aa7e8d4091
systemd-timesyncd uses network_is_online() [1], which calls
sd_network_get_operational_state() [2], which reads
/run/systemd/netif/state [3]:
r = parse_env_file(NULL, "/run/systemd/netif/state", "OPER_STATE", &s);
On a Debian virtual machine created with Vagrant,
/run/systemd/netif/state contains:
# This is private data. Do not parse.
OPER_STATE=routable
DNS=192.168.121.1 172.28.128.1
systemd-timesyncd's access produces the following logs:
type=AVC msg=audit(1567359197.660:323): avc: denied { read } for
pid=230 comm="systemd-timesyn" name="state" dev="tmpfs" ino=24564
scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
permissive=1
type=AVC msg=audit(1567359197.660:324): avc: denied { open } for
pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
permissive=1
type=AVC msg=audit(1567359197.660:325): avc: denied { getattr }
for pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
permissive=1
Allow these accesses.
[1] https://github.com/systemd/systemd/blob/v242/src/timesync/timesyncd.c#L158
[2] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/network-util.c#L13
[3] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/sd-network.c#L27
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||
|---|---|---|
| .. | ||
| flask | ||
| modules | ||
| support | ||
| constraints | ||
| context_defaults | ||
| global_booleans | ||
| global_tunables | ||
| mcs | ||
| mls | ||
| policy_capabilities | ||
| users | ||