2018-02-16 19:08:34

by Sugar, David

Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc domain.

Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
chronyd.te | 4 ++++
2 files changed, 50 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 02a1d81..4f302e8 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')

+#####################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyc_domtrans',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
########################################
## <summary>
## Execute chronyd server in the
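Review bot: the new interface `chronyc_domtrans` is defined in chronyd.if but does not carry the module's `chronyd_` prefix, unlike `chronyd_domtrans` directly above it. refpolicy interfaces are named after the module that defines them, so this name would clash with a later standalone chronyc module and is hard to find from the module name. Rename it inside the chronyd namespace (for example `chronyd_domtrans_cli`) and update the summary to match.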
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')

+########################################
+## <summary>
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyc_run',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyc_domtrans($1)
+ roleattribute $2 chronyc_roles;
+')
+
#####################################
## <summary>
## Read chronyd log files.
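Review bot: `chronyc_run` sits outside the module's `chronyd_` prefix and calls `chronyc_domtrans($1)` by name, so the two interfaces have to be renamed together or the policy will stop building after only one is changed. The summary also says "the specified roles" while the interface takes a single role in `$2` and the param text says "Role allowed access"; make the summary singular so the generated documentation matches the signature.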
diff --git a/chronyd.te b/chronyd.te
index a6e814d..0bdd4ef 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
# Declarations
#

+attribute_role chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
type chronyc_t;
type chronyc_exec_t;
init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;

type chronyd_conf_t;
files_config_file(chronyd_conf_t)
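Review bot: with `application_domain(chronyc_t, chronyc_exec_t)` added directly under the existing `init_daemon_domain(chronyc_t, chronyc_exec_t)`, chronyc_t is now declared both as an init-started daemon and as a user-run application. The commit message describes chronyc as something executed from the command line, so the init_daemon_domain line looks unnecessary and leaves an init transition into chronyc_t that nothing here uses. Drop it in the earlier patch of the series, or state why both declarations are needed.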
--
2.14.3

2018-02-18 01:58:33

by Sugar, David

Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc

I noticed that I missed something related to this patch set. The chronyc_t domain needs to have locallogin_use_fds() and userdom_use_user_ttys() as this can be used in an interactive mode. Without those two interfaces, running chronyc interactively fails.

And additionally the chronyd_t domain needs capability chown as it chowns the directory /var/run/chrony (which contains a socket that chronyc can use to communicate with chronyd).

I can submit these as an additional patch or update this one. I think this is where they most likely belong.

Please let me know what is preferred. I can also work them in as I revise based on any comments.

Dave Sugar
dsugar at tresys.com

________________________________________
From: [email protected] <[email protected]> on behalf of David Sugar via refpolicy <[email protected]>
Sent: Friday, February 16, 2018 2:08:34 PM
To: refpolicy at oss.tresys.com
Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc domain.

Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
chronyd.te | 4 ++++
2 files changed, 50 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 02a1d81..4f302e8 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')

+#####################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyc_domtrans',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
########################################
## <summary>
## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')

+########################################
+## <summary>
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyc_run',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyc_domtrans($1)
+ roleattribute $2 chronyc_roles;
+')
+
#####################################
## <summary>
## Read chronyd log files.
diff --git a/chronyd.te b/chronyd.te
index a6e814d..0bdd4ef 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
# Declarations
#

+attribute_role chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
type chronyc_t;
type chronyc_exec_t;
init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;

type chronyd_conf_t;
files_config_file(chronyd_conf_t)
--
2.14.3

2018-02-18 16:14:15

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc

On 02/16/2018 02:08 PM, David Sugar via refpolicy wrote:
> With the previous patch moving chronyc into a separate domain this adds
> interfaces to execute chronyc from the command line and have it run in
> the chronyc domain.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> ?chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> ?chronyd.te |? 4 ++++
> ?2 files changed, 50 insertions(+)
>
> diff --git a/chronyd.if b/chronyd.if
> index 02a1d81..4f302e8 100644
> --- a/chronyd.if
> +++ b/chronyd.if
> @@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
> ???????? domtrans_pattern($1, chronyd_exec_t, chronyd_t)
> ?')
>
> +#####################################
> +## <summary>
> +##???? Execute chronyc in the chronyc domain.
> +## </summary>
> +## <param name="domain">
> +##???? <summary>
> +##???? Domain allowed to transition.
> +##???? </summary>
> +## </param>
> +#
> +interface(`chronyc_domtrans',`
> +?????? gen_require(`
> +?????????????? type chronyc_t, chronyc_exec_t;
> +?????? ')
> +
> +?????? corecmd_search_bin($1)
> +?????? domtrans_pattern($1, chronyc_exec_t, chronyc_t)
> +')
> +
> ?########################################
> ?## <summary>
> ?##????? Execute chronyd server in the
> @@ -57,6 +76,33 @@ interface(`chronyd_exec',`
> ???????? can_exec($1, chronyd_exec_t)
> ?')
>
> +########################################
> +## <summary>
> +##???? Execute chronyc in the chronyc domain,
> +##???? and allow the specified roles the
> +##???? chronyc domain.
> +## </summary>
> +## <param name="domain">
> +##???? <summary>
> +##???? Domain allowed to transition.
> +##???? </summary>
> +## </param>
> +## <param name="role">
> +##???? <summary>
> +##???? Role allowed access.
> +##???? </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`chronyc_run',`
> +?????? gen_require(`
> +?????????????? attribute_role chronyc_roles;
> +?????? ')
> +
> +?????? chronyc_domtrans($1)
> +?????? roleattribute $2 chronyc_roles;
> +')
> +

These would have to be similar to the dgram_send interface in the other
patch. chronyd_run_cli, chronyd_run_client, or something similar.


--
Chris PeBenito