commit: 86b5f035516e0a10b3af98732667d2c4cb08b79c Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com> AuthorDate: Wed Aug 24 14:37:54 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Sep 3 19:07:49 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035
chronyd: allow chronyd to read /usr/share/crypto-policies With RHEL9 /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/* node=localhost type=AVC msg=audit(1661344395.351:395): avc: denied { getattr } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { read } for pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { open } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/services/chronyd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index 0cf41d3d..aca9a63f 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t) dev_rw_realtime_clock(chronyd_t) +files_read_usr_files(chronyd_t) + auth_use_nsswitch(chronyd_t) logging_send_syslog_msg(chronyd_t)