policy_module(clock,1.0) ######################################## # # Declarations # type adjtime_t; files_type(adjtime_t) type hwclock_t; type hwclock_exec_t; init_system_domain(hwclock_t,hwclock_exec_t) role system_r types hwclock_t; ######################################## # # Local policy # allow hwclock_t self:process signal_perms; # Give hwclock the capabilities it requires. dac_override is a surprise, # but hwclock does require it. allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; kernel_read_kernel_sysctl(hwclock_t) kernel_list_proc(hwclock_t) kernel_read_proc_symlinks(hwclock_t) dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) fs_getattr_xattr_fs(hwclock_t) fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) term_use_unallocated_tty(hwclock_t) term_use_all_user_ttys(hwclock_t) term_use_all_user_ptys(hwclock_t) domain_use_wide_inherit_fd(hwclock_t) init_use_fd(hwclock_t) init_use_script_pty(hwclock_t) files_list_etc(hwclock_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(hwclock_t) libs_use_ld_so(hwclock_t) libs_use_shared_libs(hwclock_t) logging_send_syslog_msg(hwclock_t) miscfiles_read_localization(hwclock_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(hwclock_t) term_dontaudit_use_generic_pty(hwclock_t) files_dontaudit_read_root_file(hwclock_t) ') optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(hwclock_t) ') optional_policy(`udev.te', ` udev_read_db(hwclock_t) ') optional_policy(`userdomain.te',` userdom_dontaudit_use_unpriv_user_fd(hwclock_t) ') ifdef(`TODO',` optional_policy(`rhgb.te', ` rhgb_domain(hwclock_t) ') optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') ') dnl end TODO