ntp: allow ntpd to set rlimit_memlock

Fixes:
ntpd[249]: Cannot set RLIMIT_MEMLOCK: Operation not permitted

avc:  denied  { sys_resource } for  pid=247 comm="ntpd" capability=24
scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 tclass=capability
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao 2020-07-08 15:02:32 +08:00
parent 5e7b58612e
commit f24f38f0f2
1 changed files with 2 additions and 2 deletions


@ -53,8 +53,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_resource };
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
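Review bot: The new allow line grants ntpd_t the entire sys_resource capability for what the commit message describes as a single RLIMIT_MEMLOCK adjustment; SELinux cannot scope a capability to one rlimit, so this is broader than the observed need. A narrower fix, if the deployment permits it, is to raise the service's hard MEMLOCK limit in its init script or unit file, since setrlimit only needs CAP_SYS_RESOURCE when exceeding the hard limit (the `process { ... setrlimit }` permission already present on the following line covers the call itself). If the capability is kept, a short comment tying it to the denial would help the next maintainer decide whether it can be dropped later, e.g. `# sys_resource: ntpd raises RLIMIT_MEMLOCK at startup`. Removing sys_resource from the dontaudit rule at the same time is consistent, as the two rules would otherwise overlap.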