diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index bb0089ea..a09a9ae3 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -35,6 +35,32 @@ interface(`ntp_domtrans',`
domtrans_pattern($1, ntpd_exec_t, ntpd_t)
')
+########################################
+##
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
########################################
##
## Execute ntp server in the ntpd domain.
@@ -55,7 +81,25 @@ interface(`ntp_domtrans_ntpdate',`
')
########################################
-##
+##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+##
## Read and write ntpd shared memory.
##
##
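Review bot: The summary on the new ntp_initrc_domtrans interface is copied from ntp_domtrans and does not describe what it does: the body calls init_labeled_script_domtrans with ntpd_initrc_exec_t, which by its name (and the refpolicy convention for *_initrc_domtrans interfaces) transitions the caller into the init-script domain, not into ntpd_t. Replace `## Execute ntp server in the ntpd domain.` with `## Execute ntp init scripts in the initrc domain.` so that whoever grants this interface to an admin domain understands it confers init-script execution rather than ntpd execution. The parameter description `## The type of the process performing this action.` is fine as is, but note it differs in wording from the `## Domain allowed access.` used by the other interfaces in this file.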
@@ -64,7 +108,7 @@ interface(`ntp_domtrans_ntpdate',`
##
##
#
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
gen_require(`
type ntpd_t, ntpd_tmpfs_t;
')
@@ -78,7 +122,7 @@ interface(`ntpd_rw_shm',`
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an ntp environment
##
##
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 330b80f9..745e3a4a 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.9.0)
+policy_module(ntp, 1.9.1)
########################################
#
@@ -41,10 +41,11 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# sys_resource and setrlimit is for locking memory
# ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
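Review bot: The ipc_owner capability added to `allow ntpd_t self:capability { ... ipc_owner ... }` has no justification, unlike the neighbouring comments that explain sys_resource/setrlimit and sys_nice, and CAP_IPC_OWNER bypasses DAC ownership checks on any SysV IPC object the process can reach rather than only the segment the new `allow ntpd_t self:shm create_shm_perms;` rule covers. Under type enforcement the reach is bounded to segments labeled ntpd_t, since only self:shm is allowed here, but the DAC bypass still applies to every such segment, including ones shared with callers of ntp_rw_shm. If the trigger is, as it presumably is, the SHM refclock attaching to root-owned 0600 segments after ntpd drops privileges, record that above the rule: `# ipc_owner: SHM refclock segments are root-owned 0600 and ntpd drops privileges - TODO confirm`. If the capability is merely probed rather than required, a dontaudit on the existing line below is the tighter choice.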
@@ -55,6 +56,7 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
can_exec(ntpd_t, ntpd_exec_t)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr;
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@@ -75,6 +77,7 @@ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
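Review bot: kernel_request_load_module(ntpd_t) lets a network-facing daemon trigger kernel module autoloading (presumably the kernel_t:system module_request permission), which widens the kernel attack surface reachable from ntpd, and nothing in the hunk says which module ntpd actually asks for. The usual refpolicy treatment of a stray module_request denial, typically from a socket family, netlink protocol or ioctl with no driver loaded, is `kernel_dontaudit_request_load_module(ntpd_t)`, which silences the AVC without granting the load. Keep the allow form only if a specific module (for example a PPS or refclock driver) is confirmed to be needed, and say so in a comment such as `# module_request: autoload <module> for refclock support - TODO confirm`. The surrounding rule block for ntpd_t continues past the end of this hunk.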