From d80c8f421faca35e80e665e8d3936d891463894a Mon Sep 17 00:00:00 2001
From: Dave Sugar <dsugar100@gmail.com>
Date: Sun, 10 Dec 2023 21:00:34 -0500
Subject: [PATCH] Denial during cockpit use

node=localhost type=USER_AVC msg=audit(1702256090.674:226515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" function="mac_selinux_filter" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
---
 policy/modules/services/chronyd.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 05689b81e..2e5130b1a 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -257,6 +257,7 @@ interface(`chronyd_enabledisable',`
 		class service { enable disable };
 	')
 
+	chronyd_status($1)
 	allow $1 chronyd_unit_t:service { enable disable };
 ')
 
@@ -276,6 +277,7 @@ interface(`chronyd_startstop',`
 		class service { start stop };
 	')
 
+	chronyd_status($1)
 	allow $1 chronyd_unit_t:service { start stop };
 ')