selinux-policy/policy/modules/system/clock.te

policy_module(clock,1.5.0)

########################################
#
# Declarations
#

type adjtime_t;
files_type(adjtime_t)

type hwclock_t;
type hwclock_exec_t;
init_system_domain(hwclock_t,hwclock_exec_t)
role system_r types hwclock_t;

########################################
#
# Local policy
#

# Give hwclock the capabilities it requires.  dac_override is a surprise,
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };

# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };

kernel_read_kernel_sysctls(hwclock_t)
kernel_read_system_state(hwclock_t)

corecmd_exec_bin(hwclock_t)
corecmd_exec_shell(hwclock_t)

dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)

fs_getattr_xattr_fs(hwclock_t)
fs_search_auto_mountpoints(hwclock_t)

term_dontaudit_use_console(hwclock_t)
term_use_unallocated_ttys(hwclock_t)
term_use_all_user_ttys(hwclock_t)
term_use_all_user_ptys(hwclock_t)

domain_use_interactive_fds(hwclock_t)

init_use_fds(hwclock_t)
init_use_script_ptys(hwclock_t)

files_read_etc_files(hwclock_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(hwclock_t)

libs_use_ld_so(hwclock_t)
libs_use_shared_libs(hwclock_t)

logging_send_audit_msgs(hwclock_t)
logging_send_syslog_msg(hwclock_t)

miscfiles_read_localization(hwclock_t)

optional_policy(`
	apm_append_log(hwclock_t)
	apm_rw_stream_sockets(hwclock_t)
')

optional_policy(`
	nscd_socket_use(hwclock_t)
')

optional_policy(`
	seutil_sigchld_newrole(hwclock_t)
')

optional_policy(`
	udev_read_db(hwclock_t)
')

optional_policy(`
	userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
')