selinux-policy/policy/modules/services/chronyd.if

## <summary>Chrony NTP background daemon</summary>
#####################################
## <summary>
## Execute chronyd in the chronyd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`chronyd_domtrans',`
	# Types this interface refers to; they must already be declared.
	gen_require(`
		type chronyd_t, chronyd_exec_t;
	')

	# Presumably lets the caller reach the chronyd executable through
	# the bin directories -- confirm against corecmd_search_bin.
	corecmd_search_bin($1)

	# Domain transition from the caller into chronyd_t, keyed on files
	# labelled chronyd_exec_t. The caller gains the ability to start a
	# process in chronyd_t, so grant this only to domains that are meant
	# to launch the daemon.
	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
########################################
## <summary>
## Execute chronyd server in the chronyd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`chronyd_initrc_domtrans',`
	# Only the init script type is needed; chronyd_t is not referenced.
	gen_require(`
		type chronyd_initrc_exec_t;
	')

	# NOTE(review): the summary says the chronyd domain, but the
	# transition is delegated to init_labeled_script_domtrans with the
	# init script type. Confirm the resulting domain against that
	# interface before relying on the summary wording.
	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
')
####################################
## <summary>
## Execute chronyd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`chronyd_exec',`
	# Only the executable file type is needed here.
	gen_require(`
		type chronyd_exec_t;
	')

	# Execute permission on chronyd_exec_t files. There is no
	# domtrans_pattern call, so this interface sets up no transition
	# into chronyd_t.
	# NOTE(review): chronyd_domtrans also calls corecmd_search_bin for
	# the caller; this interface does not, so directory search on the
	# bin locations has to come from elsewhere in the callers policy.
	can_exec($1, chronyd_exec_t)
')
#####################################
## <summary>
## Read chronyd logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`chronyd_read_log',`
	# Log file type this interface depends on.
	gen_require(`
		type chronyd_var_log_t;
	')

	# Presumably search access on the system log directories so the
	# chronyd log files below them can be reached -- confirm against
	# logging_search_logs.
	logging_search_logs($1)

	# Read pattern with chronyd_var_log_t as both the directory type
	# and the file type. No write or append access is requested here.
	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
########################################
## <summary>
## Read and write chronyd shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`chronyd_rw_shm',`
	# The daemon domain (for the shm object) and its tmpfs file type.
	gen_require(`
		type chronyd_t, chronyd_tmpfs_t;
	')

	# Read and write on shm objects labelled chronyd_t.
	# NOTE(review): what chronyd exchanges through this memory is not
	# visible in this file. Because the caller gets write access to
	# state shared with the time daemon, keep the list of callers short.
	allow $1 chronyd_t:shm rw_shm_perms;

	# Matching access to the tmpfs objects: list the directory, read
	# and write the files, and read symlinks, all typed chronyd_tmpfs_t.
	allow $1 chronyd_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)

	# Presumably search on the tmpfs mount itself -- confirm against
	# fs_search_tmpfs.
	fs_search_tmpfs($1)
')
########################################
## <summary>
## Read chronyd keys files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`chronyd_read_keys',`
	# Key file type this interface depends on.
	gen_require(`
		type chronyd_keys_t;
	')

	# Read pattern with chronyd_keys_t as both the directory type and
	# the file type.
	# NOTE(review): going by the type name these files presumably hold
	# chronyd authentication keys, so every caller can read that
	# material -- confirm and keep the caller list minimal. No search
	# of a parent directory is granted here.
	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
########################################
## <summary>
## Append chronyd keys files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`chronyd_append_keys',`
	# Key file type this interface depends on.
	gen_require(`
		type chronyd_keys_t;
	')

	# Append pattern only: this interface requests neither read nor
	# general write on chronyd_keys_t files.
	# NOTE(review): a caller that can append to the keys files can
	# presumably add entries that chronyd later trusts -- confirm which
	# domains need this.
	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
####################################
## <summary>
## All of the rules required to administrate
## a chronyd environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the chronyd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`chronyd_admin',`
	# Every chronyd type the admin rules below touch.
	gen_require(`
		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
		type chronyd_keys_t;
	')

	# Process control over the running daemon.
	# NOTE(review): ptrace is granted unconditionally next to the signal
	# permissions. Tracing lets the admin domain inspect and alter a
	# chronyd_t process, which is a far stronger grant than signalling
	# it. Confirm that every caller of this interface needs it.
	allow $1 chronyd_t:process { ptrace signal_perms };
	ps_process_pattern($1, chronyd_t)

	# Init script handling: the admin domain may run the chronyd init
	# script, and the role argument is allowed system_r with a role
	# transition on chronyd_initrc_exec_t.
	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 chronyd_initrc_exec_t system_r;
	allow $2 system_r;

	# Key files. admin_pattern is applied to chronyd_keys_t, so the
	# admin domain is not limited to the read or append access of the
	# narrower key interfaces.
	files_list_etc($1)
	admin_pattern($1, chronyd_keys_t)

	# Log files.
	logging_list_logs($1)
	admin_pattern($1, chronyd_var_log_t)

	# State under the var lib tree.
	files_list_var_lib($1)
	admin_pattern($1, chronyd_var_lib_t)

	# Pid and other runtime files.
	files_list_pids($1)
	admin_pattern($1, chronyd_var_run_t)

	# tmpfs objects.
	admin_pattern($1, chronyd_tmpfs_t)
')