commit: a70aa3e3b948e30a7ed01a9d09b762419fa76d48 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Mon Mar 5 14:02:58 2018 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 25 09:30:41 2018 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70aa3e3 |
|
Separate type for chronyd config file. |
|
Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed because I have a process that alters chrony.conf, but I didn't want that process to have write access to all etc_t files. |
|
Fixed summary for chronyd_rw_config interface from previous submission. |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
|
policy/modules/contrib/chronyd.fc | 1 + |
policy/modules/contrib/chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/chronyd.te | 5 +++++ |
3 files changed, 44 insertions(+) |
|
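--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
 /etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)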
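--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
 read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Read and write chronyd shared memory.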
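Review bot: The two new interfaces `chronyd_read_config` and `chronyd_rw_config` grant access with bare `allow $1 chronyd_conf_t:file ...` rules, while the neighbouring `chronyd_read_log` at the top of the hunk uses the refpolicy pattern macro; the consistent form would be `read_files_pattern($1, chronyd_conf_t, chronyd_conf_t)` and `rw_files_pattern($1, chronyd_conf_t, chronyd_conf_t)`, keeping `files_search_etc($1)` for the parent directory. The commit message describes a process that alters chrony.conf; if that process rewrites the file through a temporary file and rename rather than writing in place, `rw_file_perms` on the file alone will not cover it, which is worth confirming with that caller before relying on the rw interface. The `#####` separator above each new block also looks shorter than the existing 40-column rule at the `chronyd_rw_shm` block below and should match it.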
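--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_read_config(chronyd_t)
+
 optional_policy(`
 gpsd_rw_shm(chronyd_t)
 ')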
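Review bot: `chronyd_read_config(chronyd_t)` in the second hunk calls the module's own interface from its own .te, which refpolicy style avoids; the daemon's access to its config should be a direct local rule, e.g. `allow chronyd_t chronyd_conf_t:file read_file_perms;` (or `read_files_pattern(chronyd_t, chronyd_conf_t, chronyd_conf_t)`), placed among the other local allow rules at the top of the chronyd_t policy section rather than after `miscfiles_read_localization`. Declaring the type with `files_config_file(chronyd_conf_t)` in the first hunk is the right attribute for a file under /etc and is what makes the generic etc_t read rules other domains carry stop applying to chrony.conf, which is the commit's stated intent. The chronyd_t policy section continues outside both hunks, so any existing `files_read_etc_files(chronyd_t)` that previously covered the file is not visible here.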