ntp patch from Dan Walsh.

2010-01-07 09:00:39 -05:00 · 2010-01-07 09:00:39 -05:00 · 82cdffce58
commit 82cdffce58
parent f37b7bd0cb
2 changed files with 52 additions and 5 deletions
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@ -35,6 +35,32 @@ interface(`ntp_domtrans',`
 	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
 ')

+########################################
+## <summary>
+##	Execute ntp in the ntp domain, and
+##	allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	ntp_domtrans($1)
+	role $2 types ntpd_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute ntp server in the ntpd domain.
@ -55,7 +81,25 @@ interface(`ntp_domtrans_ntpdate',`
 ')

 ########################################
-## <summary>    
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+	gen_require(`
+		type ntpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read and write ntpd shared memory.
 ## </summary>
 ## <param name="domain">
@ -64,7 +108,7 @@ interface(`ntp_domtrans_ntpdate',`
 ##	</summary>
 ## </param>
 #
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
 	gen_require(`
 		type ntpd_t, ntpd_tmpfs_t;
 	')
@ -78,7 +122,7 @@ interface(`ntpd_rw_shm',`

 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an ntp environment
 ## </summary>
 ## <param name="domain">
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@ -1,5 +1,5 @@

-policy_module(ntp, 1.9.0)
+policy_module(ntp, 1.9.1)

 ########################################
 #
@ -41,10 +41,11 @@ init_system_domain(ntpd_t, ntpdate_exec_t)

 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@ -55,6 +56,7 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 can_exec(ntpd_t, ntpd_exec_t)

 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)

 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@ -75,6 +77,7 @@ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)

 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)