commit: 7a8275937a8628ca031dddf5f47cf2b27aaf94b3 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Mon Mar 5 14:02:59 2018 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 25 09:30:44 2018 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a827593 |
|
Add interface to start/stop/enable/disable/status of chronyd service |
|
Add interfaces that allow a process to use systemctl to start, stop, enable, disable, and query the status of chronyd.service |
|
Fix summary for chronyd_startstop from previous submission |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
|
policy/modules/contrib/chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++ |
1 file changed, 57 insertions(+) |
|
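diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index e0a751ac..a42bc4f4 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
 read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
+########################################
+## <summary>
+## Allow specified domain to enable and disable chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start and stop chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
 ####################################
 ## <summary>
 ## All of the rules required to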
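Review bot: The summaries on `chronyd_enabledisable` and `chronyd_startstop` describe only the permission being granted and give no hint that stopping or disabling the time daemon is an administrative action with security consequences, since clock drift affects certificate validity checks, ticket lifetimes and log correlation. I would add a description line to both, for example `## Stopping or disabling chronyd halts time synchronisation; grant only to administrative domains.`, so callers do not hand it to ordinary service domains. Each interface allows only the `service` class permission on `chronyd_unit_t`; whether a caller needs further access (to the unit file or to init) for systemctl to succeed is not visible in this hunk, so the summary should say what is and is not covered. The context lines after the hunk look like the start of the admin interface's summary; if that interface does not already grant these permissions it is presumably the place to call the new interfaces from.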