]>
Commit | Line | Data |
---|---|---|
a513794b CP |
1 | ## <summary>Chrony NTP background daemon</summary> |
2 | ||
3 | ##################################### | |
4 | ## <summary> | |
5 | ## Execute chronyd in the chronyd domain. | |
6 | ## </summary> | |
7 | ## <param name="domain"> | |
8 | ## <summary> | |
288845a6 | 9 | ## Domain allowed to transition. |
a513794b CP |
10 | ## </summary> |
11 | ## </param> | |
12 | # | |
13 | interface(`chronyd_domtrans',` | |
14 | gen_require(` | |
15 | type chronyd_t, chronyd_exec_t; | |
16 | ') | |
17 | ||
18 | corecmd_search_bin($1) | |
19 | domtrans_pattern($1, chronyd_exec_t, chronyd_t) | |
20 | ') | |
21 | ||
3eaa9939 DW |
22 | ######################################## |
23 | ## <summary> | |
24 | ## Execute chronyd server in the chronyd domain. | |
25 | ## </summary> | |
26 | ## <param name="domain"> | |
27 | ## <summary> | |
3c484f5b | 28 | ## Domain allowed to transition. |
3eaa9939 DW |
29 | ## </summary> |
30 | ## </param> | |
31 | # | |
32 | interface(`chronyd_initrc_domtrans',` | |
33 | gen_require(` | |
34 | type chronyd_initrc_exec_t; | |
35 | ') | |
36 | ||
37 | init_labeled_script_domtrans($1, chronyd_initrc_exec_t) | |
38 | ') | |
39 | ||
a513794b CP |
40 | #################################### |
41 | ## <summary> | |
42 | ## Execute chronyd | |
43 | ## </summary> | |
44 | ## <param name="domain"> | |
45 | ## <summary> | |
dcbb3329 | 46 | ## Domain allowed access. |
a513794b CP |
47 | ## </summary> |
48 | ## </param> | |
49 | # | |
50 | interface(`chronyd_exec',` | |
51 | gen_require(` | |
52 | type chronyd_exec_t; | |
53 | ') | |
54 | ||
55 | can_exec($1, chronyd_exec_t) | |
56 | ') | |
57 | ||
58 | ##################################### | |
59 | ## <summary> | |
60 | ## Read chronyd logs. | |
61 | ## </summary> | |
62 | ## <param name="domain"> | |
63 | ## <summary> | |
64 | ## Domain allowed access. | |
65 | ## </summary> | |
66 | ## </param> | |
67 | # | |
68 | interface(`chronyd_read_log',` | |
69 | gen_require(` | |
70 | type chronyd_var_log_t; | |
71 | ') | |
72 | ||
73 | logging_search_logs($1) | |
74 | read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) | |
75 | ') | |
76 | ||
3eaa9939 DW |
77 | ######################################## |
78 | ## <summary> | |
79 | ## Read and write chronyd shared memory. | |
80 | ## </summary> | |
81 | ## <param name="domain"> | |
82 | ## <summary> | |
83 | ## Domain allowed access. | |
84 | ## </summary> | |
85 | ## </param> | |
86 | # | |
87 | interface(`chronyd_rw_shm',` | |
88 | gen_require(` | |
89 | type chronyd_t, chronyd_tmpfs_t; | |
90 | ') | |
91 | ||
92 | allow $1 chronyd_t:shm rw_shm_perms; | |
93 | allow $1 chronyd_tmpfs_t:dir list_dir_perms; | |
94 | rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) | |
95 | read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) | |
96 | fs_search_tmpfs($1) | |
97 | ') | |
98 | ||
99 | ######################################## | |
100 | ## <summary> | |
101 | ## Read chronyd keys files. | |
102 | ## </summary> | |
103 | ## <param name="domain"> | |
104 | ## <summary> | |
105 | ## Domain allowed access. | |
106 | ## </summary> | |
107 | ## </param> | |
108 | # | |
109 | interface(`chronyd_read_keys',` | |
110 | gen_require(` | |
111 | type chronyd_keys_t; | |
112 | ') | |
113 | ||
114 | read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) | |
115 | ') | |
116 | ||
117 | ######################################## | |
118 | ## <summary> | |
119 | ## Append chronyd keys files. | |
120 | ## </summary> | |
121 | ## <param name="domain"> | |
122 | ## <summary> | |
123 | ## Domain allowed access. | |
124 | ## </summary> | |
125 | ## </param> | |
126 | # | |
127 | interface(`chronyd_append_keys',` | |
128 | gen_require(` | |
129 | type chronyd_keys_t; | |
130 | ') | |
131 | ||
132 | append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) | |
133 | ') | |
134 | ||
6b417086 DW |
135 | ######################################## |
136 | ## <summary> | |
137 | ## Execute chronyd server in the chronyd domain. | |
138 | ## </summary> | |
139 | ## <param name="domain"> | |
140 | ## <summary> | |
141 | ## Domain allowed to transition. | |
142 | ## </summary> | |
143 | ## </param> | |
144 | # | |
d18a5c8c | 145 | interface(`chronyd_systemctl',` |
6b417086 | 146 | gen_require(` |
22d55406 | 147 | type chronyd_t; |
8149320e | 148 | type chronyd_unit_file_t; |
6b417086 DW |
149 | ') |
150 | ||
151 | systemd_exec_systemctl($1) | |
8149320e DW |
152 | allow $1 chronyd_unit_file_t:file read_file_perms; |
153 | allow $1 chronyd_unit_file_t:service all_service_perms; | |
bf0dadf9 DW |
154 | |
155 | ps_process_pattern($1, chronyd_t) | |
6b417086 DW |
156 | ') |
157 | ||
4efd70c9 DW |
158 | ######################################## |
159 | ## <summary> | |
160 | ## Connect to chronyd over an unix stream socket. | |
161 | ## </summary> | |
162 | ## <param name="domain"> | |
163 | ## <summary> | |
164 | ## Domain allowed access. | |
165 | ## </summary> | |
166 | ## </param> | |
167 | # | |
168 | interface(`chronyd_stream_connect',` | |
169 | gen_require(` | |
170 | type chronyd_t, chronyd_var_run_t; | |
171 | ') | |
172 | ||
173 | files_search_pids($1) | |
174 | stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) | |
175 | ') | |
176 | ||
20e45a99 DW |
177 | ######################################## |
178 | ## <summary> | |
179 | ## Send to chronyd over a unix domain | |
180 | ## datagram socket. | |
181 | ## </summary> | |
182 | ## <param name="domain"> | |
183 | ## <summary> | |
184 | ## Domain allowed access. | |
185 | ## </summary> | |
186 | ## </param> | |
187 | # | |
188 | interface(`chronyd_dgram_send',` | |
189 | gen_require(` | |
190 | type chronyd_t; | |
191 | ') | |
192 | ||
193 | allow $1 chronyd_t:unix_dgram_socket sendto; | |
194 | ') | |
195 | ||
a513794b CP |
196 | #################################### |
197 | ## <summary> | |
198 | ## All of the rules required to administrate | |
199 | ## an chronyd environment | |
200 | ## </summary> | |
201 | ## <param name="domain"> | |
202 | ## <summary> | |
203 | ## Domain allowed access. | |
204 | ## </summary> | |
205 | ## </param> | |
206 | ## <param name="role"> | |
207 | ## <summary> | |
208 | ## The role to be allowed to manage the chronyd domain. | |
209 | ## </summary> | |
210 | ## </param> | |
211 | ## <rolecap/> | |
212 | # | |
213 | interface(`chronyd_admin',` | |
214 | gen_require(` | |
6bb4d401 DG |
215 | type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; |
216 | type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; | |
217 | type chronyd_keys_t; | |
a513794b CP |
218 | ') |
219 | ||
995bdbb1 | 220 | allow $1 chronyd_t:process signal_perms; |
a513794b CP |
221 | ps_process_pattern($1, chronyd_t) |
222 | ||
995bdbb1 | 223 | tunable_policy(`deny_ptrace',`',` |
224 | allow $1 chronyd_t:process ptrace; | |
225 | ') | |
226 | ||
a513794b CP |
227 | init_labeled_script_domtrans($1, chronyd_initrc_exec_t) |
228 | domain_system_change_exemption($1) | |
229 | role_transition $2 chronyd_initrc_exec_t system_r; | |
230 | allow $2 system_r; | |
231 | ||
61f40642 | 232 | files_list_etc($1) |
dcbb3329 JS |
233 | admin_pattern($1, chronyd_keys_t) |
234 | ||
61f40642 | 235 | logging_list_logs($1) |
a513794b CP |
236 | admin_pattern($1, chronyd_var_log_t) |
237 | ||
61f40642 | 238 | files_list_var_lib($1) |
a513794b CP |
239 | admin_pattern($1, chronyd_var_lib_t) |
240 | ||
61f40642 | 241 | files_list_pids($1) |
a513794b CP |
242 | admin_pattern($1, chronyd_var_run_t) |
243 | ||
3eaa9939 | 244 | admin_pattern($1, chronyd_tmpfs_t) |
6b417086 | 245 | |
7a6b3619 | 246 | chronyd_systemctl($1) |
a513794b | 247 | ') |