#DESC Hwclock - Hardware clock manager
#
# Author: David A. Wheeler <dwheeler@ida.org>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: util-linux
#
#################################
#
# Rules for the hwclock_t domain.
# This domain moves time information between the "hardware clock"
# (which runs when the system is off) and the "system clock",
# and it stores adjustment values in /etc/adjtime so that errors in the
# hardware clock are corrected.
# Note that any errors from this domain are NOT recorded by the system logger,
# because the system logger is not running when this domain is active.
#
# Set up the base domain for hwclock through the daemon_base_domain macro,
# which is defined outside this file.
# NOTE(review): presumably this macro is what declares hwclock_t and
# hwclock_exec_t, since both are used below without a type declaration here.
# Confirm against the macro definition and review what else it grants.
daemon_base_domain(hwclock)
# Authorize the sysadm_r role for the hwclock_t domain, so a process running
# with that role is permitted to be in hwclock_t.
role sysadm_r types hwclock_t;
# The first branch of this ifdef is empty, so the rule inside the second
# branch is only emitted when targeted_policy is NOT defined.
# NOTE(review): domain_auto_trans is defined elsewhere; going by its name it
# makes sysadm_t enter hwclock_t automatically when it executes a file labeled
# hwclock_exec_t - confirm against the macro definition.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
')
# Type for the file that holds the clock correction factors (the header of
# this file names /etc/adjtime). The mapping from path to this type is not
# part of this file. file_type and sysadmfile are attributes defined elsewhere.
type adjtime_t, file_type, sysadmfile;
# Let hwclock query the attributes of filesystems labeled fs_t. Only getattr
# is granted on the filesystem class.
allow hwclock_t fs_t:filesystem getattr;
# read_locale is a macro defined elsewhere; going by its name it grants read
# access to locale data. The same call appears a second time further down.
read_locale(hwclock_t)
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
# sys_time is the capability for setting the clocks, sys_rawio covers raw I/O
# port access and sys_tty_config covers tty configuration.
# dac_override bypasses the ordinary Unix permission checks on files, so it is
# the broadest grant in this set. It does not bypass SELinux: hwclock_t can
# still only reach object types that an allow rule in the policy permits.
# NOTE(review): the existing comment says dac_override is required but not
# why. Worth re-checking whether a narrower grant (dac_read_search, or a fix
# to the mode of the file involved) would be enough.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
# Allow hwclock to set the hardware clock.
# devfile_class_set (a set of object classes) and rw_file_perms (a set of
# permissions) are macros defined elsewhere. setattr is granted on top of
# rw_file_perms. Access is limited to objects labeled clock_device_t.
allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
# Allow hwclock to store & retrieve correction factors.
# Applies to regular files labeled adjtime_t only. rw_file_perms is defined
# elsewhere.
# NOTE(review): if rw_file_perms does not include create, this rule alone does
# not let hwclock create the file when it is missing - confirm.
allow hwclock_t adjtime_t:file { setattr rw_file_perms };
# Read and write console and ttys.
# Read and write on character devices labeled tty_device_t.
allow hwclock_t tty_device_t:chr_file rw_file_perms;
# NOTE(review): ttyfile is not declared in this file; it looks like an
# attribute covering every tty type, which would make this rule broader than
# the console alone - confirm.
allow hwclock_t ttyfile:chr_file rw_file_perms;
# NOTE(review): ptyfile is not declared in this file; it looks like an
# attribute covering every pty type, so this would give read and write on all
# pseudo terminals, including those of other sessions - confirm.
allow hwclock_t ptyfile:chr_file rw_file_perms;
# Only emitted when gnome-pty-helper.te is defined: let hwclock use file
# descriptors that belong to the sysadm_gph_t domain.
ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
# NOTE(review): second invocation of read_locale(hwclock_t). The same call
# appears earlier in this file, so this one looks redundant.
read_locale(hwclock_t)
# for when /usr is not mounted
# dontaudit grants nothing: a search of a file_t directory is still denied,
# only the audit record of the denial is suppressed. Keep this in mind when
# investigating hwclock failures, because these denials will not appear in
# the audit log.
dontaudit hwclock_t file_t:dir search;
# Let hwclock open a netlink audit socket of its own. nlmsg_relay is the
# permission for submitting userspace audit messages through that socket.
# create_netlink_socket_perms is a permission-set macro defined elsewhere.
# NOTE(review): presumably this lets hwclock record clock changes in the
# audit trail, which matters because log timestamps depend on the clock -
# confirm.
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };