selinux-refpolicy.vger.kernel.org archive mirror
From: dsugar@tresys.com (Dave Sugar)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 5/5-v4] Allow execution of chronyc from commandline
Date: Mon,  5 Mar 2018 09:03:02 -0500
Message-ID: <20180305140302.31341-6-dsugar@tresys.com>
In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com>

With the previous patch moving chronyc into a separate domain, this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.

Updated interface names based on suggestion; added the missing permission to allow the chronyc_t domain access to the tty.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 chronyd.te |  8 ++++++++
 2 files changed, 54 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 3298891..bc4ba69 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
 	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+#####################################
+## <summary>
+##	Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+	gen_require(`
+		type chronyc_t, chronyc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute chronyd server in the
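Review bot: the `_cli` suffix in `chronyd_domtrans_cli` does not follow the refpolicy habit of naming a transition interface after the domain the caller ends up in (compare `chronyd_domtrans` above, which lands in chronyd_t); `chronyd_domtrans_chronyc` would tell a reader of the role file which domain `$1` transitions to without opening this file. The body itself is the standard pattern (`corecmd_search_bin($1)` then `domtrans_pattern($1, chronyc_exec_t, chronyc_t)`), so only the name and the summary wording need attention.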
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
 	can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute chronyc in the chronyc domain,
+##	and allow the specified roles the
+##	chronyc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+	gen_require(`
+		attribute_role chronyc_roles;
+	')
+
+	chronyd_domtrans_cli($1)
+	roleattribute $2 chronyc_roles;
+')
+
 #####################################
 ## <summary>
 ##	Read chronyd log files.
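Review bot: nothing in this series calls `chronyd_run_cli`, so after the patch no role actually gains the chronyc transition or membership in `chronyc_roles`; either wire it into the role policy in this series (e.g. `chronyd_run_cli(sysadm_t, sysadm_r)` inside an `optional_policy` block in the sysadm role file) or say in the commit message that the callers follow separately. The `<rolecap/>` tag and `roleattribute $2 chronyc_roles;` are correct for a run interface, and the same naming remark as for the domtrans interface applies (`chronyd_run_chronyc`).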
diff --git a/chronyd.te b/chronyd.te
index 0634548..8277ef8 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
 # Declarations
 #
 
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyc_t;
 type chronyc_exec_t;
 init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
 
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
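Review bot: chronyc_t now receives both `init_daemon_domain(chronyc_t, chronyc_exec_t)` (kept from the previous patch) and `application_domain(chronyc_t, chronyc_exec_t)`. Both macros call `domain_type()` and `domain_entry_file()` underneath, which is harmless to duplicate, but the result is a type that carries the `daemon` attribute as well as the application attributes. If init still has to run chronyc (patch 4 of this series says it was previously running in init_t), state that in the commit message so the double declaration is clearly intentional; otherwise drop `init_daemon_domain` so a short-lived client tool is not treated as a daemon.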
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
 
+locallogin_use_fds(chronyc_t)
+
 logging_send_syslog_msg(chronyc_t)
 
 sysnet_read_config(chronyc_t)
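Review bot: `locallogin_use_fds(chronyc_t)` only covers file descriptors inherited through the local console login path; a user who logs in over ssh and runs chronyc inherits the terminal descriptor from sshd instead, so this alone does not make the "access to tty" claim in the commit message complete for remote sessions. Before declaring the tty support done, test chronyc from an ssh session and check the audit log for `fd { use }` denials on that path.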
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
 
 miscfiles_read_localization(chronyc_t)
 
+userdom_use_user_ttys(chronyc_t)
+
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
 
-- 
2.14.3
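As an added illustration, not part of this patch or of the refpolicy tree, here is how a role module would take up the new run interface and how to confirm the transition after the policy is rebuilt and loaded. `sysadm_t` and `sysadm_r` are the standard refpolicy admin domain and role; the `optional_policy` wrapper is the usual way to let a role module build when the chronyd module is not present. The verification commands assume setools (`sesearch`, `seinfo`) and a chronyc binary already labelled chronyc_exec_t by the file contexts from earlier in the series.

```m4
# Added example (not from the patch): give the sysadm role the chronyc
# transition. This fragment belongs in the role's .te file (e.g. sysadm.te).
optional_policy(`
	# Running /usr/bin/chronyc from sysadm_t lands the process in chronyc_t,
	# and sysadm_r is added to chronyc_roles so the role is valid for it.
	chronyd_run_cli(sysadm_t, sysadm_r)
')

# Checks after `make load` (assumed environment: setools installed, policy
# rebuilt with both this module and the role module above):
#   ls -Z /usr/bin/chronyc
#     the file must carry chronyc_exec_t, or no transition can fire
#   sesearch -T -s sysadm_t -t chronyc_exec_t -c process
#     should list the process type_transition from sysadm_t to chronyc_t
#   seinfo -r sysadm_r -x | grep chronyc_t
#     chronyc_t should appear among the types authorised for sysadm_r
```

If `sesearch` shows the transition but `seinfo` does not list chronyc_t for the role, the `roleattribute` in `chronyd_run_cli` did not take effect, which usually means the role module was not rebuilt after the chronyd module changed.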


Thread overview: 7+ messages
2018-03-05 14:02 [refpolicy] [PATCH 0/5-v4] Updates for chronyd Dave Sugar
2018-03-05 14:02 ` [refpolicy] [PATCH 1/5-v4] Separate type for chronyd config file Dave Sugar
2018-03-05 14:02 ` [refpolicy] [PATCH 2/5-v4] Add interface to start/stop/enable/disable/status of chronyd service Dave Sugar
2018-03-05 14:03 ` [refpolicy] [PATCH 3/5-v4] Chronyd talks ntp client packets to get time from server Dave Sugar
2018-03-05 14:03 ` [refpolicy] [PATCH 4/5-v4] Policy for chronyc - it was running in init_t domain Dave Sugar
2018-03-05 14:03 ` Dave Sugar [this message]
2018-03-07 21:57 ` [refpolicy] [PATCH 0/5-v4] Updates for chronyd Chris PeBenito
