## <summary>Network time protocol daemon</summary>

########################################
## <summary>
##	NTP stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_stub',`
	gen_require(`
		type ntpd_t;
	')

	# Deliberately grants nothing: the require block only makes ntpd_t
	# available to the caller so the type can be referenced.
')

########################################
## <summary>
##	Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_domtrans',`
	gen_require(`
		type ntpd_t, ntpd_exec_t;
	')

	# The caller must be able to search the bin directories to reach
	# the ntpd executable before it can exec it.
	corecmd_search_bin($1)
	# Execute ntpd_exec_t and automatically transition into ntpd_t.
	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
')

########################################
## <summary>
##	Execute ntp in the ntp domain, and
##	allow the specified role the ntp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ntp_run',`
	gen_require(`
		type ntpd_t;
	')

	ntp_domtrans($1)
	# Authorize the role for ntpd_t; without this the domain
	# transition granted above cannot be used from that role.
	role $2 types ntpd_t;
')

########################################
## <summary>
##	Execute ntpdate in the ntpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_domtrans_ntpdate',`
	gen_require(`
		type ntpd_t, ntpdate_exec_t;
	')

	corecmd_search_bin($1)
	# ntpdate has no domain of its own: executing ntpdate_exec_t
	# transitions into the same ntpd_t domain as the daemon.
	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
')

########################################
## <summary>
##	Execute the ntpd init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_initrc_domtrans',`
	gen_require(`
		type ntpd_initrc_exec_t;
	')

	# Only the init script (ntpd_initrc_exec_t) is executed here; the
	# daemon itself is not started directly by the caller.
	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')

########################################
## <summary>
##	Allow domain to read ntpd systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_read_unit_file',`
	gen_require(`
		type ntpd_unit_file_t;
	')

	# NOTE(review): only search access under /var/lib is granted here;
	# if the unit files are installed elsewhere the caller may need
	# search access on that path as well -- confirm against the file
	# contexts for ntpd_unit_file_t.
	files_search_var_lib($1)
	allow $1 ntpd_unit_file_t:file read_file_perms;
')

########################################
## <summary>
##	Allow the domain to run systemctl and fully
##	control the ntpd service unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_systemctl',`
	gen_require(`
		type ntpd_unit_file_t;
		type ntpd_t;
	')

	systemd_exec_systemctl($1)
	# Reading the unit file plus the full service permission set on it
	# lets the caller start, stop and otherwise control the ntpd unit,
	# so this interface should only be given to management domains.
	allow $1 ntpd_unit_file_t:file read_file_perms;
	allow $1 ntpd_unit_file_t:service all_service_perms;

	# Presumably for status queries, which read the daemon's process
	# state -- verify against callers.
	ps_process_pattern($1, ntpd_t)
')

########################################
## <summary>
##	Read and write ntpd shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_rw_shm',`
	gen_require(`
		type ntpd_t, ntpd_tmpfs_t;
	')

	# SysV shared memory segments owned by ntpd_t.  A writer can change
	# the data ntpd reads from the segment, so restrict callers to
	# domains that legitimately exchange data with ntpd.
	allow $1 ntpd_t:shm rw_shm_perms;
	# The tmpfs-backed files used for shared memory, plus the search
	# access needed to reach them on the tmpfs filesystem.
	list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	fs_search_tmpfs($1)
')

########################################
## <summary>
##	Allow the domain to read ntpd state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_read_state',`
	gen_require(`
		type ntpd_t;
	')

	# Search access on /proc is required to reach the per-process
	# entries that ps_process_pattern grants read access to.
	kernel_search_proc($1)
	ps_process_pattern($1, ntpd_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an ntp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the ntp domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ntp_admin',`
	gen_require(`
		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
	')

	# Full signal control over the daemon plus read access to its
	# process state.
	allow $1 ntpd_t:process signal_perms;
	ps_process_pattern($1, ntpd_t)
	# ptrace of ntpd is granted only while the deny_ptrace boolean is
	# off: the true branch is intentionally empty.
	tunable_policy(`deny_ptrace',`',`
		allow $1 ntpd_t:process ptrace;
	')

	# Let the admin role run the init script: the script is executed
	# in the init script domain and the role is switched to system_r
	# for that execution, which is why $2 must be allowed system_r.
	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ntpd_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of the ntp key files.  These hold the daemon's
	# authentication key material, so this interface effectively grants
	# control over ntp authentication.
	admin_pattern($1, ntpd_key_t)

	logging_list_logs($1)
	admin_pattern($1, ntpd_log_t)

	files_list_tmp($1)
	admin_pattern($1, ntpd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, ntpd_var_run_t)

	# Service control via systemctl; ntp_systemctl carries its own
	# require block for ntpd_unit_file_t.
	ntp_systemctl($1)
')