selinux-refpolicy.vger.kernel.org archive mirror
From: dsugar@tresys.com (Dave Sugar)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/5-v4] Separate type for chronyd config file.
Date: Mon,  5 Mar 2018 09:02:58 -0500	[thread overview]
Message-ID: <20180305140302.31341-2-dsugar@tresys.com> (raw)
In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com>

Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access.  Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.

Fixed summary for chronyd_rw_config interface from previous submission.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 chronyd.fc |  1 +
 chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
 chronyd.te |  5 +++++
 3 files changed, 44 insertions(+)

diff --git a/chronyd.fc b/chronyd.fc
index 5ee3551..3a5dad7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf			--	gen_context(system_u:object_r:chronyd_conf_t,s0)
 /etc/chrony\.keys			--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd		--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
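Review bot: The new file context line only takes effect for files that are relabeled after the policy is installed, so an existing /etc/chrony.conf stays etc_t until a restorecon (or full relabel) runs; a sentence in the commit message noting that the type change requires a relabel of the file would help packagers. The entry itself is consistent with the neighbouring chrony.keys line (same `--` regular-file match, same context layout).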
diff --git a/chronyd.if b/chronyd.if
index 3d45be4..e0a751a 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
 	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+#####################################
+## <summary>
+##	Read chronyd config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+	gen_require(`
+		type chronyd_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+##	Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+	gen_require(`
+		type chronyd_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write chronyd shared memory.
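Review bot: In the chronyd_rw_config interface, `rw_file_perms` covers opening and writing an existing chronyd_conf_t file but not create, unlink or rename, so a caller that rewrites the config by writing a temporary file and renaming it over /etc/chrony.conf (the usual atomic-update pattern for editors and config tools) would be denied, and the new file would be created as etc_t rather than chronyd_conf_t. If the process described in the commit message updates the file that way, the interface needs a filetrans into chronyd_conf_t on etc_t and manage-style permissions; if it edits in place, a note in the summary that the interface is for in-place writes only would make the limitation explicit. Style point: the two new comment separators are 37 `#` characters, while the existing blocks in this file (for example the one directly below, before "Read and write chronyd shared memory") use 40; matching the existing width keeps the file uniform.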
diff --git a/chronyd.te b/chronyd.te
index 0de7b52..09d7f83 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_read_config(chronyd_t)
+
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
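Review bot: chronyd_t is this module's own domain, so the read access added in this hunk would conventionally be written as direct rules (`files_search_etc(chronyd_t)` and `allow chronyd_t chronyd_conf_t:file read_file_perms;`) placed with the module's local rules near the top of the policy section, rather than calling the module's own chronyd_read_config interface in the middle of the cross-module calls. Functionally the hunk is needed: once chrony.conf is no longer etc_t, whatever generic etc read access chronyd_t had no longer covers it.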
-- 
2.14.3

Thread overview: 7+ messages
2018-03-05 14:02 [refpolicy] [PATCH 0/5-v4] Updates for chronyd Dave Sugar
2018-03-05 14:02 ` Dave Sugar [this message]
2018-03-05 14:02 ` [refpolicy] [PATCH 2/5-v4] Add interface to start/stop/enable/disable/status of chronyd service Dave Sugar
2018-03-05 14:03 ` [refpolicy] [PATCH 3/5-v4] Chronyd talks ntp client packets to get time from server Dave Sugar
2018-03-05 14:03 ` [refpolicy] [PATCH 4/5-v4] Policy for chronyc - it was running in init_t domain Dave Sugar
2018-03-05 14:03 ` [refpolicy] [PATCH 5/5-v4] Allow execution of chronyc from commandline Dave Sugar
2018-03-07 21:57 ` [refpolicy] [PATCH 0/5-v4] Updates for chronyd Chris PeBenito