trunk: ntp and setrans update from dan.

policy/modules/services/ntp.fc

@@ -1,11 +1,14 @@
 
-/etc/ntp(d)?\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
-
 /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntpd?\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)?			gen_context(system_u:object_r:ntpd_key_t,s0)
 /etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys			--	gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
 
 /usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)

policy/modules/services/ntp.te

@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.6.1)
+policy_module(ntp, 1.6.2)
 
 ########################################
 #
@@ -13,9 +13,15 @@ type ntpd_t;
 type ntpd_exec_t;
 init_daemon_domain(ntpd_t, ntpd_exec_t)
 
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
 
+type ntpd_script_exec_t;
+init_script_file(ntpd_script_exec_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
@@ -34,7 +40,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # ntpdate wants sys_nice
 allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
@@ -45,6 +51,8 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 
 can_exec(ntpd_t,ntpd_exec_t)
 
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
 logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
@@ -83,6 +91,8 @@ dev_read_urand(ntpd_t)
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
 
+term_use_ptmx(ntpd_t)
+
 auth_use_nsswitch(ntpd_t)
 
 corecmd_exec_bin(ntpd_t)
@@ -108,6 +118,7 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 
 sysadm_list_home_dirs(ntpd_t)
+sysadm_dontaudit_list_home_dirs(ntpd_t)
 
 optional_policy(`
 	# for cron jobs
@@ -120,6 +131,10 @@ optional_policy(`
 	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
 ')
 
+optional_policy(`
+	hal_dontaudit_write_log(ntpd_t)
+')
+
 optional_policy(`
 	logrotate_exec(ntpd_t)
 ')

policy/modules/system/setrans.te

@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.4.0)
+policy_module(setrans, 1.4.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@ ifdef(`enable_mls',`
 #
 
 allow setrans_t self:capability sys_resource;
-allow setrans_t self:process { setrlimit setcap signal_perms };
+allow setrans_t self:process { setrlimit getcap setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;