From: David Sugar
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 1/2] Add interfaces to control ntpd_unit_t systemd services
Date: Sat, 17 Nov 2018 04:23:43 +0000
Message-ID: <20181117042305.23949-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Dave Sugar
--- policy/modules/services/ntp.if | 63 ++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.i= f index 00c7620b..f1a90c55 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -177,6 +177,69 @@ interface(`ntp_rw_shm',` fs_search_tmpfs($1) ') =20 +######################################## +## +## Allow specified domain to enable/disable ntpd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_enabledisable',` + ifdef(`init_systemd',` + gen_require(` + type ntpd_unit_t; + class service { enable disable }; + ') + + allow $1 ntpd_unit_t:service { enable disable }; + ') +') + +######################################## +## +## Allow specified domain to start/stop ntpd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_startstop',` + ifdef(`init_systemd',` + gen_require(` + type ntpd_unit_t; + class service { start stop }; + ') + + allow $1 ntpd_unit_t:service { start stop }; + ') +') + +######################################## +## +## Allow specified domain to get status of ntpd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_status',` + ifdef(`init_systemd',` + gen_require(` + type ntpd_unit_t; + class service status; + ') + + allow $1 ntpd_unit_t:service status; + ') +') + ######################################## ## ## All of the rules required to --=20 2.19.1
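Review bot: the three interfaces added in this hunk (ntp_enabledisable, ntp_startstop, ntp_status) each wrap their whole body in ifdef(`init_systemd',` ... '), so on a policy built without init_systemd a call expands to nothing, and none of the summaries says so; add "when systemd is in use" or similar to each summary so callers know the grant is conditional. Each interface also grants a disjoint permission set on ntpd_unit_t:service ({ enable disable }, { start stop }, status), so a domain that has to start the unit and then query it must call both ntp_startstop and ntp_status; a line in the interface description saying that would save callers a round of denials. The message carries only a Signed-off-by; a sentence naming the domain these interfaces are intended for would let reviewers judge whether this split is the right granularity.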