diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 682a419..6225edb 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -46,6 +46,7 @@ calamaris cipe clamav (Erich Schubert) + clockspeed (Petre Rodan) courier dante dcc diff --git a/refpolicy/policy/modules/services/clockspeed.fc b/refpolicy/policy/modules/services/clockspeed.fc new file mode 100644 index 0000000..a7aa385 --- /dev/null +++ b/refpolicy/policy/modules/services/clockspeed.fc @@ -0,0 +1,14 @@ + +# +# /usr +# +/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) +/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) + +# +# /var +# +/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0) diff --git a/refpolicy/policy/modules/services/clockspeed.if b/refpolicy/policy/modules/services/clockspeed.if new file mode 100644 index 0000000..9d4c892 --- /dev/null +++ b/refpolicy/policy/modules/services/clockspeed.if @@ -0,0 +1,53 @@ +## Clockspeed simple network time protocol client + +######################################## +## +## Execute clockspeed utilities in the clockspeed_cli domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`clockspeed_domtrans_cli',` + gen_require(` + type clockspeed_cli_t, clockspeed_cli_exec_t; + ') + + domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t) + allow clockspeed_cli_t $1:fd use; + allow clockspeed_cli_t $1:fifo_file { read write }; + allow clockspeed_cli_t $1:process sigchld; +') + +######################################## +## +## Allow the specified role the clockspeed_cli domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the clockspeed_cli domain. +## +## +## +## +## The type of the terminal allow the clockspeed_cli domain to use. +## +## +# +template(`clockspeed_run_cli',` + gen_require(` + type clockspeed_cli_t; + ') + + role $2 types clockspeed_cli_t; + clockspeed_domtrans_cli($1) + allow clockspeed_cli_t $3:chr_file { getattr read write ioctl }; + +') diff --git a/refpolicy/policy/modules/services/clockspeed.te b/refpolicy/policy/modules/services/clockspeed.te new file mode 100644 index 0000000..b06c5ea --- /dev/null +++ b/refpolicy/policy/modules/services/clockspeed.te @@ -0,0 +1,75 @@ + +policy_module(clockspeed,1.0.0) + +######################################## +# +# Declarations +# + +type clockspeed_cli_t; +type clockspeed_cli_exec_t; +domain_type(clockspeed_cli_t) +domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t) + +type clockspeed_srv_t; +type clockspeed_srv_exec_t; +init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) + +type clockspeed_var_lib_t; +files_type(clockspeed_var_lib_t) + +######################################## +# +# Client local policy +# + +allow clockspeed_cli_t self:capability sys_time; +allow clockspeed_cli_t self:udp_socket create_socket_perms; +allow clockspeed_cli_t clockspeed_var_lib_t:dir search; +allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read }; + +corenet_non_ipsec_sendrecv(clockspeed_cli_t) +corenet_udp_sendrecv_generic_if(clockspeed_cli_t) +corenet_udp_sendrecv_generic_node(clockspeed_cli_t) +corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) + +files_list_var_lib(clockspeed_cli_t) +files_read_etc_files(clockspeed_cli_t) + +libs_use_ld_so(clockspeed_cli_t) +libs_use_shared_libs(clockspeed_cli_t) + +miscfiles_read_localization(clockspeed_cli_t) + +######################################## +# +# Server local policy +# + +allow clockspeed_srv_t self:capability { sys_time net_bind_service }; +allow clockspeed_srv_t self:udp_socket create_socket_perms; +allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; +allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; + +allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms; +allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms; +allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms; + +corenet_non_ipsec_sendrecv(clockspeed_srv_t) +corenet_udp_sendrecv_generic_if(clockspeed_srv_t) +corenet_udp_sendrecv_generic_node(clockspeed_srv_t) +corenet_udp_sendrecv_ntp_port(clockspeed_srv_t) +corenet_udp_bind_inaddr_any_node(clockspeed_srv_t) +corenet_udp_bind_clockspeed_port(clockspeed_srv_t) + +files_read_etc_files(clockspeed_srv_t) +files_list_var_lib(clockspeed_srv_t) + +libs_use_ld_so(clockspeed_srv_t) +libs_use_shared_libs(clockspeed_srv_t) + +miscfiles_read_localization(clockspeed_srv_t) + +optional_policy(` + daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t) +') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 6d9e126..1829821 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -232,6 +232,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal) + ') + + optional_policy(` certwatach_run(sysadm_t,sysadm_r,admin_terminal) ')