Add interfaces to control ntpd_unit_t systemd services

Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>

1 files changed, 63 insertions, 0 deletions

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 31f71108..ff85b74b 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -179,6 +179,69 @@ interface(`ntp_rw_shm',`
 
 ########################################
 ## <summary>
+##	Allow specified domain to enable/disable ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_enabledisable',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service { enable disable };
+		')
+
+		allow $1 ntpd_unit_t:service { enable disable };
+	')
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start/stop ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_startstop',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service { start stop };
+		')
+
+		allow $1 ntpd_unit_t:service { start stop };
+	')
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_status',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service status;
+		')
+
+		allow $1 ntpd_unit_t:service status;
+	')
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an ntp environment.
 ## </summary>