diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch new file mode 100644 index 0000000..85a6d63 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From f23bb02c92bcbf7afa0c6b445719df6b06df15ea Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Mon, 6 Jul 2020 09:06:08 +0800 | ||
4 | Subject: [PATCH] policy/modules/services/ntp: allow ntpd_t to watch system bus | ||
5 | runtime directories and named sockets | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { read } for pid=197 comm="systemd-timesyn" name="dbus" | ||
9 | dev="tmpfs" ino=14064 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 | ||
10 | tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir | ||
11 | permissive=0 | ||
12 | |||
13 | avc: denied { watch } for pid=197 comm="systemd-timesyn" | ||
14 | path="/run/dbus" dev="tmpfs" ino=14064 | ||
15 | scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 | ||
16 | tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir | ||
17 | permissive=0 | ||
18 | |||
19 | avc: denied { read } for pid=197 comm="systemd-timesyn" | ||
20 | name="system_bus_socket" dev="tmpfs" ino=14067 | ||
21 | scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 | ||
22 | tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file | ||
23 | permissive=0 | ||
24 | |||
25 | avc: denied { watch } for pid=197 comm="systemd-timesyn" | ||
26 | path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14067 | ||
27 | scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 | ||
28 | tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file | ||
29 | permissive=0 | ||
30 | |||
31 | Upstream-Status: Inappropriate [embedded specific] | ||
32 | |||
33 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
34 | --- | ||
35 | policy/modules/services/ntp.te | 4 ++++ | ||
36 | 1 file changed, 4 insertions(+) | ||
37 | |||
38 | diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te | ||
39 | index 81f8c76bb..75603e16b 100644 | ||
40 | --- a/policy/modules/services/ntp.te | ||
41 | +++ b/policy/modules/services/ntp.te | ||
42 | @@ -141,6 +141,10 @@ userdom_list_user_home_dirs(ntpd_t) | ||
43 | ifdef(`init_systemd',` | ||
44 | allow ntpd_t ntpd_unit_t:file read_file_perms; | ||
45 | |||
46 | + dbus_watch_system_bus_runtime_dirs(ntpd_t) | ||
47 | + allow ntpd_t system_dbusd_runtime_t:dir read; | ||
48 | + dbus_watch_system_bus_runtime_named_sockets(ntpd_t) | ||
49 | + allow ntpd_t system_dbusd_runtime_t:sock_file read; | ||
50 | dbus_system_bus_client(ntpd_t) | ||
51 | dbus_connect_system_bus(ntpd_t) | ||
52 | init_dbus_chat(ntpd_t) | ||
53 | -- | ||
54 | 2.17.1 | ||
55 | |||