diff options
author | Dave Sugar <dsugar@tresys.com> | 2018-03-05 09:02:58 -0500 |
---|---|---|
committer | Sven Vermeulen <swift@gentoo.org> | 2018-03-25 11:30:41 +0200 |
commit | a70aa3e3b948e30a7ed01a9d09b762419fa76d48 (patch) | |
tree | 2adf06d4857373a2983fa4a4e6ecebff3bc94198 | |
parent | ntp: Module version bump. (diff) | |
download | hardened-refpolicy-a70aa3e3b948e30a7ed01a9d09b762419fa76d48.tar.gz hardened-refpolicy-a70aa3e3b948e30a7ed01a9d09b762419fa76d48.tar.bz2 hardened-refpolicy-a70aa3e3b948e30a7ed01a9d09b762419fa76d48.zip |
Separate type for chronyd config file.
Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.
Fixed summary for chronyd_rw_config interface from previous submission.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
-rw-r--r-- | policy/modules/contrib/chronyd.fc | 1 | ||||
-rw-r--r-- | policy/modules/contrib/chronyd.if | 38 | ||||
-rw-r--r-- | policy/modules/contrib/chronyd.te | 5 |
3 files changed, 44 insertions, 0 deletions
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc index ca2747e72..445f37494 100644 --- a/policy/modules/contrib/chronyd.fc +++ b/policy/modules/contrib/chronyd.fc @@ -1,3 +1,4 @@ +/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0) /etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index 3d45be4cb..e0a751ac9 100644 --- a/policy/modules/contrib/chronyd.if +++ b/policy/modules/contrib/chronyd.if @@ -76,6 +76,44 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') +##################################### +## <summary> +## Read chronyd config file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_read_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file read_file_perms; +') + +##################################### +## <summary> +## Read and write chronyd config file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_rw_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file rw_file_perms; +') + ######################################## ## <summary> ## Read and write chronyd shared memory. diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 0de7b520a..09d7f8343 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -9,6 +9,9 @@ type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyd_conf_t; +files_config_file(chronyd_conf_t) + type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) +chronyd_read_config(chronyd_t) + optional_policy(` gpsd_rw_shm(chronyd_t) ') |