From 8786916e8d817282c72799dca74cdbc98605a07e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sep 11 2008 14:54:40 +0000
Subject: trunk: ntp and setrans update from dan.
---
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 6719480..1a6eec2 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -1,11 +1,14 @@
-/etc/ntp(d)?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-
 /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
 /etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 1b51801..f6a6ba1 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.6.1)
+policy_module(ntp, 1.6.2)
 ########################################
 #
@@ -13,9 +13,15 @@ type ntpd_t;
 type ntpd_exec_t;
 init_daemon_domain(ntpd_t, ntpd_exec_t)
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
+type ntpd_script_exec_t;
+init_script_file(ntpd_script_exec_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
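Review bot: The new `/etc/ntp/keys --` entry in the ntp.fc hunk labels only a regular file at that exact path, whereas `/etc/ntp/crypto(/.*)?` labels a whole tree; a key file that an administrator points ntpd at from a different location (ntp.conf's `keys` directive) would presumably keep the label of its parent directory rather than ntpd_key_t, and the read rule the .te hunk adds for ntpd_key_t would then not apply to it. A short comment next to the entry stating that key files must live under /etc/ntp to receive ntpd_key_t would save the next person an AVC hunt. Because these are file_contexts changes, existing installs also need /etc/ntp relabeled before the new type takes effect, which is worth a line in the commit description.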
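Review bot: `type ntpd_key_t;` in the ntp.te declarations hunk is declared with only `files_type(ntpd_key_t)`, which places the key material in the generic file attributes that the broad read-all-files style interfaces cover, so any domain holding one of those can read the NTP authentication keys. If this tree provides `files_security_file()`, declaring the type through it instead would keep the keys out of the non-security read interfaces, which is the appropriate class for what `/etc/ntp/keys` and `/etc/ntp/crypto` hold. The declaration also lacks the why-comment a new sensitive type deserves; `# NTP authentication key material (/etc/ntp/keys, /etc/ntp/crypto); readable by ntpd_t only` above the `type` line would state the intended scope.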
@@ -34,7 +40,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # ntpdate wants sys_nice
 allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
@@ -45,6 +51,8 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 can_exec(ntpd_t,ntpd_exec_t)
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
 logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
@@ -83,6 +91,8 @@ dev_read_urand(ntpd_t)
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+term_use_ptmx(ntpd_t)
+
 auth_use_nsswitch(ntpd_t)
 corecmd_exec_bin(ntpd_t)
@@ -108,6 +118,7 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 sysadm_list_home_dirs(ntpd_t)
+sysadm_dontaudit_list_home_dirs(ntpd_t)
 optional_policy(`
 # for cron jobs
@@ -121,6 +132,10 @@ optional_policy(`
 ')
 optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
 logrotate_exec(ntpd_t)
 ')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index d79f9fe..ea4aa26 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
-policy_module(setrans,1.4.0)
+policy_module(setrans, 1.4.1)
 ########################################
 #
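Review bot: `read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)` in the `@@ -45,6 +51,8 @@` hunk grants search on ntpd_key_t directories and read on the files, which covers `/etc/ntp/keys` but may be incomplete for `/etc/ntp/crypto`, which ntp.fc labels as a directory tree of the same type: if ntpd enumerates that directory it would also need `list_dirs_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)`, and a symlinked key file would need `read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)`. Whether ntpd does either is not visible from the hunk, so confirm against the denials this change was written for rather than adding them speculatively. Granting read only on the key type is the right direction; nothing in the module should need write on it.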
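Review bot: `term_use_ptmx(ntpd_t)` in the `@@ -83,6 +91,8 @@` hunk gives the time daemon read/write on the pty multiplexer, which is more than a daemon that does not allocate terminals should hold; if the underlying open is incidental and only produces audit noise, `term_dontaudit_use_ptmx(ntpd_t)` (where the tree provides it) silences the denial without granting the access. The commit message does not say which case applies, so the line should carry a why-comment recording the reason, e.g. `# ntpd touches /dev/ptmx at startup; reason TODO confirm, consider dontaudit`.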
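Review bot: `sysadm_dontaudit_list_home_dirs(ntpd_t)` in the `@@ -108,6 +118,7 @@` hunk is added directly after the unconditional `sysadm_list_home_dirs(ntpd_t)` kept as context, so the new line has no effect: a dontaudit only applies to accesses that would be denied, and the allow already grants the listing. Either the intent was to stop granting the access, in which case the allow should be replaced, i.e. drop `sysadm_list_home_dirs(ntpd_t)` and keep `sysadm_dontaudit_list_home_dirs(ntpd_t)`, or the new line should be removed. Listing administrator home directories is more than a time daemon needs, so the replacement reading is the safer one, but it should be checked against why the allow was originally introduced.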
@@ -28,7 +28,7 @@ ifdef(`enable_mls',`
 #
 allow setrans_t self:capability sys_resource;
-allow setrans_t self:process { setrlimit setcap signal_perms };
+allow setrans_t self:process { setrlimit getcap setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;