commit: 9e1c1bd7bea5914d53bd47f5a6255d539b2996db Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Tue Jun 17 12:44:34 2025 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Jul 15 07:52:23 2025 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e1c1bd7
Updates for recent versions of ntpd interacting with systemd
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ntp.fc | 1 +
policy/modules/services/ntp.te | 2 ++
2 files changed, 3 insertions(+)
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4f19959e7..4acb28754 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -13,6 +13,7 @@
 /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/run/lock/ntpsec-ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
 /run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0)
 /usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 65d2fc396..af4ac48ab 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -97,6 +97,7 @@ can_exec(ntpd_t, ntpd_exec_t)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_read_vm_overcommit_sysctl(ntpd_t)
 kernel_request_load_module(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
@@ -133,6 +134,7 @@ term_use_ptmx(ntpd_t)
 auth_use_nsswitch(ntpd_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpsec-ntpdate")
 init_exec_script_files(ntpd_t)
 logging_send_syslog_msg(ntpd_t)
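Review bot: The second ntp.te hunk lets init create and label /run/lock/ntpsec-ntpdate as ntpd_lock_t via `init_daemon_lock_file(ntpd_lock_t, file, "ntpsec-ntpdate")`, but grants ntpd_t itself no access to ntpd_lock_t; if the ntpsec-ntpdate step running as ntpd_t also reads, writes or removes that lock, the matching filetrans and manage rules for ntpd_t are still missing, which is worth confirming against the denial this change was derived from since the commit message does not record it. The declaration of ntpd_lock_t is not part of this diff either, so both the new ntp.fc entry and the interface call rely on that type already being declared in ntp.te. A one-line comment above the added call, `# init creates the ntpsec-ntpdate lock file; ntpd_t does not manage it`, would make the intended ownership split explicit for the next reader. The ntpd_t rule block this hunk belongs to continues outside the hunk.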
