From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 22 Aug 2022 10:41:49 +0200 Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets These permissions are required when packets tagging following /usr/share/doc/nftables/examples/secmark.nft is enabled. Addresses the following AVC denial: type=AVC msg=audit(1661030515.019:1079): avc: denied { send } for pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0 and a similar one for chronyd_client_packet_t. Resolves: rhbz#2120016 --- policy/modules/contrib/chronyd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 165e311002..16ce14d97b 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t) corenet_udp_bind_generic_node(chronyd_t) corenet_sendrecv_ntp_server_packets(chronyd_t) +corenet_sendrecv_ntp_client_packets(chronyd_t) corenet_udp_bind_ntp_port(chronyd_t) corenet_udp_sendrecv_ntp_port(chronyd_t) corenet_sendrecv_chronyd_server_packets(chronyd_t) +corenet_sendrecv_chronyd_client_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t)
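Review bot: The two added lines, corenet_sendrecv_ntp_client_packets(chronyd_t) and corenet_sendrecv_chronyd_client_packets(chronyd_t), grant both send and receive on the client packet types, but the AVC quoted in the commit message shows only { send } being denied for ntp_client_packet_t, and the chronyd_client_packet_t denial is described without being quoted. If receive is also required (for example because reply packets carry the same label under the referenced secmark.nft ruleset), state that in the commit message and include the matching recv denial; otherwise a send-only grant would keep chronyd_t closer to least privilege. A short comment above the added lines noting that they only take effect when secmark packet labelling is enabled would also help later readers of chronyd.te understand why a server domain needs client packet permissions.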