policy_module(clock,1.0.0) ######################################## # # Declarations # type adjtime_t; files_type(adjtime_t) type hwclock_t; type hwclock_exec_t; init_system_domain(hwclock_t,hwclock_exec_t) role system_r types hwclock_t; ######################################## # # Local policy # allow hwclock_t self:process signal_perms; # Give hwclock the capabilities it requires. dac_override is a surprise, # but hwclock does require it. allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; kernel_read_kernel_sysctls(hwclock_t) kernel_list_proc(hwclock_t) kernel_read_proc_symlinks(hwclock_t) dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) fs_getattr_xattr_fs(hwclock_t) fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) term_use_unallocated_ttys(hwclock_t) term_use_all_user_ttys(hwclock_t) term_use_all_user_ptys(hwclock_t) domain_use_interactive_fds(hwclock_t) init_use_fd(hwclock_t) init_use_script_ptys(hwclock_t) files_read_etc_files(hwclock_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hwclock_t) libs_use_ld_so(hwclock_t) libs_use_shared_libs(hwclock_t) logging_send_syslog_msg(hwclock_t) miscfiles_read_localization(hwclock_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(hwclock_t) term_dontaudit_use_generic_ptys(hwclock_t) files_dontaudit_read_root_files(hwclock_t) ') optional_policy(`apm',` apm_append_log(hwclock_t) apm_rw_stream_sockets(hwclock_t) ') optional_policy(`nscd',` nscd_socket_use(hwclock_t) ') optional_policy(`selinuxutil',` seutil_sigchld_newrole(hwclock_t) ') optional_policy(`udev',` udev_read_db(hwclock_t) ') optional_policy(`userdomain',` userdom_dontaudit_use_unpriv_user_fds(hwclock_t) ')