This patch set is several changes to the chronyd module to achieve the following things:
1) Separate type for /etc/chrony.conf along with interfaces.
v2 - fix a comment in the patch
2) Interfaces to start/stop/status/etc.. the chronyd service
v2 - fix a comment in the patch
3) Allow chronyd to send/recv ntp client packets
4) New type for chronyc - it is run from chrony-wait.service but it was running in init_t domain
v2 - incorporate feedback on interface names & fix denial related to chowning /var/run/chrony
5) Add interface to domtrans into chronyc domain
v2 - incorporate feedback on interface names & allow cli access to tty
v4 - Try one last time to submit via email. If this still fails I will try a pull request on GitHub.
chronyd.fc | 2 +
chronyd.if | 161 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
chronyd.te | 60 ++++++++++++++++++++++-
3 files changed, 221 insertions(+), 2 deletions(-)
--
2.14.3
Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.
Fixed summary for chronyd_rw_config interface from previous submission.
Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.fc | 1 +
chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
chronyd.te | 5 +++++
3 files changed, 44 insertions(+)
diff --git a/chronyd.fc b/chronyd.fc
index 5ee3551..3a5dad7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 3d45be4..e0a751a 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Read and write chronyd shared memory.
diff --git a/chronyd.te b/chronyd.te
index 0de7b52..09d7f83 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+chronyd_read_config(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
--
2.14.3
Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service
Fix summary for chronyd_startstop from previous submission
Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/chronyd.if b/chronyd.if
index e0a751a..a42bc4f 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
+########################################
+## <summary>
+## Allow specified domain to enable and disable chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start and stop chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
####################################
## <summary>
## All of the rules required to
--
2.14.3
chronyd is an NTP client along with an NTP server. Change to allow chronyd to send/recv ntp client packets.
Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/chronyd.te b/chronyd.te
index 09d7f83..f28dd5e 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -74,6 +74,7 @@ corenet_udp_sendrecv_generic_if(chronyd_t)
corenet_udp_sendrecv_generic_node(chronyd_t)
corenet_udp_bind_generic_node(chronyd_t)
+corenet_sendrecv_ntp_client_packets(chronyd_t)
corenet_sendrecv_ntp_server_packets(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
corenet_udp_sendrecv_ntp_port(chronyd_t)
--
2.14.3
This patch is creating a new domain for /usr/bin/chronyc. This is a cli program that talks to a running chronyd process. chronyc is used by chrony-wait.service and I was seeing chronyc running in the init_t domain when started this way.
Interface name updated based on suggestions.
Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.fc | 1 +
chronyd.if | 20 ++++++++++++++++++++
chronyd.te | 46 ++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/chronyd.fc b/chronyd.fc
index 3a5dad7..7d4d1c1 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -9,6 +9,7 @@
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index a42bc4f..3298891 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -252,6 +252,26 @@ interface(`chronyd_status',`
allow $1 chronyd_unit_t:service status;
')
+########################################
+## <summary>
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_dgram_send_cli',`
+ gen_require(`
+ type chronyc_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
####################################
## <summary>
## All of the rules required to
diff --git a/chronyd.te b/chronyd.te
index f28dd5e..0634548 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,10 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+
type chronyd_conf_t;
files_config_file(chronyd_conf_t)
@@ -35,10 +39,10 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
########################################
#
-# Local policy
+# chronyd local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
+allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
@@ -91,6 +95,7 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+chronyd_dgram_send_cli(chronyd_t)
chronyd_read_config(chronyd_t)
optional_policy(`
@@ -100,3 +105,40 @@ optional_policy(`
optional_policy(`
mta_send_mail(chronyd_t)
')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
--
2.14.3
With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.
Updated interface names based on suggestion, added missing permission to allow chronyc_t domain access to tty.
Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
chronyd.te | 8 ++++++++
2 files changed, 54 insertions(+)
diff --git a/chronyd.if b/chronyd.if
index 3298891..bc4ba69 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+#####################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
########################################
## <summary>
## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_cli($1)
+ roleattribute $2 chronyc_roles;
+')
+
#####################################
## <summary>
## Read chronyd log files.
diff --git a/chronyd.te b/chronyd.te
index 0634548..8277ef8 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
# Declarations
#
+attribute_role chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
type chronyc_t;
type chronyc_exec_t;
init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
type chronyd_conf_t;
files_config_file(chronyd_conf_t)
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
files_read_etc_files(chronyc_t)
files_read_usr_files(chronyc_t)
+locallogin_use_fds(chronyc_t)
+
logging_send_syslog_msg(chronyc_t)
sysnet_read_config(chronyc_t)
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
miscfiles_read_localization(chronyc_t)
+userdom_use_user_ttys(chronyc_t)
+
chronyd_dgram_send(chronyc_t)
chronyd_read_config(chronyc_t)
--
2.14.3
On 03/05/2018 09:02 AM, Dave Sugar via refpolicy wrote:
> This patch set is several changes to the chronyd module to achieve the following things:
>
> 1) Separate type for /etc/chrony.conf along with interfaces.
> v2 - fix a comment in the patch
> 2) Interfaces to start/stop/status/etc.. the chronyd service
> v2 - fix a comment in the patch
> 3) Allow chronyd to send/recv ntp client packets
> 4) New type for chronyc - it is run from chrony-wait.service but it was running in init_t domain
> v2 - incorporate feedback on interface names & fix denial related to chowning /var/run/chrony
> 5) Add interface to domtrans into chronyc domain
> v2 - incorporate feedback on interface names & allow cli access to tty
>
> v4 - Try one last time to submit via email. If this still fails I will try a pull request on GitHub.
>
> chronyd.fc | 2 +
> chronyd.if | 161 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> chronyd.te | 60 ++++++++++++++++++++++-
> 3 files changed, 221 insertions(+), 2 deletions(-)
Merged.
--
Chris PeBenito