From 3afde7fc0960ba572fe0bbc67e89947abb751fb2 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 21 Jul 2021 16:56:48 +0200
Subject: [PATCH] package selinux policy

Package a copy of the current distribution linuxptp policy, following
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
---
 linuxptp.fc   |  11 +++
 linuxptp.if   | 142 +++++++++++++++++++++++++++++++++++++
 linuxptp.spec |  59 ++++++++++++++++
 linuxptp.te   | 191 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 403 insertions(+)
 create mode 100644 linuxptp.fc
 create mode 100644 linuxptp.if
 create mode 100644 linuxptp.te

diff --git a/linuxptp.fc b/linuxptp.fc
new file mode 100644
index 0000000..d2061a9
--- /dev/null
+++ b/linuxptp.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/phc2sys.*		--	gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
+
+/usr/lib/systemd/system/ptp4l.*			--	gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
+
+/usr/lib/systemd/system/timemaster.*		--	gen_context(system_u:object_r:timemaster_unit_file_t,s0)
+
+/usr/sbin/ptp4l					--	gen_context(system_u:object_r:ptp4l_exec_t,s0)
+/usr/sbin/phc2sys				--	gen_context(system_u:object_r:phc2sys_exec_t,s0)
+/usr/sbin/timemaster				--	gen_context(system_u:object_r:timemaster_exec_t,s0)
+
+/var/run/timemaster(/.*)?				gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
index 0000000..e2c96f4
--- /dev/null
+++ b/linuxptp.if
@@ -0,0 +1,142 @@
+## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
+
+########################################
+## <summary>
+##	Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_phc2sys',`
+	gen_require(`
+		type phc2sys_t, phc2sys_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
+')
+
+########################################
+## <summary>
+##	Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_ptp4l',`
+	gen_require(`
+		type ptp4l_t, ptp4l_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
+')
+######################################
+## <summary>
+##  Connect to timemaster using a unix
+##  domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`timemaster_stream_connect',`
+	gen_require(`
+        	type timemaster_t, timemaster_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
+########################################
+## <summary>
+## Read timemaster conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_read_pid_files',`
+	gen_require(`
+		type timemaster_var_run_t;
+	')
+
+    read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
+')
+
+########################################
+## <summary>
+## Read and write timemaster shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_rw_shm',`
+	gen_require(`
+		type timemaster_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 timemaster_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write ptp4l_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptp4l_rw_shm',`
+	gen_require(`
+		type ptp4l_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 ptp4l_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write phc2sys_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`phc2sys_rw_shm',`
+	gen_require(`
+		type phc2sys_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 phc2sys_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
diff --git a/linuxptp.spec b/linuxptp.spec
index 3012cf8..513ae46 100644
--- a/linuxptp.spec
+++ b/linuxptp.spec
@@ -1,6 +1,8 @@
 %global _hardened_build 1
 %global testsuite_ver ff37e2
 %global clknetsim_ver c4ccc2
+%global selinuxtype targeted
+%bcond_without selinux
 
 Name:		linuxptp
 Version:	3.1.1
@@ -20,6 +22,10 @@ Source5:	ptp4l.conf
 Source10:	https://github.com/mlichvar/linuxptp-testsuite/archive/%{testsuite_ver}/linuxptp-testsuite-%{testsuite_ver}.tar.gz
 # simulator for test suite
 Source11:	https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
+# selinux policy
+Source20:	linuxptp.fc
+Source21:	linuxptp.if
+Source22:	linuxptp.te
 
 # fix handling of zero-length messages
 Patch1:		linuxptp-zerolength.patch
@@ -28,6 +34,10 @@ BuildRequires:	gcc gcc-c++ make systemd
 
 %{?systemd_requires}
 
+%if 0%{?with_selinux}
+Requires:	(%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description
 This software is an implementation of the Precision Time Protocol (PTP)
 according to IEEE standard 1588 for Linux. The dual design goals are to provide
@@ -35,17 +45,38 @@ a robust implementation of the standard and to use the most relevant and modern
 Application Programming Interfaces (API) offered by the Linux kernel.
 Supporting legacy APIs and other platforms is not a goal.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:	linuxptp SELinux policy
+BuildArch:	noarch
+Requires:	selinux-policy-%{selinuxtype}
+Requires(post):	selinux-policy-%{selinuxtype}
+BuildRequires:	selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+linuxptp SELinux policy module
+
+%endif
+
 %prep
 %setup -q -a 10 -a 11 -n %{name}-%{!?gitfullver:%{version}}%{?gitfullver}
 %patch1 -p1 -b .zerolength
 mv linuxptp-testsuite-%{testsuite_ver}* testsuite
 mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim
+mkdir selinux
+cp -p %{SOURCE20} %{SOURCE21} %{SOURCE22} selinux
 
 %build
 %{make_build} \
 	EXTRA_CFLAGS="$RPM_OPT_FLAGS" \
 	EXTRA_LDFLAGS="$RPM_LD_FLAGS"
 
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile linuxptp.pp
+bzip2 -9 selinux/linuxptp.pp
+%endif
+
 %install
 %makeinstall
 
@@ -60,6 +91,13 @@ echo 'OPTIONS="-a -r"' > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/phc2sys
 echo '.so man8/ptp4l.8' > $RPM_BUILD_ROOT%{_mandir}/man5/ptp4l.conf.5
 echo '.so man8/timemaster.8' > $RPM_BUILD_ROOT%{_mandir}/man5/timemaster.conf.5
 
+%if 0%{?with_selinux}
+install -D -m 0644 selinux/linuxptp.pp.bz2 \
+	$RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
+install -D -p -m 0644 selinux/linuxptp.if \
+	$RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/linuxptp.if
+%endif
+
 %check
 cd testsuite
 # set random seed to get deterministic results
@@ -76,6 +114,27 @@ PATH=..:$PATH ./run
 %postun
 %systemd_postun_with_restart phc2sys.service ptp4l.service timemaster.service
 
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+	%selinux_modules_uninstall -s %{selinuxtype} linuxptp
+	%selinux_relabel_post -s %{selinuxtype}
+fi
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.*
+%{_datadir}/selinux/devel/include/distributed/linuxptp.if
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/linuxptp
+
+%endif
+
 %files
 %doc COPYING README.org configs
 %config(noreplace) %{_sysconfdir}/ptp4l.conf
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 0000000..a8dc3d1
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,191 @@
+policy_module(linuxptp, 1.0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+type timemaster_t;
+type timemaster_exec_t;
+init_daemon_domain(timemaster_t, timemaster_exec_t)
+
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
+type phc2sys_t;
+type phc2sys_exec_t;
+init_daemon_domain(phc2sys_t, phc2sys_exec_t)
+
+type phc2sys_unit_file_t;
+systemd_unit_file(phc2sys_unit_file_t)
+
+type ptp4l_t;
+type ptp4l_exec_t;
+init_daemon_domain(ptp4l_t, ptp4l_exec_t)
+
+type ptp4l_unit_file_t;
+systemd_unit_file(ptp4l_unit_file_t)
+
+########################################
+#
+# timemaster local policy
+#
+
+allow timemaster_t self:process { signal_perms setcap};
+allow timemaster_t self:fifo_file rw_fifo_file_perms;
+allow timemaster_t self:capability { setuid sys_time kill setgid };
+allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
+allow timemaster_t self:shm create_shm_perms;
+allow timemaster_t self:udp_socket create_socket_perms;
+
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
+
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
+dev_read_urand(timemaster_t)
+
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
+	ntp_domtrans(timemaster_t)
+    ntp_signal(timemaster_t)
+')
+
+optional_policy(`
+	chronyd_domtrans(timemaster_t)
+	chronyd_rw_shm(timemaster_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(timemaster_t)
+')
+
+
+optional_policy(`
+	chronyd_signal(timemaster_t)
+')
+
+
+optional_policy(`
+	linuxptp_domtrans_ptp4l(timemaster_t)
+')
+
+optional_policy(`
+	linuxptp_domtrans_phc2sys(timemaster_t)
+')
+
+########################################
+#
+# phc2sys local policy
+#
+
+allow phc2sys_t self:capability sys_time;
+allow phc2sys_t self:fifo_file rw_fifo_file_perms;
+allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
+allow phc2sys_t self:shm create_shm_perms;
+allow phc2sys_t self:udp_socket create_socket_perms;
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
+	chronyd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	ntp_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	ptp4l_rw_shm(phc2sys_t)
+')
+
+########################################
+#
+# ptp4l local policy
+#
+
+allow ptp4l_t self:fifo_file rw_fifo_file_perms;
+allow ptp4l_t self:packet_socket create_socket_perms;
+allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
+allow ptp4l_t self:shm create_shm_perms;
+allow ptp4l_t self:udp_socket create_socket_perms;
+allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { bpf wake_alarm };
+allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+files_write_generic_pid_sockets(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+	chronyd_rw_shm(ptp4l_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(ptp4l_t)
+')