[people/stevee/selinux-policy.git] / policy / modules / services / ntp.te

policy_module(ntp, 1.10.0)

########################################
#
# Declarations
#

type ntp_drift_t;
files_type(ntp_drift_t)

type ntpd_t;
type ntpd_exec_t;
init_daemon_domain(ntpd_t, ntpd_exec_t)

type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)

type ntpd_unit_file_t;
systemd_unit_file(ntpd_unit_file_t)

type ntpd_key_t;
files_type(ntpd_key_t)

type ntpd_log_t;
logging_log_file(ntpd_log_t)

type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)

type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)

type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)

type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)

########################################
#
# Local policy
#

# sys_resource and setrlimit is for locking memory
# ntpdate wants sys_nice
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
allow ntpd_t self:udp_socket create_socket_perms;

manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)

can_exec(ntpd_t, ntpd_exec_t)

read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)

allow ntpd_t ntpd_log_t:dir setattr;
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })

# for some reason it creates a file in /tmp
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })

manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })

manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)

kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)

corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_tcp_sendrecv_all_ports(ntpd_t)
corenet_udp_sendrecv_all_ports(ntpd_t)
corenet_tcp_bind_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_sendrecv_ntp_client_packets(ntpd_t)

dev_read_sysfs(ntpd_t)
# for SSP
dev_read_urand(ntpd_t)
dev_rw_realtime_clock(ntpd_t)

fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
# Necessary to communicate with gpsd devices
fs_rw_tmpfs_files(ntpd_t)

term_use_ptmx(ntpd_t)
term_use_unallocated_ttys(ntpd_t)

auth_use_nsswitch(ntpd_t)

corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)

domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)

files_read_etc_files(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)

init_exec_script_files(ntpd_t)

logging_send_syslog_msg(ntpd_t)

miscfiles_read_localization(ntpd_t)

userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)

optional_policy(`
	# for cron jobs
	cron_system_entry(ntpd_t, ntpdate_exec_t)
')

optional_policy(`
	gpsd_rw_shm(ntpd_t)
')

optional_policy(`
	firstboot_dontaudit_use_fds(ntpd_t)
	firstboot_dontaudit_rw_pipes(ntpd_t)
	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
')

optional_policy(`
	hal_dontaudit_write_log(ntpd_t)
')

optional_policy(`
	logrotate_exec(ntpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(ntpd_t)
')

optional_policy(`
	udev_read_db(ntpd_t)
')
Commit	Line	Data
29af4c13	1	policy_module(ntp, 1.10.0)
b11a75a5 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type ntp_drift_t;
	9	files_type(ntp_drift_t)
	10
	11	type ntpd_t;
	12	type ntpd_exec_t;
0bfccda4	13	init_daemon_domain(ntpd_t, ntpd_exec_t)
b11a75a5	14
48f64563 CP	15	type ntpd_initrc_exec_t;
	16	init_script_file(ntpd_initrc_exec_t)
	17
2e04b5c6 MG	18	type ntpd_unit_file_t;
	19	systemd_unit_file(ntpd_unit_file_t)
	20
8786916e CP	21	type ntpd_key_t;
	22	files_type(ntpd_key_t)
	23
b11a75a5 CP	24	type ntpd_log_t;
	25	logging_log_file(ntpd_log_t)
	26
	27	type ntpd_tmp_t;
	28	files_tmp_file(ntpd_tmp_t)
	29
cca4a215 CP	30	type ntpd_tmpfs_t;
	31	files_tmpfs_file(ntpd_tmpfs_t)
	32
b11a75a5 CP	33	type ntpd_var_run_t;
	34	files_pid_file(ntpd_var_run_t)
	35
	36	type ntpdate_exec_t;
0bfccda4	37	init_system_domain(ntpd_t, ntpdate_exec_t)
b11a75a5 CP	38
	39	########################################
	40	#
	41	# Local policy
	42	#
	43
77f6e2cd	44	# sys_resource and setrlimit is for locking memory
b11a75a5	45	# ntpdate wants sys_nice
82cdffce	46	allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
b11a75a5	47	dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
8786916e	48	allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
0b36a214	49	allow ntpd_t self:fifo_file rw_fifo_file_perms;
82cdffce	50	allow ntpd_t self:shm create_shm_perms;
b11a75a5 CP	51	allow ntpd_t self:unix_dgram_socket create_socket_perms;
b11a75a5 CP	52	allow ntpd_t self:unix_stream_socket create_socket_perms;
b11a75a5	53	allow ntpd_t self:tcp_socket create_stream_socket_perms;
33c7e6b4	54	allow ntpd_t self:udp_socket create_socket_perms;
b11a75a5	55
0bfccda4	56	manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
b11a75a5	57
3f67f722	58	can_exec(ntpd_t, ntpd_exec_t)
b11a75a5	59
8786916e	60	read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
82cdffce	61	read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
8786916e	62
c0868a7a	63	allow ntpd_t ntpd_log_t:dir setattr;
3f67f722 CP	64	manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
3f67f722 CP	65	logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
b11a75a5 CP	66
b11a75a5 CP	67	# for some reason it creates a file in /tmp
0bfccda4 CP	68	manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
0bfccda4 CP	69	manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
103fe280	70	files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
b11a75a5	71
cca4a215 CP	72	manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
	73	manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
	74	fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
	75
0bfccda4 CP	76	manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
0bfccda4 CP	77	files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
b11a75a5	78
445522dc	79	kernel_read_kernel_sysctls(ntpd_t)
b11a75a5	80	kernel_read_system_state(ntpd_t)
123a990b	81	kernel_read_network_state(ntpd_t)
82cdffce	82	kernel_request_load_module(ntpd_t)
b11a75a5	83
19006686 CP	84	corenet_all_recvfrom_unlabeled(ntpd_t)
19006686 CP	85	corenet_all_recvfrom_netlabel(ntpd_t)
668b3093 CP	86	corenet_tcp_sendrecv_generic_if(ntpd_t)
668b3093 CP	87	corenet_udp_sendrecv_generic_if(ntpd_t)
c1262146 CP	88	corenet_tcp_sendrecv_generic_node(ntpd_t)
c1262146 CP	89	corenet_udp_sendrecv_generic_node(ntpd_t)
b11a75a5 CP	90	corenet_tcp_sendrecv_all_ports(ntpd_t)
b11a75a5 CP	91	corenet_udp_sendrecv_all_ports(ntpd_t)
c1262146 CP	92	corenet_tcp_bind_generic_node(ntpd_t)
c1262146 CP	93	corenet_udp_bind_generic_node(ntpd_t)
b11a75a5	94	corenet_udp_bind_ntp_port(ntpd_t)
0907bda1	95	corenet_tcp_connect_ntp_port(ntpd_t)
006e9982 CP	96	corenet_sendrecv_ntp_server_packets(ntpd_t)
006e9982 CP	97	corenet_sendrecv_ntp_client_packets(ntpd_t)
b11a75a5 CP	98
	99	dev_read_sysfs(ntpd_t)
	100	# for SSP
	101	dev_read_urand(ntpd_t)
3eaa9939	102	dev_rw_realtime_clock(ntpd_t)
b11a75a5 CP	103
	104	fs_getattr_all_fs(ntpd_t)
	105	fs_search_auto_mountpoints(ntpd_t)
3eaa9939 DW	106	# Necessary to communicate with gpsd devices
3eaa9939 DW	107	fs_rw_tmpfs_files(ntpd_t)
b11a75a5	108
8786916e	109	term_use_ptmx(ntpd_t)
ef088c6f	110	term_use_unallocated_ttys(ntpd_t)
8786916e	111
2dbd3824 CP	112	auth_use_nsswitch(ntpd_t)
2dbd3824 CP	113
b11a75a5	114	corecmd_exec_bin(ntpd_t)
b11a75a5 CP	115	corecmd_exec_shell(ntpd_t)
b11a75a5 CP	116
15722ec9	117	domain_use_interactive_fds(ntpd_t)
1815bad1	118	domain_dontaudit_list_all_domains_state(ntpd_t)
b11a75a5 CP	119
	120	files_read_etc_files(ntpd_t)
	121	files_read_etc_runtime_files(ntpd_t)
	122	files_read_usr_files(ntpd_t)
	123	files_list_var_lib(ntpd_t)
	124
f7547934	125	init_exec_script_files(ntpd_t)
b11a75a5	126
b11a75a5 CP	127	logging_send_syslog_msg(ntpd_t)
	128
	129	miscfiles_read_localization(ntpd_t)
	130
15722ec9	131	userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
296273a7	132	userdom_list_user_home_dirs(ntpd_t)
b11a75a5	133
bb7170f6	134	optional_policy(`
b11a75a5	135	# for cron jobs
0bfccda4	136	cron_system_entry(ntpd_t, ntpdate_exec_t)
b11a75a5 CP	137	')
b11a75a5 CP	138
cca4a215 CP	139	optional_policy(`
	140	gpsd_rw_shm(ntpd_t)
	141	')
	142
bb7170f6	143	optional_policy(`
1c1ac67f	144	firstboot_dontaudit_use_fds(ntpd_t)
9af48eef	145	firstboot_dontaudit_rw_pipes(ntpd_t)
93f445b8	146	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
b11a75a5 CP	147	')
b11a75a5 CP	148
8786916e CP	149	optional_policy(`
	150	hal_dontaudit_write_log(ntpd_t)
	151	')
	152
bb7170f6	153	optional_policy(`
b11a75a5 CP	154	logrotate_exec(ntpd_t)
	155	')
	156
bb7170f6	157	optional_policy(`
b11a75a5 CP	158	seutil_sigchld_newrole(ntpd_t)
	159	')
	160
bb7170f6	161	optional_policy(`
b11a75a5 CP	162	udev_read_db(ntpd_t)
b11a75a5 CP	163	')