t,
> chronyc_t)
> +')
> +

It would have to be something like chronyd_dgram_send_cli or
chronyd_dgram_send_client.




--
Chris PeBenito