chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access net_admin

capability, this is required for its `hwtimestamp` option, which otherwise returns: ioctl(SIOCSHWTSTAMP) failed : Operation not permitted Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-08-31 17:58:51 +01:00 · 2021-08-31 17:58:51 +01:00 · f3ff01e332
parent e45d2fd1ef
commit f3ff01e332
1 changed files with 13 additions and 0 deletions
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@ -5,6 +5,14 @@ policy_module(chronyd, 1.8.0)
 # Declarations
 #

+## <desc>
+##      <p>
+##      Determine whether chronyd can access NIC hardware
+##      timestamping features
+##      </p>
+## </desc>
+gen_tunable(chronyd_hwtimestamp, false)
+
 attribute_role chronyc_roles;

 type chronyd_t;
@ -99,6 +107,11 @@ miscfiles_read_localization(chronyd_t)
 chronyd_dgram_send_cli(chronyd_t)
 chronyd_read_config(chronyd_t)

+tunable_policy(`chronyd_hwtimestamp',`
+	# net_admin required for SIOCSHWTSTAMP.
+	allow chronyd_t self:capability net_admin;
+')
+
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')