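policy_module(ntp, 1.10.0)

########################################
#
# Declarations
#

# Drift file kept by ntpd.
type ntp_drift_t;
files_type(ntp_drift_t)

# Daemon domain. Note that ntpdate is also placed in ntpd_t (see
# init_system_domain below), so both binaries share this one set of rules.
type ntpd_t;
type ntpd_exec_t;
init_daemon_domain(ntpd_t, ntpd_exec_t)

type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)

type ntpd_unit_file_t;
systemd_unit_file(ntpd_unit_file_t)

# NTP key files; the local policy below grants ntpd_t read access only,
# never write, so the daemon cannot alter its own key material.
type ntpd_key_t;
files_type(ntpd_key_t)

type ntpd_log_t;
logging_log_file(ntpd_log_t)

type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)

type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)

type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)

# ntpdate runs in the daemon's domain rather than a domain of its own.
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)

########################################
#
# Local policy
#

# sys_resource and setrlimit are for locking memory
# ntpdate wants sys_nice
# sys_time is the capability that lets the domain set the system clock.
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
# sys_nice was previously listed here as well; it is already allowed above,
# and dontaudit has no effect on a permission that is granted, so it is dropped
# from this rule to keep allow and dontaudit sets disjoint.
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
allow ntpd_t self:udp_socket create_socket_perms;

manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)

can_exec(ntpd_t, ntpd_exec_t)

# Read-only access to key files (see ntpd_key_t above).
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)

allow ntpd_t ntpd_log_t:dir setattr;
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })

# for some reason it creates a file in /tmp
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })

manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })

manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)

kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
# NOTE(review): lets ntpd_t ask the kernel to autoload modules; presumably
# for a refclock driver — confirm this is still needed.
kernel_request_load_module(ntpd_t)

# Packets without a SECMARK/NetLabel label are accepted as well.
corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
# NOTE(review): all_ports is considerably broader than the ntp-port rules
# that follow; worth checking whether the peer/refclock setup really needs it.
corenet_tcp_sendrecv_all_ports(ntpd_t)
corenet_udp_sendrecv_all_ports(ntpd_t)
corenet_tcp_bind_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_sendrecv_ntp_client_packets(ntpd_t)

dev_read_sysfs(ntpd_t)
# for SSP
dev_read_urand(ntpd_t)
# Read/write on the RTC device node.
dev_rw_realtime_clock(ntpd_t)

fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
# Necessary to communicate with gpsd devices
fs_rw_tmpfs_files(ntpd_t)

# NOTE(review): tty access is presumably for serial refclocks — confirm.
term_use_ptmx(ntpd_t)
term_use_unallocated_ttys(ntpd_t)

auth_use_nsswitch(ntpd_t)

corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)

domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)

files_read_etc_files(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)

init_exec_script_files(ntpd_t)

logging_send_syslog_msg(ntpd_t)

miscfiles_read_localization(ntpd_t)

userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)

optional_policy(`
	# for cron jobs
	cron_system_entry(ntpd_t, ntpdate_exec_t)
')

optional_policy(`
	gpsd_rw_shm(ntpd_t)
')

optional_policy(`
	firstboot_dontaudit_use_fds(ntpd_t)
	firstboot_dontaudit_rw_pipes(ntpd_t)
	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
')

optional_policy(`
	hal_dontaudit_write_log(ntpd_t)
')

optional_policy(`
	logrotate_exec(ntpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(ntpd_t)
')

optional_policy(`
	udev_read_db(ntpd_t)
')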