v2 update - rework, creating interface 'init_systemd_conditional'
as suggested. This grants getattr access to the type provided.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/chronyd.te | 2 ++
policy/modules/system/init.if | 26 ++++++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 5e680d39..7ae8bb5a 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
chronyd_dgram_send_cli(chronyd_t)
chronyd_read_config(chronyd_t)
+init_systemd_conditional(chronyd_conf_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 62ab4da8..5a0a78bf 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+
+########################################
+## <summary>
+## Allow init_t getattr permissions. Generally
+## needed for types that are used in a Condition
+## predicate.
+## </summary>
+## <param name="domain">
+## <summary>
+## type accessible by init_t
+## </summary>
+## </param>
+#
+interface(`init_systemd_conditional',`
+ gen_require(`
+ type init_t;
+ ')
+ allow init_t $1:dir search_dir_perms;
+ allow init_t $1:lnk_file read_lnk_file_perms;
+ allow init_t $1:fifo_file getattr_fifo_file_perms;
+ allow init_t $1:sock_file getattr_sock_file_perms;
+ allow init_t $1:file getattr_file_perms;
+ allow init_t $1:blk_file getattr_blk_file_perms;
+ allow init_t $1:chr_file getattr_chr_file_perms;
+')
+
########################################
## <summary>
## Allow unconfined access to send instructions to init
--
2.24.1
