diff options
| author |   Chris PeBenito <pebenito@ieee.org> | 2018-06-23 10:38:58 -0400 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2018-06-24 16:33:24 +0800 |
| commit | 751926c0fbba4bf7105622ee65888b66740847a0 (patch) | |
| tree | 6bbdd39cd5becdddc8e4cbc41332c383874c7972 /policy/modules/services/ntp.if | |
| parent | xdg: move compat interfaces to upstream xdg module (diff) | |
| download | hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.gz hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.bz2 hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.zip | |
Move all files out of the old contrib directory.
Diffstat (limited to 'policy/modules/services/ntp.if')
| -rw-r--r-- | policy/modules/services/ntp.if | 255 |
1 files changed, 255 insertions, 0 deletions
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if new file mode 100644 index 000000000..31f711083 --- /dev/null +++ b/policy/modules/services/ntp.if @@ -0,0 +1,255 @@ +## <summary>Network time protocol daemon.</summary> + +######################################## +## <summary> +## NTP stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_stub',` + gen_require(` + type ntpd_t; + ') +') + +######################################## +## <summary> +## Read ntp.conf +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_read_config',` + gen_require(` + type ntp_conf_t; + ') + + allow $1 ntp_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute ntp server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ntp_domtrans',` + gen_require(` + type ntpd_t, ntpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ntpd_exec_t, ntpd_t) +') + +######################################## +## <summary> +## Execute ntp in the ntp domain, and +## allow the specified role the ntp domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ntp_run',` + gen_require(` + attribute_role ntpd_roles; + ') + + ntp_domtrans($1) + roleattribute $2 ntpd_roles; +') + +######################################## +## <summary> +## Execute ntpdate server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ntp_domtrans_ntpdate',` + gen_require(` + type ntpd_t, ntpdate_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ntpdate_exec_t, ntpd_t) +') + +######################################## +## <summary> +## Execute ntpd init scripts in +## the init script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ntp_initrc_domtrans',` + gen_require(` + type ntpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + +######################################## +## <summary> +## Read ntp conf files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_read_conf_files',` + gen_require(` + type ntp_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, ntp_conf_t, ntp_conf_t) +') + +######################################## +## <summary> +## Read ntp drift files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_read_drift_files',` + gen_require(` + type ntp_drift_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, ntp_drift_t, ntp_drift_t) +') + +######################################## +## <summary> +## Read and write ntpd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_rw_shm',` + gen_require(` + type ntpd_t, ntpd_tmpfs_t; + ') + + allow $1 ntpd_t:shm rw_shm_perms; + list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an ntp environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ntp_admin',` + gen_require(` + type ntpd_t, ntpd_tmp_t, ntpd_log_t; + type ntpd_key_t, ntpd_pid_t, ntp_conf_t; + type ntpd_initrc_exec_t, ntp_drift_t; + type ntpd_unit_t; + ') + + allow $1 ntpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ntpd_t) + + init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t) + + files_list_etc($1) + admin_pattern($1, { ntpd_key_t ntp_conf_t }) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) + + files_list_tmp($1) + admin_pattern($1, ntpd_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, ntp_drift_t) + + files_list_pids($1) + admin_pattern($1, ntpd_pid_t) + + ntp_run($1, $2) + + ifdef(`init_systemd',` + gen_require(` + class dbus send_msg; + ') + + allow $1 ntpd_t:dbus send_msg; + allow ntpd_t $1:dbus send_msg; + ') +') + +# This should be in an ifdef distro_gentoo but that is not allowed in if files + +######################################## +## <summary> +## Manage ntp(d) configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_manage_config',` + gen_require(` + type ntp_conf_t; + ') + + manage_files_pattern($1, ntp_conf_t, ntp_conf_t) +') |