ntp patch from Dan Walsh.

policy/modules/services/ntp.if

@@ -35,6 +35,32 @@ interface(`ntp_domtrans',`
 	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
 ')
 
+########################################
+## <summary>
+##	Execute ntp in the ntp domain, and
+##	allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	ntp_domtrans($1)
+	role $2 types ntpd_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute ntp server in the ntpd domain.
@@ -54,6 +80,24 @@ interface(`ntp_domtrans_ntpdate',`
 	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
 ')
 
+########################################
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+	gen_require(`
+		type ntpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write ntpd shared memory.
@@ -64,7 +108,7 @@ interface(`ntp_domtrans_ntpdate',`
 ##	</summary>
 ## </param>
 #
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
 	gen_require(`
 		type ntpd_t, ntpd_tmpfs_t;
 	')

policy/modules/services/ntp.te

@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.9.0)
+policy_module(ntp, 1.9.1)
 
 ########################################
 #
@@ -41,10 +41,11 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 
 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -55,6 +56,7 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 can_exec(ntpd_t, ntpd_exec_t)
 
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@@ -75,6 +77,7 @@ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)