diff --git a/linuxptp.fc b/linuxptp.fc
new file mode 100644
index 0000000..d2061a9
--- /dev/null
+++ b/linuxptp.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
+
+/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
+
+/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0)
+
+/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0)
+/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0)
+/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0)
+
+/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
index 0000000..e2c96f4
--- /dev/null
+++ b/linuxptp.if
@@ -0,0 +1,142 @@
+## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.
+
+########################################
+##
+## Execute domain in the phc2sys domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`linuxptp_domtrans_phc2sys',`
+ gen_require(`
+ type phc2sys_t, phc2sys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
+')
+
+########################################
+##
+## Execute domain in the phc2sys domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`linuxptp_domtrans_ptp4l',`
+ gen_require(`
+ type ptp4l_t, ptp4l_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
+')
+######################################
+##
+## Connect to timemaster using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_stream_connect',`
+ gen_require(`
+ type timemaster_t, timemaster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
+########################################
+##
+## Read timemaster conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_read_pid_files',`
+ gen_require(`
+ type timemaster_var_run_t;
+ ')
+
+ read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
+')
+
+########################################
+##
+## Read and write timemaster shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`timemaster_rw_shm',`
+ gen_require(`
+ type timemaster_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 timemaster_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read and write ptp4l_t shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ptp4l_rw_shm',`
+ gen_require(`
+ type ptp4l_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 ptp4l_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read and write phc2sys_t shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`phc2sys_rw_shm',`
+ gen_require(`
+ type phc2sys_t, timemaster_tmpfs_t;
+ ')
+
+ allow $1 phc2sys_t:shm rw_shm_perms;
+ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/linuxptp.spec b/linuxptp.spec
index 3012cf8..513ae46 100644
--- a/linuxptp.spec
+++ b/linuxptp.spec
@@ -1,6 +1,8 @@
%global _hardened_build 1
%global testsuite_ver ff37e2
%global clknetsim_ver c4ccc2
+%global selinuxtype targeted
+%bcond_without selinux
Name: linuxptp
Version: 3.1.1
@@ -20,6 +22,10 @@ Source5: ptp4l.conf
Source10: https://github.com/mlichvar/linuxptp-testsuite/archive/%{testsuite_ver}/linuxptp-testsuite-%{testsuite_ver}.tar.gz
# simulator for test suite
Source11: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
+# selinux policy
+Source20: linuxptp.fc
+Source21: linuxptp.if
+Source22: linuxptp.te
# fix handling of zero-length messages
Patch1: linuxptp-zerolength.patch
@@ -28,6 +34,10 @@ BuildRequires: gcc gcc-c++ make systemd
%{?systemd_requires}
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
%description
This software is an implementation of the Precision Time Protocol (PTP)
according to IEEE standard 1588 for Linux. The dual design goals are to provide
@@ -35,17 +45,38 @@ a robust implementation of the standard and to use the most relevant and modern
Application Programming Interfaces (API) offered by the Linux kernel.
Supporting legacy APIs and other platforms is not a goal.
+%if 0%{?with_selinux}
+%package selinux
+Summary: linuxptp SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+linuxptp SELinux policy module
+
+%endif
+
%prep
%setup -q -a 10 -a 11 -n %{name}-%{!?gitfullver:%{version}}%{?gitfullver}
%patch1 -p1 -b .zerolength
mv linuxptp-testsuite-%{testsuite_ver}* testsuite
mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim
+mkdir selinux
+cp -p %{SOURCE20} %{SOURCE21} %{SOURCE22} selinux
%build
%{make_build} \
EXTRA_CFLAGS="$RPM_OPT_FLAGS" \
EXTRA_LDFLAGS="$RPM_LD_FLAGS"
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile linuxptp.pp
+bzip2 -9 selinux/linuxptp.pp
+%endif
+
%install
%makeinstall
@@ -60,6 +91,13 @@ echo 'OPTIONS="-a -r"' > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/phc2sys
echo '.so man8/ptp4l.8' > $RPM_BUILD_ROOT%{_mandir}/man5/ptp4l.conf.5
echo '.so man8/timemaster.8' > $RPM_BUILD_ROOT%{_mandir}/man5/timemaster.conf.5
+%if 0%{?with_selinux}
+install -D -m 0644 selinux/linuxptp.pp.bz2 \
+ $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
+install -D -p -m 0644 selinux/linuxptp.if \
+ $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/linuxptp.if
+%endif
+
%check
cd testsuite
# set random seed to get deterministic results
@@ -76,6 +114,27 @@ PATH=..:$PATH ./run
%postun
%systemd_postun_with_restart phc2sys.service ptp4l.service timemaster.service
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} linuxptp
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.*
+%{_datadir}/selinux/devel/include/distributed/linuxptp.if
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/linuxptp
+
+%endif
+
%files
%doc COPYING README.org configs
%config(noreplace) %{_sysconfdir}/ptp4l.conf
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 0000000..a8dc3d1
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,191 @@
+policy_module(linuxptp, 1.0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+type timemaster_t;
+type timemaster_exec_t;
+init_daemon_domain(timemaster_t, timemaster_exec_t)
+
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
+type phc2sys_t;
+type phc2sys_exec_t;
+init_daemon_domain(phc2sys_t, phc2sys_exec_t)
+
+type phc2sys_unit_file_t;
+systemd_unit_file(phc2sys_unit_file_t)
+
+type ptp4l_t;
+type ptp4l_exec_t;
+init_daemon_domain(ptp4l_t, ptp4l_exec_t)
+
+type ptp4l_unit_file_t;
+systemd_unit_file(ptp4l_unit_file_t)
+
+########################################
+#
+# timemaster local policy
+#
+
+allow timemaster_t self:process { signal_perms setcap};
+allow timemaster_t self:fifo_file rw_fifo_file_perms;
+allow timemaster_t self:capability { setuid sys_time kill setgid };
+allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
+allow timemaster_t self:shm create_shm_perms;
+allow timemaster_t self:udp_socket create_socket_perms;
+
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
+
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
+dev_read_urand(timemaster_t)
+
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
+ ntp_domtrans(timemaster_t)
+ ntp_signal(timemaster_t)
+')
+
+optional_policy(`
+ chronyd_domtrans(timemaster_t)
+ chronyd_rw_shm(timemaster_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(timemaster_t)
+')
+
+
+optional_policy(`
+ chronyd_signal(timemaster_t)
+')
+
+
+optional_policy(`
+ linuxptp_domtrans_ptp4l(timemaster_t)
+')
+
+optional_policy(`
+ linuxptp_domtrans_phc2sys(timemaster_t)
+')
+
+########################################
+#
+# phc2sys local policy
+#
+
+allow phc2sys_t self:capability sys_time;
+allow phc2sys_t self:fifo_file rw_fifo_file_perms;
+allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
+allow phc2sys_t self:shm create_shm_perms;
+allow phc2sys_t self:udp_socket create_socket_perms;
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
+ chronyd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+ ptp4l_rw_shm(phc2sys_t)
+')
+
+########################################
+#
+# ptp4l local policy
+#
+
+allow ptp4l_t self:fifo_file rw_fifo_file_perms;
+allow ptp4l_t self:packet_socket create_socket_perms;
+allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
+allow ptp4l_t self:shm create_shm_perms;
+allow ptp4l_t self:udp_socket create_socket_perms;
+allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { bpf wake_alarm };
+allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+files_write_generic_pid_sockets(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+ chronyd_rw_shm(ptp4l_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ptp4l_t)
+')