CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: chronyd - allow chronyd_t kernel_t:system module_request

Browse Source 
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
Clayton Casciato 2025-10-16 10:37:37 -06:00 committed by Yi Zhao
parent c2410e4255
commit 78f6c42fd3
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
recipes-security/refpolicy/refpolicy/0061-policy-modules-services-chronyd-allow-chronyd_t-kern.patch Normal file
View File

@ -0,0 +1,53 @@
From a0493c5d152bb03a9b8bb15823fbc3116f856e1a Mon Sep 17 00:00:00 2001
From: Clayton Casciato <ccasciato@21sw.us>
Date: Tue, 10 Jun 2025 21:30:13 -0600
Subject: [PATCH] chronyd: allow chronyd_t kernel_t:system module_request
type=PROCTITLE proctitle=/usr/sbin/chronyd
type=SYSCALL arch=armeb syscall=socket per=PER_LINUX success=no
exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6
a1=SOCK_DGRAM a2=ip a3=0x80800 items=0 ppid=1 pid=1308 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd
subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC avc: denied { module_request } for pid=1308 comm=chronyd
kmod="net-pf-10" scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
--
Issue background: https://access.redhat.com/solutions/6768131
--
Fedora:
https://github.com/fedora-selinux/selinux-policy/commit/d5acb7734d02012c54bee0064155c477b96f0bdd
$ sesearch -A --source chronyd_t --target kernel_t --class system --perm module_request
allow chronyd_t kernel_t:system module_request;
allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/2836207462b68c54cf21ad21f7f6befffbb1aef0]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
policy/modules/services/chronyd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 3d4007a57..0cac72e13 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -83,6 +83,7 @@ files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+kernel_request_load_module(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
corenet_udp_sendrecv_generic_if(chronyd_t)

1
recipes-security/refpolicy/refpolicy_common.inc
View File

@ -76,6 +76,7 @@ SRC_URI += " \
file://0058-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
file://0059-policy-modules-system-systemd-allow-systemd_generato.patch \
file://0060-policy-modules-system-unconfined-allow-firewalld_t-u.patch \
file://0061-policy-modules-services-chronyd-allow-chronyd_t-kern.patch \
"
S = "${WORKDIR}/refpolicy"