File fix_ntp.patch of Package selinux-policy
Index: fedora-policy-20230125/policy/modules/contrib/ntp.fc
===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.fc
+++ fedora-policy-20230125/policy/modules/contrib/ntp.fc
@@ -9,6 +9,7 @@
 /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -16,7 +17,6 @@
 /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
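Review bot: In the first ntp.fc hunk, `/usr/sbin/start-ntpd` is labelled `ntpd_exec_t`, so the wrapper presumably runs in `ntpd_t` itself and everything it does before the daemon starts has to be allowed to the daemon's domain; nothing in the file says why it does not get `ntpd_initrc_exec_t` like the init script on the line above. A one-line comment above the entry would make the choice reviewable, for example `# wrapper that starts ntpd; shares ntpd_exec_t because <reason>`. If the wrapper is what requires the `dac_override` and `lnk_file` additions in ntp.te, saying so here would tell the next reader when those can be dropped.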
@@ -25,3 +25,26 @@
 /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
 /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/var/lib/ntp gen_context(system_u:object_r:root_t,s0)
+/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0)
+/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0)
+/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0)
+/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:var_t,s0)
+/var/lib/ntp/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+/var/lib/ntp/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0)
+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
Index: fedora-policy-20230125/policy/modules/contrib/ntp.te
===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.te
+++ fedora-policy-20230125/policy/modules/contrib/ntp.te
@@ -49,6 +49,9 @@ init_system_domain(ntpd_t, ntpdate_exec_
 allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+# remove once 1207577 is done
+allow ntpd_t self:capability dac_override;
+
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
@@ -78,7 +81,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+manage_lnk_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file dir lnk_file })
 can_exec(ntpd_t, ntpd_exec_t)
 can_exec(ntpd_t, ntpdate_exec_t)
Index: fedora-policy-20230125/policy/modules/contrib/ntp.if
===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.if
+++ fedora-policy-20230125/policy/modules/contrib/ntp.if
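Review bot: In the third ntp.fc hunk the `crypto(/.*)?` and `data(/.*)?` entries carry the `--` specifier, which restricts a match to regular files, so the `crypto` and `data` directories themselves, and any subdirectory, never receive `ntpd_key_t` or `ntp_drift_t`. Because the previous hunk drops the `/var/lib/ntp(/.*)?` catch-all, those directories (and `/var/lib/ntp/etc/ntp`, which no entry matches) fall back to whatever broader rule covers `/var/lib`, which is probably not intended for key material. Dropping the specifier, `/var/lib/ntp/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)`, labels the directory and its contents alike. The dots in `ntp.conf.iburst` and `ntp.drift` are also unescaped, unlike `ntpd\.pid` in the context lines, and should be written `\.`.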
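Review bot: The added `allow ntpd_t self:capability dac_override;` in the first ntp.te hunk lets a network-facing daemon bypass discretionary permission checks on every file its type rules let it reach, on top of the `dac_read_search` it already holds two lines up, and the only justification is a bare number. The comment should name the tracker and the access that fails without the rule, e.g. `# bug 1207577 (<tracker>): <path> not accessible to the ntp user; drop once fixed`, so the exception can actually be retired. If the denial comes from a single path, correcting its ownership in the package is the narrower fix and is worth stating as the exit condition.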
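Review bot: `files_pid_filetrans` in the second ntp.te hunk now also transitions `dir` objects to `ntpd_var_run_t`, but the hunk adds only `manage_lnk_files_pattern`; unless a `manage_dirs_pattern` for this type exists outside the hunk, ntpd_t gets a type transition for a directory it is not allowed to create. Either add `manage_dirs_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)` next to the new line or leave `dir` out of the transition set. A short comment on why the daemon needs to create symlinks in the pid directory would also help, since link creation there is a wider grant than writing a pid file.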
@@ -339,3 +339,23 @@ interface(`ntp_manage_log',`
 manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
 ')
+########################################
+## <summary>
+## Create, read, write, and delete
+## ntp pid (lnk) files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_pid_files',`
+ gen_require(`
+ type ntpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t)
+ manage_lnk_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t)
+')
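Review bot: The summary of `ntp_manage_pid_files` reads "ntp pid (lnk) files", which does not make clear that the interface grants manage access to both regular files and symbolic links of type `ntpd_var_run_t`; I would write it as `## Create, read, write, and delete ntp pid files and symbolic links.`. No caller appears in this patch, so which domain is meant to receive the access cannot be checked from here, and naming it in the patch description would help. The interface body is complete within the hunk.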