From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1521970272.1100fd2c68b60b6ab5eb34baedb20a63a191f057.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/chronyd.if policy/modules/contrib/chronyd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 1100fd2c68b60b6ab5eb34baedb20a63a191f057
X-VCS-Branch: master
Date: Sun, 25 Mar 2018 10:29:20 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 49e64e84-dc6e-4348-b2a8-19316cd0809d
X-Archives-Hash: 0f970217f98df7a5041337924337ca89

commit:     1100fd2c68b60b6ab5eb34baedb20a63a191f057
Author:     Dave Sugar tresys com>
AuthorDate: Mon Mar  5 14:03:02 2018 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Mar 25 09:31:12 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c

Allow execution of chronyc from commandline

With the previous patch moving chronyc into a separate domain this adds
interfaces to execute chronyc from the command line and have it run in
the chronyc_t domain.

Updated interface names based on suggestion, added missing permission
to allow chronyc_t domain access to tty.

Signed-off-by: Dave Sugar tresys.com>

 policy/modules/contrib/chronyd.if | 46 +++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/chronyd.te |  8 +++++++
 2 files changed, 54 insertions(+)

diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32988914..bc4ba691 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',` domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') +##################################### +## +## Execute chronyc in the chronyc domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`chronyd_domtrans_cli',` + gen_require(` + type chronyc_t, chronyc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chronyc_exec_t, chronyc_t) +') + ######################################## ## ## Execute chronyd server in the @@ -57,6 +76,33 @@ interface(`chronyd_exec',` can_exec($1, chronyd_exec_t) ') +######################################## +## +## Execute chronyc in the chronyc domain, +## and allow the specified roles the +## chronyc domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`chronyd_run_cli',` + gen_require(` + attribute_role chronyc_roles; + ') + + chronyd_domtrans_cli($1) + roleattribute $2 chronyc_roles; +') + ##################################### ## ## Read chronyd log files. diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 0634548d..8277ef81 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0) # Declarations # +attribute_role chronyc_roles; + type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) @@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t) type chronyc_t; type chronyc_exec_t; init_daemon_domain(chronyc_t, chronyc_exec_t) +application_domain(chronyc_t, chronyc_exec_t) +role chronyc_roles types chronyc_t; type chronyd_conf_t; files_config_file(chronyd_conf_t) @@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t) files_read_etc_files(chronyc_t) files_read_usr_files(chronyc_t) +locallogin_use_fds(chronyc_t) + logging_send_syslog_msg(chronyc_t) sysnet_read_config(chronyc_t) 
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t) miscfiles_read_localization(chronyc_t) +userdom_use_user_ttys(chronyc_t) + chronyd_dgram_send(chronyc_t) chronyd_read_config(chronyc_t)
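Review bot: In the chronyd.te hunk that adds `application_domain(chronyc_t, chronyc_exec_t)`, the unchanged line two above it still declares the same type pair with `init_daemon_domain(chronyc_t, chronyc_exec_t)`, so chronyc_t ends up as both an init-started daemon domain and a user-launched application domain. Since the point of this series is that chronyc is the client binary run from the command line, consider whether the `init_daemon_domain` call should stay; if it is still needed, a one-line comment saying why would spare the next reader the question, and if it is not, dropping it stops init from being able to enter a domain that now carries tty and user-role access.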
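Review bot: `userdom_use_user_ttys(chronyc_t)` in the last chronyd.te hunk grants only user tty devices, but chronyc started from a terminal emulator or an ssh session is attached to a pty, which this rule does not cover, so the "access to tty" fix named in the commit message would still produce denials in the common case. Consider `userdom_use_user_terminals(chronyc_t)` here instead, which in refpolicy covers both user ttys and ptys, or add the pty counterpart next to this line.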