1 |
commit: fc20bbb5187bd1cb4527ebf38390d1a31b8593c4 |
2 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
3 |
AuthorDate: Sat Nov 17 04:23:43 2018 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Nov 18 10:56:47 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc20bbb5 |
7 |
|
8 |
Add interfaces to control ntpd_unit_t systemd services |
9 |
|
10 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
11 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
12 |
|
13 |
policy/modules/services/ntp.if | 63 ++++++++++++++++++++++++++++++++++++++++++ |
14 |
1 file changed, 63 insertions(+) |
15 |
|
16 |
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if |
17 |
index 31f71108..ff85b74b 100644 |
18 |
--- a/policy/modules/services/ntp.if |
19 |
+++ b/policy/modules/services/ntp.if |
20 |
@@ -177,6 +177,69 @@ interface(`ntp_rw_shm',` |
21 |
fs_search_tmpfs($1) |
22 |
') |
23 |
|
24 |
+######################################## |
25 |
+## <summary> |
26 |
+## Allow specified domain to enable/disable ntpd unit |
27 |
+## </summary> |
28 |
+## <param name="domain"> |
29 |
+## <summary> |
30 |
+## Domain allowed access. |
31 |
+## </summary> |
32 |
+## </param> |
33 |
+# |
34 |
+interface(`ntp_enabledisable',` |
35 |
+ ifdef(`init_systemd',` |
36 |
+ gen_require(` |
37 |
+ type ntpd_unit_t; |
38 |
+ class service { enable disable }; |
39 |
+ ') |
40 |
+ |
41 |
+ allow $1 ntpd_unit_t:service { enable disable }; |
42 |
+ ') |
43 |
+') |
44 |
+ |
45 |
+######################################## |
46 |
+## <summary> |
47 |
+## Allow specified domain to start/stop ntpd unit |
48 |
+## </summary> |
49 |
+## <param name="domain"> |
50 |
+## <summary> |
51 |
+## Domain allowed access. |
52 |
+## </summary> |
53 |
+## </param> |
54 |
+# |
55 |
+interface(`ntp_startstop',` |
56 |
+ ifdef(`init_systemd',` |
57 |
+ gen_require(` |
58 |
+ type ntpd_unit_t; |
59 |
+ class service { start stop }; |
60 |
+ ') |
61 |
+ |
62 |
+ allow $1 ntpd_unit_t:service { start stop }; |
63 |
+ ') |
64 |
+') |
65 |
+ |
66 |
+######################################## |
67 |
+## <summary> |
68 |
+## Allow specified domain to get status of ntpd unit |
69 |
+## </summary> |
70 |
+## <param name="domain"> |
71 |
+## <summary> |
72 |
+## Domain allowed access. |
73 |
+## </summary> |
74 |
+## </param> |
75 |
+# |
76 |
+interface(`ntp_status',` |
77 |
+ ifdef(`init_systemd',` |
78 |
+ gen_require(` |
79 |
+ type ntpd_unit_t; |
80 |
+ class service status; |
81 |
+ ') |
82 |
+ |
83 |
+ allow $1 ntpd_unit_t:service status; |
84 |
+ ') |
85 |
+') |
86 |
+ |
87 |
######################################## |
88 |
## <summary> |
89 |
## All of the rules required to |