2018-11-17 04:23:52

by Sugar, David

Subject: [PATCH 1/2] Add interfaces to control ntpd_unit_t systemd services

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/ntp.if | 63 ++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 00c7620b..f1a90c55 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -177,6 +177,69 @@ interface(`ntp_rw_shm',`
fs_search_tmpfs($1)
')

+########################################
+## <summary>
+## Allow specified domain to enable/disable ntpd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_enabledisable',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type ntpd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 ntpd_unit_t:service { enable disable };
+ ')
+')
+
+########################################
+## <summary>
+## Allow specified domain to start/stop ntpd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_startstop',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type ntpd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 ntpd_unit_t:service { start stop };
+ ')
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of ntpd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_status',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type ntpd_unit_t;
+ class service status;
+ ')
+
+ allow $1 ntpd_unit_t:service status;
+ ')
+')
+
########################################
## <summary>
## All of the rules required to
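Review bot: each of the three new interfaces grants a pair of permissions as a unit (`allow $1 ntpd_unit_t:service { enable disable };` and `allow $1 ntpd_unit_t:service { start stop };`), so a domain that only needs to start ntpd, or only enable it at boot, is also handed the inverse operation; for least privilege consider splitting these into separate enable/disable and start/stop interfaces, or at minimum state in each summary that both directions are granted. Note also that the rules only cover the `service` class check on the unit's label; nothing here gives the caller the access it needs to reach the init daemon itself, so callers will still need to pair these with the appropriate init interfaces. The `ifdef(`init_systemd',...)` guard on all three is correct for ntp.if, since the `service` class rules have no meaning under sysvinit.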
--
2.19.1



2018-11-17 04:23:51

by Sugar, David

Subject: [PATCH 2/2] interface to enable/disable systemd_networkd service

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9247924b..74f0b215 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -467,6 +467,25 @@ interface(`systemd_manage_networkd_units',`
manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

+########################################
+## <summary>
+## Allow specified domain to enable systemd-networkd units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_enabledisable_networkd',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 systemd_networkd_unit_t:service { enable disable };
+')
+
########################################
## <summary>
## Allow specified domain to start systemd-networkd units
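Review bot: the summary for the new interface says "Allow specified domain to enable systemd-networkd units" but the rule grants `{ enable disable }`, so the documentation understates the access; change it to "enable/disable systemd-networkd units" to match the rule and the wording used for the ntp interfaces. For naming consistency with the neighbouring `systemd_manage_networkd_units`, `systemd_enabledisable_networkd_units` would fit better than `systemd_enabledisable_networkd`. Unlike the ntp.if interfaces this one carries no `ifdef(`init_systemd')` guard, which is fine inside systemd.if.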
--
2.19.1


2018-11-18 00:03:08

by Chris PeBenito

Subject: Re: [PATCH 1/2] Add interfaces to control ntpd_unit_t systemd services

On 11/16/18 11:23 PM, David Sugar wrote:
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/ntp.if | 63 ++++++++++++++++++++++++++++++++++
> 1 file changed, 63 insertions(+)
>
> diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
> index 00c7620b..f1a90c55 100644
> --- a/policy/modules/services/ntp.if
> +++ b/policy/modules/services/ntp.if
> @@ -177,6 +177,69 @@ interface(`ntp_rw_shm',`
> fs_search_tmpfs($1)
> ')
>
> +########################################
> +## <summary>
> +## Allow specified domain to enable/disable ntpd unit
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_enabledisable',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + type ntpd_unit_t;
> + class service { enable disable };
> + ')
> +
> + allow $1 ntpd_unit_t:service { enable disable };
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to start/stop ntpd unit
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_startstop',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + type ntpd_unit_t;
> + class service { start stop };
> + ')
> +
> + allow $1 ntpd_unit_t:service { start stop };
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to get status of ntpd unit
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_status',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + type ntpd_unit_t;
> + class service status;
> + ')
> +
> + allow $1 ntpd_unit_t:service status;
> + ')
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to

Merged.

--
Chris PeBenito

2018-11-18 00:03:09

by Chris PeBenito

Subject: Re: [PATCH 2/2] interface to enable/disable systemd_networkd service

On 11/16/18 11:23 PM, David Sugar wrote:
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 9247924b..74f0b215 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -467,6 +467,25 @@ interface(`systemd_manage_networkd_units',`
> manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
> ')
>
> +########################################
> +## <summary>
> +## Allow specified domain to enable systemd-networkd units
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_enabledisable_networkd',`
> + gen_require(`
> + type systemd_networkd_unit_t;
> + class service { enable disable };
> + ')
> +
> + allow $1 systemd_networkd_unit_t:service { enable disable };
> +')
> +
> ########################################
> ## <summary>
> ## Allow specified domain to start systemd-networkd units

Merged.

--
Chris PeBenito