policy_module(clockspeed,1.0.0) ######################################## # # Declarations # type clockspeed_cli_t; type clockspeed_cli_exec_t; domain_type(clockspeed_cli_t) domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t) type clockspeed_srv_t; type clockspeed_srv_exec_t; init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) type clockspeed_var_lib_t; files_type(clockspeed_var_lib_t) ######################################## # # Client local policy # allow clockspeed_cli_t self:capability sys_time; allow clockspeed_cli_t self:udp_socket create_socket_perms; allow clockspeed_cli_t clockspeed_var_lib_t:dir search; allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read }; corenet_non_ipsec_sendrecv(clockspeed_cli_t) corenet_udp_sendrecv_generic_if(clockspeed_cli_t) corenet_udp_sendrecv_generic_node(clockspeed_cli_t) corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) files_list_var_lib(clockspeed_cli_t) files_read_etc_files(clockspeed_cli_t) libs_use_ld_so(clockspeed_cli_t) libs_use_shared_libs(clockspeed_cli_t) miscfiles_read_localization(clockspeed_cli_t) ######################################## # # Server local policy # allow clockspeed_srv_t self:capability { sys_time net_bind_service }; allow clockspeed_srv_t self:udp_socket create_socket_perms; allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms; allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms; allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms; corenet_non_ipsec_sendrecv(clockspeed_srv_t) corenet_udp_sendrecv_generic_if(clockspeed_srv_t) corenet_udp_sendrecv_generic_node(clockspeed_srv_t) corenet_udp_sendrecv_ntp_port(clockspeed_srv_t) corenet_udp_bind_inaddr_any_node(clockspeed_srv_t) corenet_udp_bind_clockspeed_port(clockspeed_srv_t) files_read_etc_files(clockspeed_srv_t) files_list_var_lib(clockspeed_srv_t) libs_use_ld_so(clockspeed_srv_t) libs_use_shared_libs(clockspeed_srv_t) miscfiles_read_localization(clockspeed_srv_t) optional_policy(` daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t) ')