selinux-policy/targeted/domains/program/ntpd.te

#DESC NTPD - Time synchronisation daemon
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ntp ntp-simple
#

#################################
#
# Rules for the ntpd_t domain.
#
daemon_domain(ntpd, `, nscd_client_domain')
type ntp_drift_t, file_type, sysadmfile;

type ntpdate_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)

logdir_domain(ntpd)

allow ntpd_t var_lib_t:dir r_dir_perms;
allow ntpd_t usr_t:file r_file_perms;
# reading  /usr/share/ssl/cert.pem requires
allow ntpd_t usr_t:lnk_file read;
allow ntpd_t ntp_drift_t:dir rw_dir_perms;
allow ntpd_t ntp_drift_t:file create_file_perms;

# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };

# sys_resource and setrlimit is for locking memory
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { fsetid net_admin };
allow ntpd_t self:process { setcap setsched setrlimit };
# ntpdate wants sys_nice

# for some reason it creates a file in /tmp
tmp_domain(ntpd)

allow ntpd_t etc_t:dir r_dir_perms;
allow ntpd_t etc_t:file { read getattr };

# Use the network.
can_network(ntpd_t)
allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow sysadm_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;

# so the start script can change firewall entries
allow initrc_t net_conf_t:file { getattr read ioctl };

# for cron jobs
# system_crond_t is not right, cron is not doing what it should
ifdef(`crond.te', `
system_crond_entry(ntpdate_exec_t, ntpd_t)
')

can_exec(ntpd_t, initrc_exec_t)
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t etc_runtime_t:file r_file_perms;
can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
allow ntpd_t { sbin_t bin_t }:dir search;
allow ntpd_t bin_t:lnk_file read;
read_sysctl(ntpd_t);
allow ntpd_t proc_t:file r_file_perms;
allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
allow ntpd_t self:file { getattr read };
dontaudit ntpd_t domain:dir search;
ifdef(`logrotate.te', `
can_exec(ntpd_t, logrotate_exec_t)
')

allow ntpd_t devtty_t:chr_file rw_file_perms;

can_udp_send(ntpd_t, sysadm_t)
can_udp_send(sysadm_t, ntpd_t)
can_udp_send(ntpd_t, ntpd_t)
ifdef(`firstboot.te', `
dontaudit ntpd_t firstboot_t:fd use;
')
ifdef(`winbind.te', `
allow ntpd_t winbind_var_run_t:dir r_dir_perms;
allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
')
# For clock devices like wwvb1
allow ntpd_t device_t:lnk_file read;
add 1.27.1-22 targeted policy 2005-10-21 18:05:21 +00:00			`#DESC NTPD - Time synchronisation daemon`
			`#`
			`# Author: Russell Coker <russell@coker.com.au>`
			`# X-Debian-Packages: ntp ntp-simple`
			`#`

			`#################################`
			`#`
			`# Rules for the ntpd_t domain.`
			`#`
			daemon_domain(ntpd, `, nscd_client_domain')
			`type ntp_drift_t, file_type, sysadmfile;`

			`type ntpdate_exec_t, file_type, sysadmfile, exec_type;`
			`domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)`

			`logdir_domain(ntpd)`

			`allow ntpd_t var_lib_t:dir r_dir_perms;`
			`allow ntpd_t usr_t:file r_file_perms;`
			`# reading /usr/share/ssl/cert.pem requires`
			`allow ntpd_t usr_t:lnk_file read;`
			`allow ntpd_t ntp_drift_t:dir rw_dir_perms;`
			`allow ntpd_t ntp_drift_t:file create_file_perms;`

			`# for SSP`
			`allow ntpd_t urandom_device_t:chr_file { getattr read };`

			`# sys_resource and setrlimit is for locking memory`
			`allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };`
			`dontaudit ntpd_t self:capability { fsetid net_admin };`
			`allow ntpd_t self:process { setcap setsched setrlimit };`
			`# ntpdate wants sys_nice`

			`# for some reason it creates a file in /tmp`
			`tmp_domain(ntpd)`

			`allow ntpd_t etc_t:dir r_dir_perms;`
			`allow ntpd_t etc_t:file { read getattr };`

			`# Use the network.`
			`can_network(ntpd_t)`
			`allow ntpd_t ntp_port_t:tcp_socket name_connect;`
			`can_ypbind(ntpd_t)`
			`allow ntpd_t ntp_port_t:udp_socket name_bind;`
			`allow sysadm_t ntp_port_t:udp_socket name_bind;`
			`allow ntpd_t self:unix_dgram_socket create_socket_perms;`
			`allow ntpd_t self:unix_stream_socket create_socket_perms;`
			`allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;`

			`# so the start script can change firewall entries`
			`allow initrc_t net_conf_t:file { getattr read ioctl };`

			`# for cron jobs`
			`# system_crond_t is not right, cron is not doing what it should`
			ifdef(`crond.te', `
			`system_crond_entry(ntpdate_exec_t, ntpd_t)`
			`')`

			`can_exec(ntpd_t, initrc_exec_t)`
			`allow ntpd_t self:fifo_file { read write getattr };`
			`allow ntpd_t etc_runtime_t:file r_file_perms;`
			`can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })`
			`allow ntpd_t { sbin_t bin_t }:dir search;`
			`allow ntpd_t bin_t:lnk_file read;`
			`read_sysctl(ntpd_t);`
			`allow ntpd_t proc_t:file r_file_perms;`
			`allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;`
			`allow ntpd_t self:file { getattr read };`
			`dontaudit ntpd_t domain:dir search;`
			ifdef(`logrotate.te', `
			`can_exec(ntpd_t, logrotate_exec_t)`
			`')`

			`allow ntpd_t devtty_t:chr_file rw_file_perms;`

			`can_udp_send(ntpd_t, sysadm_t)`
			`can_udp_send(sysadm_t, ntpd_t)`
			`can_udp_send(ntpd_t, ntpd_t)`
			ifdef(`firstboot.te', `
			`dontaudit ntpd_t firstboot_t:fd use;`
			`')`
			ifdef(`winbind.te', `
			`allow ntpd_t winbind_var_run_t:dir r_dir_perms;`
			`allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;`
			`')`
			`# For clock devices like wwvb1`
			`allow ntpd_t device_t:lnk_file read;`