[people/stevee/selinux-policy.git] / policy / modules / services / chronyd.if

## <summary>Chrony NTP background daemon</summary>

#####################################
## <summary>
##	Execute chronyd in the chronyd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`chronyd_domtrans',`
	gen_require(`
		type chronyd_t, chronyd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')

########################################
## <summary>
##	Execute chronyd server in the chronyd  domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`chronyd_initrc_domtrans',`
	gen_require(`
		type chronyd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
')

####################################
## <summary>
##	Execute chronyd
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_exec',`
	gen_require(`
		type chronyd_exec_t;
	')

	can_exec($1, chronyd_exec_t)
')

#####################################
## <summary>
##	Read chronyd logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_read_log',`
	gen_require(`
		type chronyd_var_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')

########################################
## <summary>
##	Read and write chronyd shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_rw_shm',`
	gen_require(`
		type chronyd_t, chronyd_tmpfs_t;
	')

	allow $1 chronyd_t:shm rw_shm_perms;
	allow $1 chronyd_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	fs_search_tmpfs($1)
')

########################################
## <summary>
##	Read chronyd keys files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_read_keys',`
	gen_require(`
		type chronyd_keys_t;
	')

	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')

########################################
## <summary>
##	Append chronyd keys files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_append_keys',`
	gen_require(`
		type chronyd_keys_t;
	')

	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')

########################################
## <summary>
##	Execute chronyd server in the chronyd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`chronyd_systemctl',`
	gen_require(`
		type chronyd_t;
		type chronyd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 chronyd_unit_file_t:file read_file_perms;
	allow $1 chronyd_unit_file_t:service all_service_perms;

	ps_process_pattern($1, chronyd_t)
')

########################################
## <summary>
##	Connect to chronyd over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_stream_connect',`
	gen_require(`
		type chronyd_t, chronyd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')

########################################
## <summary>
##	Send to chronyd over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`chronyd_dgram_send',`
	gen_require(`
		type chronyd_t;
	')

	allow $1 chronyd_t:unix_dgram_socket sendto;
')

####################################
## <summary>
##	All of the rules required to administrate
##	an chronyd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the chronyd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`chronyd_admin',`
	gen_require(`
		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
		type chronyd_keys_t;
	')

	allow $1 chronyd_t:process signal_perms;
	ps_process_pattern($1, chronyd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 chronyd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 chronyd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, chronyd_keys_t)

	logging_list_logs($1)
	admin_pattern($1, chronyd_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, chronyd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, chronyd_var_run_t)

	admin_pattern($1, chronyd_tmpfs_t)

	chronyd_systemctl($1)
')
Commit	Line	Data
a513794b CP	1	## <summary>Chrony NTP background daemon</summary>
	2
	3	#####################################
	4	## <summary>
	5	## Execute chronyd in the chronyd domain.
	6	## </summary>
	7	## <param name="domain">
	8	## <summary>
288845a6	9	## Domain allowed to transition.
a513794b CP	10	## </summary>
	11	## </param>
	12	#
	13	interface(`chronyd_domtrans',`
	14	gen_require(`
	15	type chronyd_t, chronyd_exec_t;
	16	')
	17
	18	corecmd_search_bin($1)
	19	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
	20	')
	21
3eaa9939 DW	22	########################################
	23	## <summary>
	24	## Execute chronyd server in the chronyd domain.
	25	## </summary>
	26	## <param name="domain">
	27	## <summary>
3c484f5b	28	## Domain allowed to transition.
3eaa9939 DW	29	## </summary>
	30	## </param>
	31	#
	32	interface(`chronyd_initrc_domtrans',`
	33	gen_require(`
	34	type chronyd_initrc_exec_t;
	35	')
	36
	37	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	38	')
	39
a513794b CP	40	####################################
	41	## <summary>
	42	## Execute chronyd
	43	## </summary>
	44	## <param name="domain">
	45	## <summary>
dcbb3329	46	## Domain allowed access.
a513794b CP	47	## </summary>
	48	## </param>
	49	#
	50	interface(`chronyd_exec',`
	51	gen_require(`
	52	type chronyd_exec_t;
	53	')
	54
	55	can_exec($1, chronyd_exec_t)
	56	')
	57
	58	#####################################
	59	## <summary>
	60	## Read chronyd logs.
	61	## </summary>
	62	## <param name="domain">
	63	## <summary>
	64	## Domain allowed access.
	65	## </summary>
	66	## </param>
	67	#
	68	interface(`chronyd_read_log',`
	69	gen_require(`
	70	type chronyd_var_log_t;
	71	')
	72
	73	logging_search_logs($1)
	74	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
	75	')
	76
3eaa9939 DW	77	########################################
	78	## <summary>
	79	## Read and write chronyd shared memory.
	80	## </summary>
	81	## <param name="domain">
	82	## <summary>
	83	## Domain allowed access.
	84	## </summary>
	85	## </param>
	86	#
	87	interface(`chronyd_rw_shm',`
	88	gen_require(`
	89	type chronyd_t, chronyd_tmpfs_t;
	90	')
	91
	92	allow $1 chronyd_t:shm rw_shm_perms;
	93	allow $1 chronyd_tmpfs_t:dir list_dir_perms;
	94	rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	95	read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	96	fs_search_tmpfs($1)
	97	')
	98
	99	########################################
	100	## <summary>
	101	## Read chronyd keys files.
	102	## </summary>
	103	## <param name="domain">
	104	## <summary>
	105	## Domain allowed access.
	106	## </summary>
	107	## </param>
	108	#
	109	interface(`chronyd_read_keys',`
	110	gen_require(`
	111	type chronyd_keys_t;
	112	')
	113
	114	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
	115	')
	116
	117	########################################
	118	## <summary>
	119	## Append chronyd keys files.
	120	## </summary>
	121	## <param name="domain">
	122	## <summary>
	123	## Domain allowed access.
	124	## </summary>
	125	## </param>
	126	#
	127	interface(`chronyd_append_keys',`
	128	gen_require(`
	129	type chronyd_keys_t;
	130	')
	131
	132	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
	133	')
	134
6b417086 DW	135	########################################
	136	## <summary>
	137	## Execute chronyd server in the chronyd domain.
	138	## </summary>
	139	## <param name="domain">
	140	## <summary>
	141	## Domain allowed to transition.
	142	## </summary>
	143	## </param>
	144	#
d18a5c8c	145	interface(`chronyd_systemctl',`
6b417086	146	gen_require(`
22d55406	147	type chronyd_t;
8149320e	148	type chronyd_unit_file_t;
6b417086 DW	149	')
	150
	151	systemd_exec_systemctl($1)
8149320e DW	152	allow $1 chronyd_unit_file_t:file read_file_perms;
8149320e DW	153	allow $1 chronyd_unit_file_t:service all_service_perms;
bf0dadf9 DW	154
bf0dadf9 DW	155	ps_process_pattern($1, chronyd_t)
6b417086 DW	156	')
6b417086 DW	157
4efd70c9 DW	158	########################################
	159	## <summary>
	160	## Connect to chronyd over an unix stream socket.
	161	## </summary>
	162	## <param name="domain">
	163	## <summary>
	164	## Domain allowed access.
	165	## </summary>
	166	## </param>
	167	#
	168	interface(`chronyd_stream_connect',`
	169	gen_require(`
	170	type chronyd_t, chronyd_var_run_t;
	171	')
	172
	173	files_search_pids($1)
	174	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
	175	')
	176
20e45a99 DW	177	########################################
	178	## <summary>
	179	## Send to chronyd over a unix domain
	180	## datagram socket.
	181	## </summary>
	182	## <param name="domain">
	183	## <summary>
	184	## Domain allowed access.
	185	## </summary>
	186	## </param>
	187	#
	188	interface(`chronyd_dgram_send',`
	189	gen_require(`
	190	type chronyd_t;
	191	')
	192
	193	allow $1 chronyd_t:unix_dgram_socket sendto;
	194	')
	195
a513794b CP	196	####################################
	197	## <summary>
	198	## All of the rules required to administrate
	199	## an chronyd environment
	200	## </summary>
	201	## <param name="domain">
	202	## <summary>
	203	## Domain allowed access.
	204	## </summary>
	205	## </param>
	206	## <param name="role">
	207	## <summary>
	208	## The role to be allowed to manage the chronyd domain.
	209	## </summary>
	210	## </param>
	211	## <rolecap/>
	212	#
	213	interface(`chronyd_admin',`
	214	gen_require(`
6bb4d401 DG	215	type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
	216	type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
	217	type chronyd_keys_t;
a513794b CP	218	')
a513794b CP	219
995bdbb1	220	allow $1 chronyd_t:process signal_perms;
a513794b CP	221	ps_process_pattern($1, chronyd_t)
a513794b CP	222
995bdbb1	223	tunable_policy(`deny_ptrace',`',`
	224	allow $1 chronyd_t:process ptrace;
	225	')
	226
a513794b CP	227	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	228	domain_system_change_exemption($1)
	229	role_transition $2 chronyd_initrc_exec_t system_r;
	230	allow $2 system_r;
	231
61f40642	232	files_list_etc($1)
dcbb3329 JS	233	admin_pattern($1, chronyd_keys_t)
dcbb3329 JS	234
61f40642	235	logging_list_logs($1)
a513794b CP	236	admin_pattern($1, chronyd_var_log_t)
a513794b CP	237
61f40642	238	files_list_var_lib($1)
a513794b CP	239	admin_pattern($1, chronyd_var_lib_t)
a513794b CP	240
61f40642	241	files_list_pids($1)
a513794b CP	242	admin_pattern($1, chronyd_var_run_t)
a513794b CP	243
3eaa9939	244	admin_pattern($1, chronyd_tmpfs_t)
6b417086	245
7a6b3619	246	chronyd_systemctl($1)
a513794b	247	')