commit: 35bc01e881f75e092a6cf668400407d73081f8fc |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Thu Jan 5 18:59:45 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 14:50:52 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8 |
|
update ntp module |
|
* add private lock type |
* dontaudit sys_resource |
|
policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++--------------------- |
policy/modules/contrib/ntp.if | 7 ++++--- |
policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++------------- |
3 files changed, 51 insertions(+), 40 deletions(-) |
|
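diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
 
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
 
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
 
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
 /run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`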
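Review bot: The unchanged context line `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)` still labels the socket with the old type name, while the pid entry in the same hunk was switched to `ntpd_pid_t`; since ntp.te in this commit keeps `ntpd_var_run_t` only as a typealias, the socket entry should read `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0)` and be moved next to `/run/ntpd\.pid`, as the rest of the file now appears to be ordered by path. The new `/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)` entry only takes effect on relabel; which process creates the file at runtime, and whether its creation path gets the same label, is not visible from the hunk and is worth stating in a comment above the entry.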
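diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 gen_require(`
 type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
 type ntpd_initrc_exec_t, ntp_drift_t;
+type ntpd_unit_t;
 ')
 
 allow $1 ntpd_t:process { ptrace signal_perms };
 ps_process_pattern($1, ntpd_t)
 
-init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
 
 files_list_etc($1)
 admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
 admin_pattern($1, ntp_drift_t)
 
 files_list_pids($1)
-admin_pattern($1, ntpd_var_run_t)
+admin_pattern($1, ntpd_pid_t)
 
 ntp_run($1, $2)
 ')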
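Review bot: `ntp_admin` is not extended to the new `ntpd_lock_t` type that ntp.te introduces in this same commit, so an admin domain can manage the pid, log, drift and config files but has no access to `/var/lock/ntpdate`; add `type ntpd_lock_t;` to the `gen_require` block in the first hunk and `admin_pattern($1, ntpd_lock_t)` beside `admin_pattern($1, ntpd_pid_t)` in the second, paired with a lock-directory search interface from files.if (presumably `files_search_locks` — confirm against the current files.if). The `ntpd_var_run_t` → `ntpd_pid_t` rename in both hunks is safe for external callers because the typealias remains. The interface's requires block lists `ntpd_unit_t` on its own line rather than joining it to the line it belongs with, which reads as an afterthought; folding it into `type ntpd_initrc_exec_t, ntp_drift_t, ntpd_unit_t;` would match the style of the surrounding lines.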
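diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
 
 attribute_role ntpd_roles;
 
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
 type ntp_drift_t;
 files_type(ntp_drift_t)
 
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
 
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
 type ntpd_unit_t;
 init_unit_file(ntpd_unit_t)
 
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
 type ntpdate_exec_t;
 init_system_domain(ntpd_t, ntpdate_exec_t)
 
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
 
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 files_var_filetrans(ntpd_t, ntp_drift_t, file)
 
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
 can_exec(ntpd_t, ntpd_exec_t)
 
 kernel_read_kernel_sysctls(ntpd_t)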
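Review bot: `sys_nice` appears in both rewritten lines of the capability pair in the fourth hunk, `allow ntpd_t self:capability { ... sys_nice }` and `dontaudit ntpd_t self:capability { ... sys_nice sys_resource }`; an allowed permission never produces a denial, so the dontaudit entry is dead and the line should be `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_resource };`. The same hunk keeps `setrlimit` in `allow ntpd_t self:process` while moving `sys_resource` from allow to dontaudit, which means any attempt by ntpd to raise a hard limit now fails without an audit record rather than being logged; a one-line comment stating why the capability is considered unnecessary (presumably only soft limits are adjusted — confirm) would save the next reader from re-deriving that. The new `# sys_time : modify system time` comment justifies one of ten capabilities; the less obvious ones (`ipc_lock`, `sys_chroot`, `ipc_owner`) and the new `allow ntpd_t self:socket create;` rule, whose purpose is not evident from the hunk, deserve the same one-line treatment.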