From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1521970267.d124bc67058d9f7913289dec07b0b4cb27e25acf.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/chronyd.fc policy/modules/contrib/chronyd.if policy/modules/contrib/chronyd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: d124bc67058d9f7913289dec07b0b4cb27e25acf
X-VCS-Branch: master
Date: Sun, 25 Mar 2018 10:29:20 +0000 (UTC)

commit:     d124bc67058d9f7913289dec07b0b4cb27e25acf
Author:     Dave Sugar tresys com>
AuthorDate: Mon Mar  5 14:03:01 2018 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Mar 25 09:31:07 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d124bc67

Policy for chronyc - it was running in init_t domain

This patch is creating a new domain for /usr/bin/chronyc. This is a cli program that talks to a running chronyd process. chronyc is used by chrony-wait.service and I was seeing chronyc running in the init_t domain when started this way.

Interface name updated based on suggestions.

Signed-off-by: Dave Sugar tresys.com>

 policy/modules/contrib/chronyd.fc |  1 +
 policy/modules/contrib/chronyd.if | 20 +++++++++++++++++
 policy/modules/contrib/chronyd.te | 46 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 445f3749..7153deee 100644
--- a/policy/modules/contrib/chronyd.fc +++ b/policy/modules/contrib/chronyd.fc @@ -9,6 +9,7 @@ /usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) /usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) +/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index a42bc4f4..32988914 100644 --- a/policy/modules/contrib/chronyd.if +++ b/policy/modules/contrib/chronyd.if @@ -252,6 +252,26 @@ interface(`chronyd_status',` allow $1 chronyd_unit_t:service status; ') +######################################## +## +## Send to chronyd command line interface using a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_dgram_send_cli',` + gen_require(` + type chronyc_t, chronyd_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t) +') + #################################### ## ## All of the rules required to diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index f28dd5e6..0634548d 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -9,6 +9,10 @@ type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyc_t; +type chronyc_exec_t; +init_daemon_domain(chronyc_t, chronyc_exec_t) + type chronyd_conf_t; files_config_file(chronyd_conf_t) 
@@ -35,10 +39,10 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony") ######################################## # -# Local policy +# chronyd local policy # -allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time }; +allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time }; allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; @@ -91,6 +95,7 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) +chronyd_dgram_send_cli(chronyd_t) chronyd_read_config(chronyd_t) optional_policy(` @@ -100,3 +105,40 @@ optional_policy(` optional_policy(` mta_send_mail(chronyd_t) ') + +######################################## +# +# chronyc local policy +# + +allow chronyc_t self:capability { dac_override }; +allow chronyc_t self:process { signal }; +allow chronyc_t self:udp_socket create_socket_perms; +allow chronyc_t self:netlink_route_socket create_netlink_socket_perms; + +manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) +files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file }) + +corenet_all_recvfrom_unlabeled(chronyc_t) +corenet_all_recvfrom_netlabel(chronyc_t) +corenet_udp_sendrecv_generic_if(chronyc_t) +corenet_udp_sendrecv_generic_node(chronyc_t) + +corenet_sendrecv_chronyd_client_packets(chronyc_t) +corenet_udp_sendrecv_chronyd_port(chronyc_t) + +files_read_etc_files(chronyc_t) +files_read_usr_files(chronyc_t) + +logging_send_syslog_msg(chronyc_t) + +sysnet_read_config(chronyc_t) +sysnet_dns_name_resolve(chronyc_t) + +miscfiles_read_localization(chronyc_t) + +chronyd_dgram_send(chronyc_t) +chronyd_read_config(chronyc_t) +
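Review bot: in the chronyd.if hunk, the doc comment of the new `chronyd_dgram_send_cli` interface shows only bare `##` lines where refpolicy expects `<summary>` and `<param name="domain">` blocks around "Send to chronyd command line interface using a unix domain datagram socket." and "Domain allowed access."; as rendered here the generator would pick up neither, so check that the tags are present in the committed file. The interface name also reads as "send to the CLI", while `dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)` grants $1 sendto on chronyc_t sockets living in chronyd_var_run_t, i.e. the reply direction used by `chronyd_dgram_send_cli(chronyd_t)` below; a summary line saying this is the daemon-to-client half that pairs with the existing `chronyd_dgram_send` would make that explicit.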
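Review bot: in the first chronyd.te hunk, `init_daemon_domain(chronyc_t, chronyc_exec_t)` only provides the transition from init, which covers the chrony-wait.service case named in the commit message, but no hunk adds a domtrans or run interface for administrative domains, so `chronyc` started from a shell stays in the caller's domain. If chronyc is meant to always be confined, add a domtrans/run interface pair for it (a `chronyd_domtrans_cli`/`chronyd_run_cli`, names suggested here, wired into the admin interface); if only the service-launched case is intended, the commit message should say so.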
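Review bot: in the second chronyd.te hunk, adding `chown` to `allow chronyd_t self:capability { ... }` is a change the commit message ("creating a new domain for /usr/bin/chronyc") does not explain. Either state why chronyd now needs CAP_CHOWN (presumably to hand its runtime directory or socket under chronyd_var_run_t to the chrony user so chronyc can reach it) or split it into its own commit, so that a new capability for the daemon is not buried in the chronyc work. The comment rename from `# Local policy` to `# chronyd local policy` is fine given the second block added further down.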
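Review bot: in the last chronyd.te hunk, the chronyc_t block grants more on chronyd_var_run_t than a client needs: `manage_dirs_pattern` and `manage_files_pattern` let chronyc create, rewrite and unlink anything chronyd keeps in its runtime directory, and `files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })` labels any directory or plain file chronyc creates under the pid directory as chronyd_var_run_t. Since chronyc only has to create its own unix datagram socket there and send to chronyd's, narrow this to `manage_sock_files_pattern` plus `search_dirs_pattern` (or `list_dirs_pattern`) on the directory, with `sock_file` alone in the filetrans. `allow chronyc_t self:capability { dac_override };` also deserves a comment on what it is for; if it only has to traverse a chrony-owned 0750 directory as root, `dac_read_search` is the narrower capability. Finally, the hunk ends with an added empty line (a bare `+`) at end of file, which should be dropped.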