Allow chronyd_t to accept and make NTS-KE connections #335
Conversation
@mlichvar, this permission set seems to be broader than the one reported in the bz - do you have any scenario to trigger them or a test suite to cover the new functionality? On the other hand, the reference to the /run/chrony-dhcp directory has not been addressed yet. Which process creates the directory?
I think the AVCs in the RH bug didn't cover a client connecting to the server. There is an NTS test in the upstream test suite, but it doesn't use the system service and selinux labels, so that won't help much. Here is a trimmed-down version doing that: As for the /run/chrony-dhcp directory, it's created by the same process that created /run/chrony-helper, that is the NetworkManager dispatcher or dhclient.

BTW, I'm not sure if all those rules are really needed. I just used the same rules as some other services that implement a TCP server and client on a labelled port.
Interesting. The script in SELinux permissive mode triggers just the permissions as in the bz: For the other permissions, it usually is the maintainer who is able to assess which permissions are actually needed. This is how one of the additional interface calls expands: If you are unable to answer it right away, can we proceed and allow only those permissions which popped up in some use case? I also haven't noticed any /run files interactions, even after having it running for some time or restarted. Does it need more time?
I suppose you mean /usr/lib/NetworkManager/dispatcher.d/11-dhclient. Note that in another bz (#1880948) we can see initrc_var_run_t for the same file.
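The approach described above (run the service in permissive mode, collect the AVCs that actually fire, and grant only those) is what audit2allow automates. The following is an added example, not code from the chrony or selinux-policy projects: it aggregates constructed audit lines modelled on the NTS-KE denials discussed here (name_bind and name_connect on ntske_port_t, listen and accept on chronyd's own TCP socket) into minimal allow rules, and then reports which permissions in a broader candidate rule set were never observed. The audit lines, the candidate rules and the function names are all assumptions made for the example; real audit records carry more fields and the ones here are trimmed.

```python
"""Turn SELinux AVC denials into minimal allow rules and diff them against a
candidate policy.

Added example, not part of chrony or selinux-policy.  SAMPLE_AUDIT and
CANDIDATE_RULES are constructed for illustration.
"""
import re
from collections import defaultdict

# One AVC record per line.  We only need the permission set, the source and
# target contexts and the object class; everything else is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# allow <src> <tgt>:<class> { p1 p2 };   or   allow <src> <tgt>:<class> p1;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|([^\s;]+))\s*;"
)

# Constructed audit lines (not captured from a real host).  The last line is
# from a different domain and must be ignored when we look at chronyd_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1600000000.101:301): avc:  denied  { name_bind } for  pid=1001 comm="chronyd" src=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.102:302): avc:  denied  { listen } for  pid=1001 comm="chronyd" laddr=::1 lport=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.103:303): avc:  denied  { accept } for  pid=1001 comm="chronyd" laddr=::1 lport=4460 faddr=::1 fport=40000 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.104:304): avc:  denied  { name_connect } for  pid=1001 comm="chronyd" dest=4460 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.105:305): avc:  denied  { name_bind } for  pid=2002 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket permissive=1
"""

# Constructed "broad" candidate, standing in for rules copied from another
# TCP service; it is not the rule set from this PR.
CANDIDATE_RULES = [
    "allow chronyd_t ntske_port_t:tcp_socket { name_bind name_connect };",
    "allow chronyd_t self:tcp_socket { accept bind connect create listen read write };",
]


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avcs(lines, domain):
    """Return {(target_type, tclass): set(perms)} for denials whose source
    type is `domain`.  A target equal to the source is reported as `self`,
    matching how policy rules are written."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        src = _type_of(m.group("scontext"))
        if src != domain:
            continue
        tgt = _type_of(m.group("tcontext"))
        if tgt == src:
            tgt = "self"
        denials[(tgt, m.group("tclass"))].update(m.group("perms").split())
    return denials


def allow_rules(denials, domain):
    """Render the observed denials as the smallest set of allow rules."""
    return [
        f"allow {domain} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (tgt, cls), perms in sorted(denials.items())
    ]


def unobserved_permissions(candidate_rules, denials, domain):
    """Permissions a candidate rule grants that never appeared as a denial.
    These are the ones a maintainer should justify or drop."""
    extra = {}
    for rule in candidate_rules:
        m = RULE_RE.match(rule.strip())
        if not m or m.group(1) != domain:
            continue
        tgt, cls = m.group(2), m.group(3)
        perms = set((m.group(4) or m.group(5)).split())
        unused = perms - denials.get((tgt, cls), set())
        if unused:
            extra[(tgt, cls)] = sorted(unused)
    return extra


if __name__ == "__main__":
    seen = parse_avcs(SAMPLE_AUDIT.splitlines(), "chronyd_t")
    for rule in allow_rules(seen, "chronyd_t"):
        print(rule)
    for (tgt, cls), perms in unobserved_permissions(CANDIDATE_RULES, seen, "chronyd_t").items():
        print(f"never observed on {tgt}:{cls}: {' '.join(perms)}")
```

On a real host the input would come from `ausearch -m AVC -c chronyd` (or /var/log/audit/audit.log) after exercising both the server and the client side of NTS-KE in permissive mode; a permission that only shows up in the candidate rule set and never in the audit trail is exactly what the reviewer is asking to leave out.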
Do you have the latest chrony package (chrony-4.0-0.9.pre4.fc33) installed? It should be using the ntske port. I'm also getting an AVC for the accept syscall, not just listen.
I'm not sure what exactly is tcp_send or tcp_recv. If it's supposed to be the send/recv syscall on a TCP socket, then yes, chronyd does that. Maybe they would show only on the labelled port?
No, it just needs your DHCP server to provide clients with an NTP server. If you run dnsmasq as the DHCP server, you can specify the NTP server with
Yes, it is a directory created by
Maybe that's when using networking scripts (dhclient) instead of NetworkManager?
5db3a13 to 214b711
I've removed some of the rules as suggested.
Hm, that's odd.
Ok. Thank you.
Miroslav, thank you for your effort, merging and backporting to f33.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1872624