Added selinux policy

scientist-st · scientist-st · commit 177b5ab67c64 · 2026-03-26T17:09:07.000+01:00
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -139,7 +139,7 @@ build (s)rpm:
     - .skip_manual_for_pr_template
   stage: "🚧 Build Stage 2"
   script:
-    - sudo dnf install -y rpmdevtools systemd-rpm-macros
+    - sudo dnf install -y rpmdevtools systemd-rpm-macros selinux-policy-devel
     - sed -i "s/set(CPACK_RPM_PACKAGE_RELEASE \"[0-9]\+\")/set(CPACK_RPM_PACKAGE_RELEASE \"${CI_PIPELINE_IID}\")/" packaging/rpm/cpack_config.cmake
     - cmake . -B $BUILD_WORKSPACE -DAPS_CHRONY_DBUS_SERVICE_FETCH_CONTENT_USE_GITLAB_CI_TOKEN=ON -DCMAKE_BUILD_TYPE=Release -DAPS_CHRONY_DBUS_SERVICE_BUILD_TESTS=OFF -DAPS_CHRONY_DBUS_SERVICE_CPACK_RPM_TYPE=RPM
     - cmake --build $BUILD_WORKSPACE --parallel $PARALLEL
@@ -151,6 +151,11 @@ build (s)rpm:
     - pushd $BUILD_WORKSPACE
     - ../scripts/build_rpm.sh
     - popd
+    - cp -r ./packaging/selinux/ $BUILD_WORKSPACE/
+    - pushd $BUILD_WORKSPACE/selinux/
+    - ../scripts/build_selinux_policy.sh
+    - mv *.rpm $BUILD_WORKSPACE
+    - popd
     - mkdir -p $BUILD_WORKSPACE/RPM
     - rm -rf $BUILD_WORKSPACE/RPM/*
     - mv $BUILD_WORKSPACE/*.rpm $BUILD_WORKSPACE/RPM
diff --git a/packaging/selinux/chrony_dbus_service.fc b/packaging/selinux/chrony_dbus_service.fc
@@ -0,0 +1 @@
+/usr/bin/chrony-dbus-service		--	gen_context(system_u:object_r:chrony_dbus_service_exec_t,s0)
diff --git a/packaging/selinux/chrony_dbus_service.if b/packaging/selinux/chrony_dbus_service.if
@@ -0,0 +1,61 @@
+
+## <summary>policy for chrony_dbus_service</summary>
+
+########################################
+## <summary>
+##	Execute chrony_dbus_service_exec_t in the chrony_dbus_service domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrony_dbus_service_domtrans',`
+	gen_require(`
+		type chrony_dbus_service_t, chrony_dbus_service_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chrony_dbus_service_exec_t, chrony_dbus_service_t)
+')
+
+######################################
+## <summary>
+##	Execute chrony_dbus_service in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chrony_dbus_service_exec',`
+	gen_require(`
+		type chrony_dbus_service_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, chrony_dbus_service_exec_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	chrony_dbus_service over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chrony_dbus_service_dbus_chat',`
+	gen_require(`
+		type chrony_dbus_service_t;
+		class dbus send_msg;
+	')
+
+	allow $1 chrony_dbus_service_t:dbus send_msg;
+	allow chrony_dbus_service_t $1:dbus send_msg;
+')
diff --git a/packaging/selinux/chrony_dbus_service.te b/packaging/selinux/chrony_dbus_service.te
@@ -0,0 +1,47 @@
+policy_module(chrony_dbus_service, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrony_dbus_service_t;
+type chrony_dbus_service_exec_t;
+init_daemon_domain(chrony_dbus_service_t, chrony_dbus_service_exec_t)
+
+permissive chrony_dbus_service_t;
+
+########################################
+#
+# chrony_dbus_service local policy
+#
+allow chrony_dbus_service_t self:fifo_file rw_fifo_file_perms;
+allow chrony_dbus_service_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(chrony_dbus_service_t)
+
+files_read_etc_files(chrony_dbus_service_t)
+
+miscfiles_read_localization(chrony_dbus_service_t)
+
+sysnet_dns_name_resolve(chrony_dbus_service_t)
+
+optional_policy(`
+	dbus_system_bus_client(chrony_dbus_service_t)
+	dbus_connect_system_bus(chrony_dbus_service_t)
+')
+
+require {
+	type chronyd_t;
+	type chronyd_var_run_t;
+}
+
+#============= chrony_dbus_service_t ==============
+allow chrony_dbus_service_t chronyd_t:unix_dgram_socket sendto;
+allow chrony_dbus_service_t chronyd_var_run_t:dir { add_name remove_name write };
+allow chrony_dbus_service_t chronyd_var_run_t:sock_file { create getattr setattr unlink write };
+allow chrony_dbus_service_t self:capability { dac_override dac_read_search };
+allow chrony_dbus_service_t self:unix_dgram_socket { bind connect create setopt };
+
+#============= chronyd_t ==============
+allow chronyd_t chrony_dbus_service_t:unix_dgram_socket sendto;
diff --git a/packaging/selinux/chrony_dbus_service_selinux.spec b/packaging/selinux/chrony_dbus_service_selinux.spec
@@ -0,0 +1,68 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/bin/chrony-dbus-service; \
+
+%define selinux_policyver 40.30-1
+
+Name:   chrony-dbus-service-selinux
+Version:	1.0
+Release:	1%{?dist}
+Summary:	SELinux policy module for chrony_dbus_service
+
+Group:	System Environment/Base
+License:	GPLv2+
+
+URL:		https://github.com/AP-Sensing/chrony-dbus-service
+Source0:	chrony_dbus_service.pp
+Source1:	chrony_dbus_service.if
+
+
+Requires: policycoreutils-python-utils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
+Requires(post): chrony-dbus-service, chrony-dbus-service, chrony-dbus-service
+BuildArch: noarch
+
+%description
+This package installs and sets up the  SELinux policy security module for chrony_dbus_service.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/chrony_dbus_service.pp
+
+if [ $1 -eq 1 ]; then
+
+fi
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+
+    semodule -n -r chrony_dbus_service
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/chrony_dbus_service.pp
+%{_datadir}/selinux/devel/include/contrib/chrony_dbus_service.if
+
+
+%changelog
+* Thu Mar 26 2026 Samuel Stirtzel <s.stirtzel@googlemail.com> 1.0-1
+- Initial version
+
diff --git a/scripts/build_selinux_policy.sh b/scripts/build_selinux_policy.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+printf "🗂️  Building Policy...\n"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+
+make -f /usr/share/selinux/devel/Makefile chrony_dbus_service.pp
+
+ret=$?
+if [ $ret -ne 0 ]; then
+    printf "❌ ${RED}Building Policy failed.?${NC}\n"
+else
+    printf "✅ ${GREEN}Policy build successfully. Output: $(pwd)${NC}\n"
+fi
+
+printf "🗂️  Building Policy RPM...\n"
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba chrony_dbus_service_selinux.spec
+
+if [ $ret -ne 0 ]; then
+    printf "❌ ${RED}Building Policy RPM failed. Did you build successfully before (pressed F7)?${NC}\n"
+else
+    printf "✅ ${GREEN}Policy RPM build successfully. Output: $(pwd)${NC}\n"
+fi
+
+exit $ret

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+/usr/bin/chrony-dbus-service -- gen_context(system_u:object_r:chrony_dbus_service_exec_t,s0)`