1 files changed, 40 insertions, 0 deletions

diff --git a/recipes-security/refpolicy/refpolicy/0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
new file mode 100644
index 0000000..b939c37
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
@@ -0,0 +1,40 @@
+From cb455496193d01761175f35297038f7cf468ebed Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 10:21:04 +0800
+Subject: [PATCH] policy/modules/services/ntp: make nptd_t MLS trusted for
+ reading from files at all levels
+
+Fixes:
+avc:  denied  { search } for  pid=193 comm="systemd-timesyn"
+name="journal" dev="tmpfs" ino=10956
+scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc:  denied  { read } for  pid=193 comm="systemd-timesyn" name="dbus"
+dev="tmpfs" ino=13971 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/ntp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
+index 75603e16b..8886cb3bf 100644
+--- a/policy/modules/services/ntp.te
++++ b/policy/modules/services/ntp.te
+@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
+ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+ userdom_list_user_home_dirs(ntpd_t)
+ 
++mls_file_read_all_levels(ntpd_t)
++
+ ifdef(`init_systemd',`
+        allow ntpd_t ntpd_unit_t:file read_file_perms;
+ 
+-- 
+2.17.1
+