[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Sat, 03 Sep 2022 12:54:14 -0700 

commit:     087ca14923766efc87202a6b8a98f701105ff7a1
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:32:45 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=087ca149

chronyd: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { search } 
for  pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 
scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { read } 
for  pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 
scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { open } 
for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" 
ino=10743 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc:  denied  { getattr 
} for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" 
ino=10743 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/chronyd.te 
b/policy/modules/services/chronyd.te
index 3354485c..0cf41d3d 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -81,6 +81,7 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, 
chronyd_runtime_t)
 manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(chronyd_t)
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)

Reply via email to