From: dsugar@tresys.com (Dave Sugar)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/5-v4] Separate type for chronyd config file.
Date: Mon, 5 Mar 2018 09:02:58 -0500 [thread overview]
Message-ID: <20180305140302.31341-2-dsugar@tresys.com> (raw)
In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com>
Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.
Fixed summary for chronyd_rw_config interface from previous submission.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
chronyd.fc | 1 +
chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
chronyd.te | 5 +++++
3 files changed, 44 insertions(+)
diff --git a/chronyd.fc b/chronyd.fc
index 5ee3551..3a5dad7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
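Review bot: the new `/etc/chrony\.conf --` entry only labels a regular file at that exact path, so any writer that replaces the file by writing a temporary copy next to it and renaming it into place will end up with a file carrying the /etc default label (etc_t) rather than chronyd_conf_t, and the new read interface will then fail for chronyd_t until a restorecon runs. If the process that alters chrony.conf works that way, the patch should either add a file transition in /etc for that domain or state in the commit message that in-place editing is assumed.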
diff --git a/chronyd.if b/chronyd.if
index 3d45be4..e0a751a 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Read and write chronyd shared memory.
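Review bot: the comment-box headers on the two new interfaces (`+#####################################`) are shorter than the existing one directly below them (`########################################`); please pad them to the same width so the file stays consistent with the rest of refpolicy. Also note that `rw_file_perms` in `chronyd_rw_config` covers open/read/write/lock on the existing file but not create, unlink or rename, so a caller that rewrites chrony.conf by replacing it will still be denied; if that is the intended use case a manage-style interface would be needed, otherwise the summary "Read and write chronyd config file." is accurate as is.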
diff --git a/chronyd.te b/chronyd.te
index 0de7b52..09d7f83 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+chronyd_read_config(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
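Review bot: `chronyd_read_config(chronyd_t)` calls the module's own interface from inside chronyd.te; refpolicy style is to write the rule for a module's own types directly (`allow chronyd_t chronyd_conf_t:file read_file_perms;`) and reserve the interfaces for other modules. The addition itself is required, since with `files_config_file(chronyd_conf_t)` the file no longer carries etc_t and the generic etc read rules chronyd_t relied on would not cover it.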
--
2.14.3