commit: a62050c31b26767018a3c7585b2905d9b7a40b0f |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Mon Jun 23 18:41:01 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Wed Jun 25 19:04:46 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a62050c3 |
|
Add filetrans for ntp-kod file |
|
sntp has a file used to persist the history of KoD responses |
received from servers. The default is /var/db/ntp-kod. |
|
This patch adds the fcontext and a filetrans so it can be created. |
|
Changes from v1: |
* use files_var_filetrans instead of filetrans_pattern |
|
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
|
--- |
policy/modules/contrib/ntp.fc | 1 + |
policy/modules/contrib/ntp.te | 1 + |
2 files changed, 2 insertions(+) |
|
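diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 147e480..89b9cb1 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -17,6 +17,7 @@
 
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
 
 /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
 /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)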
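Review bot: The added `/var/db/ntp-kod` line sits below the two `/var/lib` entries with nothing saying why a lone file under `/var/db` shares `ntp_drift_t`, and it breaks the path ordering the visible entries otherwise follow. I would move it ahead of `/var/lib/ntp(/.*)?` and add `# sntp KoD history file, default path; the name must match the "ntp-kod" files_var_filetrans in ntp.te`. The entry matches that one literal path as a regular file (`--`), so an sntp run pointed at a different KoD file gets neither this label nor the named transition. A file that already exists under its old label also keeps it until it is relabelled, for example with `restorecon`.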
38 |
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te |
39 |
index c37385e..37d974a 100644 |
40 |
--- a/policy/modules/contrib/ntp.te |
41 |
+++ b/policy/modules/contrib/ntp.te |
42 |
@@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen }; |
43 |
|
44 |
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) |
45 |
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) |
46 |
+files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod") |
47 |
|
48 |
allow ntpd_t ntp_conf_t:file read_file_perms; |