
[meta-selinux] refpolicy: fix chronyd dac_read_search denials

Message ID 4a60bdcb-450c-460e-828d-ade3b6790921@gmail.com
State New

Commit Message

Clayton Casciato March 13, 2025, 4:10 a.m. UTC
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 ...ervices-chronyd-fix-dac_read_search-.patch | 58 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-services-chronyd-fix-dac_read_search-.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-chronyd-fix-dac_read_search-.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-chronyd-fix-dac_read_search-.patch
new file mode 100644
index 0000000..7d1743c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-chronyd-fix-dac_read_search-.patch
@@ -0,0 +1,58 @@ 
+From f892f5e254e26418213556f00badaf69d14ec16f Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Thu, 27 Feb 2025 15:53:30 -0700
+Subject: [PATCH] chronyd: fix dac_read_search denials
+
+avc:  denied  { dac_read_search }
+comm=chronyd
+capability=dac_read_search
+scontext=system_u:system_r:chronyd_t:s0
+tcontext=system_u:system_r:chronyd_t:s0
+tclass=capability
+
+--
+
+Fedora
+
+chronyd_t
+https://github.com/fedora-selinux/selinux-policy/blob/281599ec3a5f0cc0d423b98bb76c71c1a5d76870/policy/modules/contrib/chronyd.te#L55
+
+chronyc_t
+https://github.com/fedora-selinux/selinux-policy/blob/281599ec3a5f0cc0d423b98bb76c71c1a5d76870/policy/modules/contrib/chronyd.te#L257
+
+--
+
+Reference:
+https://danwalsh.livejournal.com/77140.html
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/231960371da6ed49fdde1891dee3cf607791c76f]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/services/chronyd.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
+index 9e6ba5bf1..3d4007a57 100644
+--- a/policy/modules/services/chronyd.te
++++ b/policy/modules/services/chronyd.te
+@@ -54,7 +54,7 @@ logging_log_file(chronyd_var_log_t)
+ # chronyd local policy
+ #
+ 
+-allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
++allow chronyd_t self:capability { chown dac_override dac_read_search ipc_lock setgid setuid sys_resource sys_time };
+ allow chronyd_t self:process { getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:fifo_file rw_fifo_file_perms;
+@@ -134,7 +134,7 @@ optional_policy(`
+ # chronyc local policy
+ #
+ 
+-allow chronyc_t self:capability { dac_override };
++allow chronyc_t self:capability { dac_override dac_read_search };
+ allow chronyc_t self:process { signal };
+ allow chronyc_t self:udp_socket create_socket_perms;
+ allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
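Review bot: The two new `allow … self:capability` lines add dac_read_search while keeping dac_override, so after this backport both domains hold the broader DAC-bypass capability as well as the narrower read/search one; the referenced livejournal article describes the kernel checking dac_read_search before dac_override, which means a denial on dac_read_search alone does not by itself show that dac_override is still exercised. The patch header reproduces the AVC but a `capability` class denial carries no target path, so it does not record which file or directory chronyd and chronyc were reading when they hit the check, and a reviewer cannot judge whether relabeling or fixing ownership of that object would have been a least-privilege alternative to granting the capability. Since this is a backport of the upstream refpolicy commit it seems reasonable to keep the rules as-is, but I would add a sentence to the header such as `# Object accessed when the dac_read_search denial fired: <path/label to be filled in from audit logs>` and, as a follow-up, check with auditing whether dac_override is still needed by either domain once dac_read_search is granted.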
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 0661e6c..fca7034 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -73,6 +73,7 @@  SRC_URI += " \
         file://0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0057-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0058-policy-modules-services-chronyd-fix-dac_read_search-.patch \
         "
 
 S = "${WORKDIR}/refpolicy"