v2 update - rework, creating interface 'init_systemd_conditional' as suggested. This grants getattr access to the type provided. Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/services/chronyd.te | 2 ++ policy/modules/system/init.if | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index 5e680d39..7ae8bb5a 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t) chronyd_dgram_send_cli(chronyd_t) chronyd_read_config(chronyd_t) +init_systemd_conditional(chronyd_conf_t) + optional_policy(` gpsd_rw_shm(chronyd_t) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 62ab4da8..5a0a78bf 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',` allow $1 { init_script_file_type systemdunit }:service reload; ') + +######################################## +## <summary> +## Allow init_t getattr permissions. Generally +## needed for types that are used in a Condition +## predicate. +## </summary> +## <param name="domain"> +## <summary> +## type accessible by init_t +## </summary> +## </param> +# +interface(`init_systemd_conditional',` + gen_require(` + type init_t; + ') + allow init_t $1:dir search_dir_perms; + allow init_t $1:lnk_file read_lnk_file_perms; + allow init_t $1:fifo_file getattr_fifo_file_perms; + allow init_t $1:sock_file getattr_sock_file_perms; + allow init_t $1:file getattr_file_perms; + allow init_t $1:blk_file getattr_blk_file_perms; + allow init_t $1:chr_file getattr_chr_file_perms; +') + ######################################## ## <summary> ## Allow unconfined access to send instructions to init -- 2.24.1