2014-06-23 18:41:01

by Jason Zaman

Subject: [refpolicy] [PATCH v2] Add filetrans for ntp-kod file

sntp has a file used to persist the history of KoD responses
received from servers. The default is /var/db/ntp-kod.

This patch adds the fcontext and a filetrans so it can be created.

Changes from v1:
* use files_var_filetrans instead of filetrans_pattern

Signed-off-by: Jason Zaman <[email protected]>
---
ntp.fc | 1 +
ntp.te | 1 +
2 files changed, 2 insertions(+)

diff --git a/ntp.fc b/ntp.fc
index 147e480..89b9cb1 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -17,6 +17,7 @@

/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)

/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
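Review bot: the new /var/db/ntp-kod entry reuses ntp_drift_t, the same type already given to /var/lib/sntp-kod(/.*)? two lines above, so the KoD history shares every permission ntpd_t holds on the drift file instead of getting a type of its own; that is consistent with the existing sntp-kod entry, but the commit message should say that ntp_drift_t now covers both the drift file and the KoD history, since that is what the label choice means. The `--` qualifier correctly limits the match to a regular file, which agrees with the `file` class used in the ntp.te rule.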
diff --git a/ntp.te b/ntp.te
index c37385e..37d974a 100644
--- a/ntp.te
+++ b/ntp.te
@@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };

manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")

allow ntpd_t ntp_conf_t:file read_file_perms;
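Review bot: the name-based transition `files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")` only fires for a regular file literally named ntp-kod created directly in a var_t directory (the directory type the interface targets), so if the KoD path is changed from the /var/db/ntp-kod default the commit message mentions, the file is created with the parent directory's type and ntpd_t, which in this file only has `manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)`, cannot write it. Either document that the path is fixed under this policy, or drop the name argument so every file ntpd_t creates in a var_t directory becomes ntp_drift_t; the second is less brittle but broader, and the trade-off deserves a sentence in the commit message.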

--
1.8.5.5


2014-06-25 16:01:31

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] Add filetrans for ntp-kod file

On 6/23/2014 2:41 PM, Jason Zaman wrote:
> sntp has a file used to persist the history of KoD responses
> received from servers. The default is /var/db/ntp-kod.
>
> This patch adds the fcontext and a filetrans so it can be created.
>
> Changes from v1:
> * use files_var_filetrans instead of filetrans_pattern

Merged, though I removed the name portion of the filetrans. I think
this makes the policy more brittle than it needs to be.


> Signed-off-by: Jason Zaman <[email protected]>
> ---
> ntp.fc | 1 +
> ntp.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/ntp.fc b/ntp.fc
> index 147e480..89b9cb1 100644
> --- a/ntp.fc
> +++ b/ntp.fc
> @@ -17,6 +17,7 @@
>
> /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
> /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
> /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
> diff --git a/ntp.te b/ntp.te
> index c37385e..37d974a 100644
> --- a/ntp.te
> +++ b/ntp.te
> @@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
>
> manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> +files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
>
> allow ntpd_t ntp_conf_t:file read_file_perms;
>
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
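To make the choice discussed in this thread concrete, here is an added illustration that is not code from the patch or from refpolicy: the named transition as submitted in v2 beside the unnamed one the maintainer merged, written out as the kernel-level rules the interface roughly expands to. The expansion is an assumption based on the interface name (files_var_filetrans targets var_t directories); the exact allow rules the macro emits may differ.

```selinux
# Named filetrans, as submitted in v2. Only a regular file that ntpd_t creates
# directly in a var_t directory AND that is named exactly "ntp-kod" becomes
# ntp_drift_t; any other file ntpd_t creates there keeps the parent's type.
# Approximate expansion of:
#   files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
allow ntpd_t var_t:dir rw_dir_perms;
allow ntpd_t ntp_drift_t:file create;
type_transition ntpd_t var_t:file ntp_drift_t "ntp-kod";

# Unnamed filetrans, as merged. Every regular file ntpd_t creates directly in a
# var_t directory becomes ntp_drift_t, whatever it is called. This survives a
# renamed KoD file but gives ntp_drift_t to anything else ntpd_t creates there.
# Approximate expansion of:
#   files_var_filetrans(ntpd_t, ntp_drift_t, file)
allow ntpd_t var_t:dir rw_dir_perms;
allow ntpd_t ntp_drift_t:file create;
type_transition ntpd_t var_t:file ntp_drift_t;
```

Either form sits in ntp.te next to the manage_files_pattern line shown in the hunk. On a labelled system the effect can be checked after sntp has written its history with `ls -Z /var/db/ntp-kod`: under the named rule a differently named file would show var_t, under the unnamed rule it would show ntp_drift_t.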