From 96ea14ed594239951f0b9a0523797c2ccab63865 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 1 Sep 2021 19:37:19 +0000
Subject: [PATCH] systemd, ssh, ntp: Read fips_enabled crypto sysctl.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/ntp.te | 1 +
 policy/modules/services/ssh.if | 1 +
 policy/modules/system/systemd.te | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 1626ae87a..4d7e00243 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -94,6 +94,7 @@ can_exec(ntpd_t, ntpd_exec_t)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_read_crypto_sysctls(ntpd_t)
 kernel_request_load_module(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 10b8d12e5..ae23e1995 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -214,6 +214,7 @@ template(`ssh_server_template', `
 kernel_read_kernel_sysctls($1_t)
 kernel_read_network_state($1_t)
+kernel_read_crypto_sysctls($1_t)
 corenet_all_recvfrom_netlabel($1_t)
 corenet_tcp_sendrecv_generic_if($1_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4bc6b04cd..0d55588ed 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -577,6 +577,7 @@ optional_policy(`
 dontaudit systemd_log_parse_env_type self:capability net_admin;
 kernel_read_system_state(systemd_log_parse_env_type)
+kernel_read_crypto_sysctls(systemd_log_parse_env_type)
 dev_write_kmsg(systemd_log_parse_env_type)
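Review bot: Nothing in the ntp.te hunk records why ntpd_t needs `kernel_read_crypto_sysctls`, and the interface name suggests it grants read on the whole crypto sysctl tree (presumably the sysctl_crypto_t type under /proc/sys/crypto), which is wider than the single fips_enabled file named in the subject line. A one-line comment above the new call, such as `# /proc/sys/crypto/fips_enabled is read to detect FIPS mode`, would tell the next maintainer which access is actually required so the rule is not widened or dropped blindly later. If the read comes from a crypto library that ntpd links against rather than ntpd itself, naming that library in the comment would be even more useful. The surrounding ntpd_t policy block continues outside the hunk.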
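Review bot: The ssh.if hunk adds `kernel_read_crypto_sysctls($1_t)` inside ssh_server_template, so every domain instantiated from the template receives read access to all crypto sysctls, not only fips_enabled; this is read-only and low risk, but the reason belongs in the policy, e.g. `# sshd checks /proc/sys/crypto/fips_enabled at startup` above the new line. If the ssh client domain in this module links against the same crypto library, it would presumably hit the same denial, and the commit only covers the server side, so that is worth confirming with a quick audit of the client domain under FIPS mode. The template definition starts before the hunk and its body continues after the last context line shown.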