projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| b11a75a5 CP |
1 | ## <summary>Network time protocol daemon</summary> |
| 2 | ||
| 98a8ead4 CP |
3 | ######################################## |
| 4 | ## <summary> | |
| 5 | ## NTP stub interface. No access allowed. | |
| 6 | ## </summary> | |
| f7eaeebb | 7 | ## <param name="domain" unused="true"> |
| 885b83ec | 8 | ## <summary> |
| f7eaeebb | 9 | ## Domain allowed access. |
| 885b83ec | 10 | ## </summary> |
| 98a8ead4 CP |
11 | ## </param> |
| 12 | # | |
| 13 | interface(`ntp_stub',` | |
| 9210553e | 14 | gen_require(` |
| 98a8ead4 CP |
15 | type ntpd_t; |
| 16 | ') | |
| 17 | ') | |
| 18 | ||
| b11a75a5 CP |
19 | ######################################## |
| 20 | ## <summary> | |
| 21 | ## Execute ntp server in the ntpd domain. | |
| 22 | ## </summary> | |
| 23 | ## <param name="domain"> | |
| 885b83ec | 24 | ## <summary> |
| 288845a6 | 25 | ## Domain allowed to transition. |
| 885b83ec | 26 | ## </summary> |
| b11a75a5 CP |
27 | ## </param> |
| 28 | # | |
| 29 | interface(`ntp_domtrans',` | |
| 30 | gen_require(` | |
| 31 | type ntpd_t, ntpd_exec_t; | |
| b11a75a5 CP |
32 | ') |
| 33 | ||
| 8021cb4f | 34 | corecmd_search_bin($1) |
| 0bfccda4 | 35 | domtrans_pattern($1, ntpd_exec_t, ntpd_t) |
| b11a75a5 CP |
36 | ') |
| 37 | ||
| 82cdffce CP |
38 | ######################################## |
| 39 | ## <summary> | |
| 40 | ## Execute ntp in the ntp domain, and | |
| 41 | ## allow the specified role the ntp domain. | |
| 42 | ## </summary> | |
| 43 | ## <param name="domain"> | |
| 44 | ## <summary> | |
| 288845a6 | 45 | ## Domain allowed to transition. |
| 82cdffce CP |
46 | ## </summary> |
| 47 | ## </param> | |
| 48 | ## <param name="role"> | |
| 49 | ## <summary> | |
| 50 | ## Role allowed access. | |
| 51 | ## </summary> | |
| 52 | ## </param> | |
| 53 | ## <rolecap/> | |
| 54 | # | |
| 55 | interface(`ntp_run',` | |
| 56 | gen_require(` | |
| 57 | type ntpd_t; | |
| 58 | ') | |
| 59 | ||
| 60 | ntp_domtrans($1) | |
| 61 | role $2 types ntpd_t; | |
| 62 | ') | |
| 63 | ||
| b11a75a5 CP |
64 | ######################################## |
| 65 | ## <summary> | |
| 66 | ## Execute ntp server in the ntpd domain. | |
| 67 | ## </summary> | |
| 68 | ## <param name="domain"> | |
| 885b83ec | 69 | ## <summary> |
| 288845a6 | 70 | ## Domain allowed to transition. |
| 885b83ec | 71 | ## </summary> |
| b11a75a5 CP |
72 | ## </param> |
| 73 | # | |
| 74 | interface(`ntp_domtrans_ntpdate',` | |
| 75 | gen_require(` | |
| 76 | type ntpd_t, ntpdate_exec_t; | |
| b11a75a5 CP |
77 | ') |
| 78 | ||
| 8021cb4f | 79 | corecmd_search_bin($1) |
| 0bfccda4 | 80 | domtrans_pattern($1, ntpdate_exec_t, ntpd_t) |
| b11a75a5 | 81 | ') |
| e87221ce | 82 | |
| cca4a215 | 83 | ######################################## |
| 82cdffce CP |
84 | ## <summary> |
| 85 | ## Execute ntp server in the ntpd domain. | |
| 86 | ## </summary> | |
| 87 | ## <param name="domain"> | |
| 88 | ## <summary> | |
| 288845a6 | 89 | ## Domain allowed to transition. |
| 82cdffce CP |
90 | ## </summary> |
| 91 | ## </param> | |
| 92 | # | |
| 93 | interface(`ntp_initrc_domtrans',` | |
| 94 | gen_require(` | |
| 95 | type ntpd_initrc_exec_t; | |
| 96 | ') | |
| 97 | ||
| 98 | init_labeled_script_domtrans($1, ntpd_initrc_exec_t) | |
| 99 | ') | |
| 100 | ||
| 2e04b5c6 MG |
101 | ##################################### |
| 102 | ## <summary> | |
| 103 | ## Allow domain to read ntpd systemd unit files. | |
| 104 | ## </summary> | |
| 105 | ## <param name="domain"> | |
| 106 | ## <summary> | |
| 107 | ## Domain allowed access. | |
| 108 | ## </summary> | |
| 109 | ## </param> | |
| 110 | # | |
| 2c6bb800 | 111 | interface(`ntp_read_unit_file',` |
| 2e04b5c6 MG |
112 | gen_require(` |
| 113 | type ntpd_unit_file_t; | |
| 114 | ') | |
| 115 | ||
| 116 | files_search_var_lib($1) | |
| 117 | allow $1 ntpd_unit_file_t:file read_file_perms; | |
| 118 | ') | |
| 119 | ||
| 038932c6 DW |
120 | ######################################## |
| 121 | ## <summary> | |
| 122 | ## Execute ntpd server in the ntpd domain. | |
| 123 | ## </summary> | |
| 124 | ## <param name="domain"> | |
| 125 | ## <summary> | |
| 126 | ## Domain allowed to transition. | |
| 127 | ## </summary> | |
| 128 | ## </param> | |
| 129 | # | |
| d4cb15ac | 130 | interface(`ntp_systemctl',` |
| 038932c6 | 131 | gen_require(` |
| 8149320e | 132 | type ntpd_unit_file_t; |
| bf0dadf9 | 133 | type ntpd_t; |
| 038932c6 DW |
134 | ') |
| 135 | ||
| 136 | systemd_exec_systemctl($1) | |
| 8149320e DW |
137 | allow $1 ntpd_unit_file_t:file read_file_perms; |
| 138 | allow $1 ntpd_unit_file_t:service all_service_perms; | |
| bf0dadf9 DW |
139 | |
| 140 | ps_process_pattern($1, ntpd_t) | |
| 038932c6 DW |
141 | ') |
| 142 | ||
| 82cdffce CP |
143 | ######################################## |
| 144 | ## <summary> | |
| 3f67f722 | 145 | ## Read and write ntpd shared memory. |
| cca4a215 CP |
146 | ## </summary> |
| 147 | ## <param name="domain"> | |
| 3f67f722 | 148 | ## <summary> |
| a72e42f4 | 149 | ## Domain allowed access. |
| 3f67f722 | 150 | ## </summary> |
| cca4a215 CP |
151 | ## </param> |
| 152 | # | |
| 82cdffce | 153 | interface(`ntp_rw_shm',` |
| 3f67f722 CP |
154 | gen_require(` |
| 155 | type ntpd_t, ntpd_tmpfs_t; | |
| 156 | ') | |
| cca4a215 | 157 | |
| 3f67f722 CP |
158 | allow $1 ntpd_t:shm rw_shm_perms; |
| 159 | list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) | |
| 160 | rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) | |
| 161 | read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) | |
| 162 | fs_search_tmpfs($1) | |
| cca4a215 CP |
163 | ') |
| 164 | ||
| e824ff6d DW |
165 | ######################################## |
| 166 | ## <summary> | |
| 167 | ## Allow the domain to read ntpd state files in /proc. | |
| 168 | ## </summary> | |
| 169 | ## <param name="domain"> | |
| 170 | ## <summary> | |
| 171 | ## Domain allowed access. | |
| 172 | ## </summary> | |
| 173 | ## </param> | |
| 174 | # | |
| 175 | interface(`ntp_read_state',` | |
| 176 | gen_require(` | |
| 177 | type ntpd_t; | |
| 178 | ') | |
| 179 | ||
| 180 | kernel_search_proc($1) | |
| 181 | ps_process_pattern($1, ntpd_t) | |
| 182 | ') | |
| 183 | ||
| e87221ce CP |
184 | ######################################## |
| 185 | ## <summary> | |
| 82cdffce | 186 | ## All of the rules required to administrate |
| e87221ce CP |
187 | ## an ntp environment |
| 188 | ## </summary> | |
| 189 | ## <param name="domain"> | |
| 190 | ## <summary> | |
| 191 | ## Domain allowed access. | |
| 192 | ## </summary> | |
| 193 | ## </param> | |
| 194 | ## <param name="role"> | |
| 195 | ## <summary> | |
| 196 | ## The role to be allowed to manage the ntp domain. | |
| 197 | ## </summary> | |
| 198 | ## </param> | |
| 199 | ## <rolecap/> | |
| 200 | # | |
| 201 | interface(`ntp_admin',` | |
| 202 | gen_require(` | |
| 203 | type ntpd_t, ntpd_tmp_t, ntpd_log_t; | |
| 8f0b7460 | 204 | type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; |
| e87221ce CP |
205 | ') |
| 206 | ||
| 995bdbb1 | 207 | allow $1 ntpd_t:process signal_perms; |
| e87221ce | 208 | ps_process_pattern($1, ntpd_t) |
| 995bdbb1 | 209 | tunable_policy(`deny_ptrace',`',` |
| 210 | allow $1 ntpd_t:process ptrace; | |
| 211 | ') | |
| e87221ce CP |
212 | |
| 213 | init_labeled_script_domtrans($1, ntpd_initrc_exec_t) | |
| 214 | domain_system_change_exemption($1) | |
| 215 | role_transition $2 ntpd_initrc_exec_t system_r; | |
| 216 | allow $2 system_r; | |
| 217 | ||
| 218 | admin_pattern($1, ntpd_key_t) | |
| 219 | ||
| 220 | logging_list_logs($1) | |
| 221 | admin_pattern($1, ntpd_log_t) | |
| 222 | ||
| 223 | files_list_tmp($1) | |
| 224 | admin_pattern($1, ntpd_tmp_t) | |
| 225 | ||
| 226 | files_list_pids($1) | |
| 227 | admin_pattern($1, ntpd_var_run_t) | |
| 038932c6 | 228 | |
| d4cb15ac | 229 | ntp_systemctl($1) |
| e87221ce | 230 | ') |