selinux-policy/policy/modules/services/ntp.if

## <summary>Network time protocol daemon</summary>

########################################
## <summary>
##	NTP stub interface.  No access allowed.
## </summary>
## <param name="domain" unused="true">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_stub',`
	gen_require(`
		type ntpd_t;
	')
')

########################################
## <summary>
##	Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_domtrans',`
	gen_require(`
		type ntpd_t, ntpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
')

########################################
## <summary>
##	Execute ntp in the ntp domain, and
##	allow the specified role the ntp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ntp_run',`
	gen_require(`
		type ntpd_t;
	')

	ntp_domtrans($1)
	role $2 types ntpd_t;
')

########################################
## <summary>
##	Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_domtrans_ntpdate',`
	gen_require(`
		type ntpd_t, ntpdate_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
')

########################################
## <summary>
##	Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ntp_initrc_domtrans',`
	gen_require(`
		type ntpd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')

########################################
## <summary>
##	Read and write ntpd shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ntp_rw_shm',`
	gen_require(`
		type ntpd_t, ntpd_tmpfs_t;
	')

	allow $1 ntpd_t:shm rw_shm_perms;
	list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	fs_search_tmpfs($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an ntp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the ntp domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ntp_admin',`
	gen_require(`
		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
	')

	allow $1 ntpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ntpd_t)

	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ntpd_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, ntpd_key_t)

	logging_list_logs($1)
	admin_pattern($1, ntpd_log_t)

	files_list_tmp($1)
	admin_pattern($1, ntpd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, ntpd_var_run_t)
')
add ntp 2005-09-05 16:47:19 +00:00			`## <summary>Network time protocol daemon</summary>`

more updates 2005-09-15 21:03:29 +00:00			`########################################`
			`## <summary>`
			`## NTP stub interface. No access allowed.`
			`## </summary>`
trunk: more xml doc fixes. 2008-06-24 14:43:47 +00:00			`## <param name="domain" unused="true">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
trunk: more xml doc fixes. 2008-06-24 14:43:47 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more updates 2005-09-15 21:03:29 +00:00			`## </param>`
			`#`
			interface(`ntp_stub',`
add cpucontrol 2005-09-20 18:15:35 +00:00			gen_require(`
more updates 2005-09-15 21:03:29 +00:00			`type ntpd_t;`
			`')`
			`')`

add ntp 2005-09-05 16:47:19 +00:00			`########################################`
			`## <summary>`
			`## Execute ntp server in the ntpd domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add ntp 2005-09-05 16:47:19 +00:00			`## </param>`
			`#`
			interface(`ntp_domtrans',`
			gen_require(`
			`type ntpd_t, ntpd_exec_t;`
			`')`

Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00			`corecmd_search_bin($1)`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, ntpd_exec_t, ntpd_t)`
add ntp 2005-09-05 16:47:19 +00:00			`')`

ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			`########################################`
			`## <summary>`
			`## Execute ntp in the ntp domain, and`
			`## allow the specified role the ntp domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`ntp_run',`
			gen_require(`
			`type ntpd_t;`
			`')`

			`ntp_domtrans($1)`
			`role $2 types ntpd_t;`
			`')`

add ntp 2005-09-05 16:47:19 +00:00			`########################################`
			`## <summary>`
			`## Execute ntp server in the ntpd domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add ntp 2005-09-05 16:47:19 +00:00			`## </param>`
			`#`
			interface(`ntp_domtrans_ntpdate',`
			gen_require(`
			`type ntpd_t, ntpdate_exec_t;`
			`')`

Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00			`corecmd_search_bin($1)`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, ntpdate_exec_t, ntpd_t)`
add ntp 2005-09-05 16:47:19 +00:00			`')`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00
trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00			`########################################`
ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			`## <summary>`
			`## Execute ntp server in the ntpd domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`ntp_initrc_domtrans',`
			gen_require(`
			`type ntpd_initrc_exec_t;`
			`')`

			`init_labeled_script_domtrans($1, ntpd_initrc_exec_t)`
			`')`

			`########################################`
			`## <summary>`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`## Read and write ntpd shared memory.`
trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00			`## </summary>`
			`## <param name="domain">`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`## <summary>`
Interface documentation standardization patch from Dan Walsh. 2010-08-02 13:22:09 +00:00			`## Domain allowed access.`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`## </summary>`
trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00			`## </param>`
			`#`
ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			interface(`ntp_rw_shm',`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			gen_require(`
			`type ntpd_t, ntpd_tmpfs_t;`
			`')`
trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`allow $1 ntpd_t:shm rw_shm_perms;`
			`list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)`
			`rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)`
			`read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)`
			`fs_search_tmpfs($1)`
trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00			`')`

trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`########################################`
			`## <summary>`
ntp patch from Dan Walsh. 2010-01-07 14:00:39 +00:00			`## All of the rules required to administrate`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`## an ntp environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the ntp domain.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`ntp_admin',`
			gen_require(`
			`type ntpd_t, ntpd_tmp_t, ntpd_log_t;`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 959aa527a5394d23b994ecf75347d2445106d0c4 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squach me with 779a708452142d6e4ac2ba2a158f724782a03291 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 89180ea115794aadddaa9b356ab1dfcdc9ff102 2010-09-20 10:09:09 +00:00			`type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`')`

Access to get attributes of target accountsd_t domain is included with ps_process_pattern. Permission to get attributes of target arpwatch_t domain is included with ps_process_pattern. Access to get attributes of target asterisk_t domain is included with ps_process_pattern. Permission to get attributes of target automount_t domain is included with ps_process_pattern. Access to get attributes of target ntpd_t domain is included with ps_process_pattern. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-09-15 08:23:24 +00:00			`allow $1 ntpd_t:process { ptrace signal_perms };`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`ps_process_pattern($1, ntpd_t)`

			`init_labeled_script_domtrans($1, ntpd_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 ntpd_initrc_exec_t system_r;`
			`allow $2 system_r;`

			`admin_pattern($1, ntpd_key_t)`

			`logging_list_logs($1)`
			`admin_pattern($1, ntpd_log_t)`

			`files_list_tmp($1)`
			`admin_pattern($1, ntpd_tmp_t)`

			`files_list_pids($1)`
			`admin_pattern($1, ntpd_var_run_t)`
			`')`