diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index bb0089ea..a09a9ae3 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -35,6 +35,32 @@ interface(`ntp_domtrans',`
 	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
 ')
 
+########################################
+##
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ntp_run',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	ntp_domtrans($1)
+	role $2 types ntpd_t;
+')
+
 ########################################
 ##
 ## Execute ntp server in the ntpd domain.
@@ -55,7 +81,25 @@ interface(`ntp_domtrans_ntpdate',`
 ')
 
 ########################################
-##
+##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ntp_initrc_domtrans',`
+	gen_require(`
+		type ntpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+##
 ## Read and write ntpd shared memory.
 ##
 ##
@@ -64,7 +108,7 @@ interface(`ntp_domtrans_ntpdate',`
 ##
 ##
 #
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
 	gen_require(`
 		type ntpd_t, ntpd_tmpfs_t;
 	')
@@ -78,7 +122,7 @@ interface(`ntpd_rw_shm',`
 
 ########################################
 ##
-## All of the rules required to administrate
+## All of the rules required to administrate 
 ## an ntp environment
 ##
 ##
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 330b80f9..745e3a4a 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.9.0)
+policy_module(ntp, 1.9.1)
 
 ########################################
 #
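Review bot: The summary of the new `ntp_run` interface says "Execute ntp in the ntp domain", but the domain it hands to `$2` via `role $2 types ntpd_t;` is `ntpd_t`, which the neighbouring `ntp_domtrans` summary calls "the ntpd domain". The two summaries should use the same name for the same domain so a reader of the generated interface documentation can tell they refer to one thing: `## Execute ntp server in the ntpd domain, and` / `## allow the specified role the ntpd domain.`. The `gen_require` block only lists `ntpd_t`, which is correct here since `ntp_domtrans` requires `ntpd_exec_t` itself.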
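Review bot: The summary of the new `ntp_initrc_domtrans` interface, "Execute ntp server in the ntpd domain.", is copied from `ntp_domtrans` and describes the wrong transition: the body calls `init_labeled_script_domtrans($1, ntpd_initrc_exec_t)`, which transitions the caller into the init script domain, not into `ntpd_t`. A caller reading the doc comment would expect to reach the daemon domain and could grant the interface to the wrong role. Suggest `## Execute ntp init scripts in the init script domain.`, the usual wording for `*_initrc_domtrans` interfaces in this tree.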
@@ -41,10 +41,11 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 
 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -55,6 +56,7 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 can_exec(ntpd_t, ntpd_exec_t)
 
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@@ -75,6 +77,7 @@ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
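Review bot: The `ipc_owner` capability added to the `allow ntpd_t self:capability` line has no justifying comment, while the two comment lines directly above it explain why `sys_resource` and `sys_nice` are granted. `ipc_owner` overrides ownership checks on every System V IPC object the domain can reach, so it is a much broader grant than the accompanying `allow ntpd_t self:shm create_shm_perms;`, which is scoped to segments ntpd creates itself. A line in the existing style, `# ipc_owner is for <reason>`, would record why segments ntpd needs are not owned by it. If the denial that prompted this came only from ntpd's own segments, the `self:shm` rule alone may be enough; that is worth confirming against the audit log before keeping the capability.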
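Review bot: `kernel_request_load_module(ntpd_t)` lets the daemon trigger kernel module autoloading, and nothing in the hunk says which module or operation needs it. This permission is usually requested when a domain opens a socket or device whose driver is not yet loaded; when the module is already present at boot, `kernel_dontaudit_request_load_module(ntpd_t)` silences the denial without granting the load. A short comment naming the trigger, `# <operation> triggers module autoloading`, would let a later reviewer re-check whether the grant is still needed.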