sntp has a file used to persist the history of KoD responses
received from servers. The default is /var/db/ntp-kod.
This patch adds the fcontext and a filetrans so it can be created.
Changes from v1:
* use files_var_filetrans instead of filetrans_pattern
Signed-off-by: Jason Zaman <[email protected]>
---
ntp.fc | 1 +
ntp.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/ntp.fc b/ntp.fc
index 147e480..89b9cb1 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -17,6 +17,7 @@
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.te b/ntp.te
index c37385e..37d974a 100644
--- a/ntp.te
+++ b/ntp.te
@@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
allow ntpd_t ntp_conf_t:file read_file_perms;
--
1.8.5.5
On 6/23/2014 2:41 PM, Jason Zaman wrote:
> sntp has a file used to persist the history of KoD responses
> received from servers. The default is /var/db/ntp-kod.
>
> This patch adds the fcontext and a filetrans so it can be created.
>
> Changes from v1:
> * use files_var_filetrans instead of filetrans_pattern
Merged, though I removed the name portion of the filetrans. I think
this makes the policy more brittle than it needs to be.
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> ntp.fc | 1 +
> ntp.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/ntp.fc b/ntp.fc
> index 147e480..89b9cb1 100644
> --- a/ntp.fc
> +++ b/ntp.fc
> @@ -17,6 +17,7 @@
>
> /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
> /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
> /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
> diff --git a/ntp.te b/ntp.te
> index c37385e..37d974a 100644
> --- a/ntp.te
> +++ b/ntp.te
> @@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
>
> manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> +files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
>
> allow ntpd_t ntp_conf_t:file read_file_perms;
>
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com