selinux-policy/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch


From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 22 Aug 2022 10:41:49 +0200
Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets

These permissions are required when packet tagging following
/usr/share/doc/nftables/examples/secmark.nft is enabled.

Addresses the following AVC denial:

type=AVC msg=audit(1661030515.019:1079): avc: denied { send } for pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0

and a similar one for chronyd_client_packet_t.

Resolves: rhbz#2120016
---
policy/modules/contrib/chronyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 165e311002..16ce14d97b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t)
corenet_udp_bind_generic_node(chronyd_t)
corenet_sendrecv_ntp_server_packets(chronyd_t)
+corenet_sendrecv_ntp_client_packets(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
corenet_udp_sendrecv_ntp_port(chronyd_t)
corenet_sendrecv_chronyd_server_packets(chronyd_t)
+corenet_sendrecv_chronyd_client_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
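Review bot: the two new `corenet_sendrecv_*_client_packets(chronyd_t)` lines grant both send and recv on ntp_client_packet_t and chronyd_client_packet_t, but the quoted AVC only shows a `send` denial (chronyd_t sending to dest=123, tclass=packet), and the second denial for chronyd_client_packet_t is mentioned but not quoted; the commit message should quote that second AVC and state that the recv side was also observed or is needed for the replies, so the grant is documented as no broader than the secmark labelling requires. A short comment above the added lines in chronyd.te noting that these rules only matter when secmark packet labelling (the nftables secmark.nft example) is in use would also help future readers of the policy understand why chronyd needs client-packet permissions alongside the existing server-packet ones.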