[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

[Jason Zaman]

commit:     86b5f035516e0a10b3af98732667d2c4cb08b79c
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:37:54 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035

chronyd: allow chronyd to read /usr/share/crypto-policies

With RHEL9 /etc/crypto-policies/back-ends are symlinks to 
/usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661344395.351:395): avc:  denied  { getattr 
} for  pid=1014 comm="chronyd" 
path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 
scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { read } 
for  pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 
scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { open } 
for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" 
dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/chronyd.te 
b/policy/modules/services/chronyd.te
index 0cf41d3d..aca9a63f 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
+files_read_usr_files(chronyd_t)
+
 auth_use_nsswitch(chronyd_t)
 
 logging_send_syslog_msg(chronyd_t)