rpms/linuxptp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

package selinux policy

Browse Source 
Package a copy of the current distribution linuxptp policy, following
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
This commit is contained in:
Miroslav Lichvar 2021-07-21 16:56:48 +02:00
parent 6dd3a01fe0
commit 3afde7fc09
4 changed files with 403 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
linuxptp.fc Normal file
View File

@ -0,0 +1,11 @@
/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0)
/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0)
/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0)
/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0)
/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)

142
linuxptp.if Normal file
View File

@ -0,0 +1,142 @@
## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
########################################
## <summary>
## Execute domain in the phc2sys domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`linuxptp_domtrans_phc2sys',`
gen_require(`
type phc2sys_t, phc2sys_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
')
########################################
## <summary>
## Execute domain in the phc2sys domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`linuxptp_domtrans_ptp4l',`
gen_require(`
type ptp4l_t, ptp4l_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
')
######################################
## <summary>
## Connect to timemaster using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`timemaster_stream_connect',`
gen_require(`
type timemaster_t, timemaster_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
')
########################################
## <summary>
## Read timemaster conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`timemaster_read_pid_files',`
gen_require(`
type timemaster_var_run_t;
')
read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
')
########################################
## <summary>
## Read and write timemaster shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`timemaster_rw_shm',`
gen_require(`
type timemaster_t, timemaster_tmpfs_t;
')
allow $1 timemaster_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
')
########################################
## <summary>
## Read and write ptp4l_t shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ptp4l_rw_shm',`
gen_require(`
type ptp4l_t, timemaster_tmpfs_t;
')
allow $1 ptp4l_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
')
########################################
## <summary>
## Read and write phc2sys_t shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`phc2sys_rw_shm',`
gen_require(`
type phc2sys_t, timemaster_tmpfs_t;
')
allow $1 phc2sys_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
')

59
linuxptp.spec
View File

@ -1,6 +1,8 @@
%global _hardened_build 1 %global _hardened_build 1
%global testsuite_ver ff37e2 %global testsuite_ver ff37e2
%global clknetsim_ver c4ccc2 %global clknetsim_ver c4ccc2
%global selinuxtype targeted
%bcond_without selinux
Name: linuxptp Name: linuxptp
Version: 3.1.1 Version: 3.1.1
@ -20,6 +22,10 @@ Source5: ptp4l.conf
Source10: https://github.com/mlichvar/linuxptp-testsuite/archive/%{testsuite_ver}/linuxptp-testsuite-%{testsuite_ver}.tar.gz Source10: https://github.com/mlichvar/linuxptp-testsuite/archive/%{testsuite_ver}/linuxptp-testsuite-%{testsuite_ver}.tar.gz
# simulator for test suite # simulator for test suite
Source11: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz Source11: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
# selinux policy
Source20: linuxptp.fc
Source21: linuxptp.if
Source22: linuxptp.te
# fix handling of zero-length messages # fix handling of zero-length messages
Patch1: linuxptp-zerolength.patch Patch1: linuxptp-zerolength.patch
@ -28,6 +34,10 @@ BuildRequires: gcc gcc-c++ make systemd
%{?systemd_requires} %{?systemd_requires}
%if 0%{?with_selinux}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description %description
This software is an implementation of the Precision Time Protocol (PTP) This software is an implementation of the Precision Time Protocol (PTP)
according to IEEE standard 1588 for Linux. The dual design goals are to provide according to IEEE standard 1588 for Linux. The dual design goals are to provide
@ -35,17 +45,38 @@ a robust implementation of the standard and to use the most relevant and modern
Application Programming Interfaces (API) offered by the Linux kernel. Application Programming Interfaces (API) offered by the Linux kernel.
Supporting legacy APIs and other platforms is not a goal. Supporting legacy APIs and other platforms is not a goal.
%if 0%{?with_selinux}
%package selinux
Summary: linuxptp SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
linuxptp SELinux policy module
%endif
%prep %prep
%setup -q -a 10 -a 11 -n %{name}-%{!?gitfullver:%{version}}%{?gitfullver} %setup -q -a 10 -a 11 -n %{name}-%{!?gitfullver:%{version}}%{?gitfullver}
%patch1 -p1 -b .zerolength %patch1 -p1 -b .zerolength
mv linuxptp-testsuite-%{testsuite_ver}* testsuite mv linuxptp-testsuite-%{testsuite_ver}* testsuite
mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim
mkdir selinux
cp -p %{SOURCE20} %{SOURCE21} %{SOURCE22} selinux
%build %build
%{make_build} \ %{make_build} \
EXTRA_CFLAGS="$RPM_OPT_FLAGS" \ EXTRA_CFLAGS="$RPM_OPT_FLAGS" \
EXTRA_LDFLAGS="$RPM_LD_FLAGS" EXTRA_LDFLAGS="$RPM_LD_FLAGS"
%if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile linuxptp.pp
bzip2 -9 selinux/linuxptp.pp
%endif
%install %install
%makeinstall %makeinstall
@ -60,6 +91,13 @@ echo 'OPTIONS="-a -r"' > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/phc2sys
echo '.so man8/ptp4l.8' > $RPM_BUILD_ROOT%{_mandir}/man5/ptp4l.conf.5 echo '.so man8/ptp4l.8' > $RPM_BUILD_ROOT%{_mandir}/man5/ptp4l.conf.5
echo '.so man8/timemaster.8' > $RPM_BUILD_ROOT%{_mandir}/man5/timemaster.conf.5 echo '.so man8/timemaster.8' > $RPM_BUILD_ROOT%{_mandir}/man5/timemaster.conf.5
%if 0%{?with_selinux}
install -D -m 0644 selinux/linuxptp.pp.bz2 \
$RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
install -D -p -m 0644 selinux/linuxptp.if \
$RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/linuxptp.if
%endif
%check %check
cd testsuite cd testsuite
# set random seed to get deterministic results # set random seed to get deterministic results
@ -76,6 +114,27 @@ PATH=..:$PATH ./run
%postun %postun
%systemd_postun_with_restart phc2sys.service ptp4l.service timemaster.service %systemd_postun_with_restart phc2sys.service ptp4l.service timemaster.service
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} linuxptp
%selinux_relabel_post -s %{selinuxtype}
fi
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.*
%{_datadir}/selinux/devel/include/distributed/linuxptp.if
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/linuxptp
%endif
%files %files
%doc COPYING README.org configs %doc COPYING README.org configs
%config(noreplace) %{_sysconfdir}/ptp4l.conf %config(noreplace) %{_sysconfdir}/ptp4l.conf

191
linuxptp.te Normal file
View File

@ -0,0 +1,191 @@
policy_module(linuxptp, 1.0.0)
########################################
#
# Declarations
#
type timemaster_t;
type timemaster_exec_t;
init_daemon_domain(timemaster_t, timemaster_exec_t)
type timemaster_var_run_t;
files_pid_file(timemaster_var_run_t)
type timemaster_tmpfs_t;
files_tmpfs_file(timemaster_tmpfs_t)
type timemaster_unit_file_t;
systemd_unit_file(timemaster_unit_file_t)
type phc2sys_t;
type phc2sys_exec_t;
init_daemon_domain(phc2sys_t, phc2sys_exec_t)
type phc2sys_unit_file_t;
systemd_unit_file(phc2sys_unit_file_t)
type ptp4l_t;
type ptp4l_exec_t;
init_daemon_domain(ptp4l_t, ptp4l_exec_t)
type ptp4l_unit_file_t;
systemd_unit_file(ptp4l_unit_file_t)
########################################
#
# timemaster local policy
#
allow timemaster_t self:process { signal_perms setcap};
allow timemaster_t self:fifo_file rw_fifo_file_perms;
allow timemaster_t self:capability { setuid sys_time kill setgid };
allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
allow timemaster_t self:shm create_shm_perms;
allow timemaster_t self:udp_socket create_socket_perms;
allow timemaster_t ptp4l_t:process signal;
allow timemaster_t phc2sys_t:process signal;
allow timemaster_t ptp4l_t:shm rw_shm_perms;
manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
kernel_read_network_state(timemaster_t)
auth_use_nsswitch(timemaster_t)
corenet_udp_bind_generic_node(timemaster_t)
corenet_udp_bind_ntp_port(timemaster_t)
dev_read_urand(timemaster_t)
logging_send_syslog_msg(timemaster_t)
sysnet_read_config(timemaster_t)
optional_policy(`
ntp_domtrans(timemaster_t)
ntp_signal(timemaster_t)
')
optional_policy(`
chronyd_domtrans(timemaster_t)
chronyd_rw_shm(timemaster_t)
')
optional_policy(`
gpsd_rw_shm(timemaster_t)
')
optional_policy(`
chronyd_signal(timemaster_t)
')
optional_policy(`
linuxptp_domtrans_ptp4l(timemaster_t)
')
optional_policy(`
linuxptp_domtrans_phc2sys(timemaster_t)
')
########################################
#
# phc2sys local policy
#
allow phc2sys_t self:capability sys_time;
allow phc2sys_t self:fifo_file rw_fifo_file_perms;
allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
allow phc2sys_t self:shm create_shm_perms;
allow phc2sys_t self:udp_socket create_socket_perms;
allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
allow phc2sys_t timemaster_t:shm rw_shm_perms;
manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
dev_rw_realtime_clock(phc2sys_t)
logging_send_syslog_msg(phc2sys_t)
optional_policy(`
chronyd_rw_shm(phc2sys_t)
')
optional_policy(`
gpsd_rw_shm(phc2sys_t)
')
optional_policy(`
ntp_rw_shm(phc2sys_t)
')
optional_policy(`
ptp4l_rw_shm(phc2sys_t)
')
########################################
#
# ptp4l local policy
#
allow ptp4l_t self:fifo_file rw_fifo_file_perms;
allow ptp4l_t self:packet_socket create_socket_perms;
allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
allow ptp4l_t self:shm create_shm_perms;
allow ptp4l_t self:udp_socket create_socket_perms;
allow ptp4l_t self:capability { net_admin net_raw sys_time };
allow ptp4l_t self:capability2 { bpf wake_alarm };
allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
corenet_udp_bind_generic_node(ptp4l_t)
corenet_udp_bind_reserved_port(ptp4l_t)
kernel_read_network_state(ptp4l_t)
dev_rw_realtime_clock(ptp4l_t)
files_write_generic_pid_sockets(ptp4l_t)
logging_send_syslog_msg(ptp4l_t)
userdom_dgram_send(ptp4l_t)
optional_policy(`
chronyd_rw_shm(ptp4l_t)
')
optional_policy(`
gpsd_rw_shm(ptp4l_t)
')