selinux-policy/policy/modules/system/clock.te

83 lines
1.7 KiB
Plaintext

policy_module(clock, 1.6.0)
########################################
#
# Declarations
#
type adjtime_t;
files_type(adjtime_t)
type hwclock_t;
type hwclock_exec_t;
init_system_domain(hwclock_t, hwclock_exec_t)
role system_r types hwclock_t;
########################################
#
# Local policy
#
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file rw_fifo_file_perms;
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
kernel_read_kernel_sysctls(hwclock_t)
kernel_read_system_state(hwclock_t)
corecmd_exec_bin(hwclock_t)
corecmd_exec_shell(hwclock_t)
dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
files_read_etc_files(hwclock_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_ttys(hwclock_t)
term_use_all_ttys(hwclock_t)
term_use_all_ptys(hwclock_t)
domain_use_interactive_fds(hwclock_t)
init_use_fds(hwclock_t)
init_use_script_ptys(hwclock_t)
logging_send_audit_msgs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
optional_policy(`
apm_append_log(hwclock_t)
apm_rw_stream_sockets(hwclock_t)
')
optional_policy(`
nscd_socket_use(hwclock_t)
')
optional_policy(`
seutil_sigchld_newrole(hwclock_t)
')
optional_policy(`
udev_read_db(hwclock_t)
')
optional_policy(`
userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
')