
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Sat, 25 Feb 2017 14:59:48
Message-Id: 1488034252.35bc01e881f75e092a6cf668400407d73081f8fc.perfinion@gentoo
1 commit: 35bc01e881f75e092a6cf668400407d73081f8fc
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Thu Jan 5 18:59:45 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 14:50:52 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8
7
8 update ntp module
9
10 * add private lock type
11 * dontaudit sys_resource
12
13 policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
14 policy/modules/contrib/ntp.if | 7 ++++---
15 policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
16 3 files changed, 51 insertions(+), 40 deletions(-)
17
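diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
 
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
 
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
 
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
 /run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`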
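Review bot: The socket entry `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)`, left as context at the end of the hunk, still uses the old type name while the pid-file entry a few lines earlier was switched to `ntpd_pid_t`; the `typealias` added in ntp.te keeps the old name valid, but the two /run entries should agree, so I would change it to `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0)`. The new `/var/lock/ntpdate` line is labelled under /var/lock, which presumably relies on the policy build's path substitution mapping /run/lock onto /var/lock the same way /run pid files are handled; if that substitution is not in place on the target distribution the label will not match the real lock file, so it is worth confirming.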
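diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 gen_require(`
 type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
 type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
 ')
 
 allow $1 ntpd_t:process { ptrace signal_perms };
 ps_process_pattern($1, ntpd_t)
 
- init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
 
 files_list_etc($1)
 admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
 admin_pattern($1, ntp_drift_t)
 
 files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
+ admin_pattern($1, ntpd_pid_t)
 
 ntp_run($1, $2)
 ')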
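Review bot: `ntp_admin` is updated for `ntpd_pid_t` and `ntpd_unit_t` but not for the new private `ntpd_lock_t` that the same commit declares in ntp.te, so an administrator domain granted this interface can manage every other ntp type yet cannot manage `/var/lock/ntpdate`. I would add `type ntpd_lock_t;` to the `gen_require` block in the first hunk and `files_search_locks($1)` followed by `admin_pattern($1, ntpd_lock_t)` next to the pid-file lines in the second hunk, mirroring how the pid and drift types are handled. The interface body spans both hunks and ends at the `')` in the second one.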
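diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
 
 attribute_role ntpd_roles;
 
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
 type ntp_drift_t;
 files_type(ntp_drift_t)
 
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
 
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
 type ntpd_unit_t;
 init_unit_file(ntpd_unit_t)
 
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
 type ntpdate_exec_t;
 init_system_domain(ntpd_t, ntpdate_exec_t)
 
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
 
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 files_var_filetrans(ntpd_t, ntp_drift_t, file)
 
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
 can_exec(ntpd_t, ntpd_exec_t)
 
 kernel_read_kernel_sysctls(ntpd_t)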
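Review bot: `allow ntpd_t ntpd_lock_t:file write_file_perms;` in the fourth hunk lets the domain write an already existing lock file only; there is no create permission and no lock-directory file transition, so if `/var/lock/ntpdate` is absent when ntpdate runs (a freshly mounted tmpfs lock directory, for instance) the open is denied and nothing in the policy would label a newly created file. That may be intentional if the paired `init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")` in the second hunk is meant to have init create the file first, but the rule should say so, e.g. `# lock file is created by init (see init_daemon_lock_file), ntpd_t only writes it` above the allow line, or be widened to `manage_file_perms` plus `files_lock_filetrans(ntpd_t, ntpd_lock_t, file, "ntpdate")` if the domain creates it itself. Separately, `sys_nice` is listed in both the rewritten `allow` and `dontaudit` capability sets; the dontaudit entry is a no-op for a permission that is already allowed and can be dropped. The rewritten sets also lost the alphabetical ordering the replaced lines had, which makes future diffs harder to read.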