2018-04-14 16:36:17

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] contrib: ntp interface runs both ntpd and ntpdate

The ntp_run() interface is modified so that it also allows
to run ntpdate and not just ntpd.

The comment in the ntpdate is changed to reflect the fact
that ntpdate is a client and not a server.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/ntp.if | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
--- a/policy/modules/contrib/ntp.if 2017-09-29 19:01:55.171455647 +0200
+++ b/policy/modules/contrib/ntp.if 2018-04-14 18:14:18.537666188 +0200
@@ -55,8 +55,8 @@ interface(`ntp_domtrans',`

########################################
## <summary>
-## Execute ntp in the ntp domain, and
-## allow the specified role the ntp domain.
+## Execute ntp or ntpdate in the ntp domain,
+## and allow the specified role the ntp domain.
## </summary>
## <param name="domain">
## <summary>
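
Review bot: The reworded summary ahead of ntp_run says "in the ntp domain", while the ntp_domtrans_ntpdate summary touched in the next hunk of this same patch says "in the ntpd domain". Use one name for the target domain in both summaries, so that a reader of the interface documentation can tell whether ntpd and ntpdate are meant to end up in the same domain.
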
@@ -76,12 +76,13 @@ interface(`ntp_run',`
')

ntp_domtrans($1)
+ ntp_domtrans_ntpdate($1)
roleattribute $2 ntpd_roles;
')

########################################
## <summary>
-## Execute ntpdate server in the ntpd domain.
+## Execute ntpdate client in the ntpd domain.
## </summary>
## <param name="domain">
## <summary>
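
Review bot: The added ntp_domtrans_ntpdate($1) line inside ntp_run changes what every existing caller of ntp_run is granted: a domain that only needed to start ntpd would now also be allowed the ntpdate transition. Leave ntp_run unchanged and put the ntpdate transition, together with its own roleattribute line, in a separate interface so that callers opt in to each program explicitly. The "server" to "client" wording fix in the ntp_domtrans_ntpdate summary is independent of that and can stay.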


2018-04-15 21:24:19

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] contrib: ntp interface runs both ntpd and ntpdate

On 04/14/2018 12:36 PM, Guido Trentalancia via refpolicy wrote:
> The ntp_run() interface is modified so that it also allows
> to run ntpdate and not just ntpd.
>
> The comment in the ntpdate is changed to reflect the fact
> that ntpdate is a client and not a server.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/ntp.if | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
> --- a/policy/modules/contrib/ntp.if 2017-09-29 19:01:55.171455647 +0200
> +++ b/policy/modules/contrib/ntp.if 2018-04-14 18:14:18.537666188 +0200
> @@ -55,8 +55,8 @@ interface(`ntp_domtrans',`
>
> ########################################
> ## <summary>
> -## Execute ntp in the ntp domain, and
> -## allow the specified role the ntp domain.
> +## Execute ntp or ntpdate in the ntp domain,
> +## and allow the specified role the ntp domain.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -76,12 +76,13 @@ interface(`ntp_run',`
> ')
>
> ntp_domtrans($1)
> + ntp_domtrans_ntpdate($1)
> roleattribute $2 ntpd_roles;
> ')
>

This definitely needs to be in a separate interface, ntp_run_ntpdate().


--
Chris PeBenito

2018-04-15 21:47:24

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] contrib: ntp interface runs both ntpd and ntpdate

That's fine to me, I was undecided...

Regards,

Guido

On the 15th of April 2018 23:24:19 CEST, Chris PeBenito <[email protected]> wrote:
>On 04/14/2018 12:36 PM, Guido Trentalancia via refpolicy wrote:
>> The ntp_run() interface is modified so that it also allows
>> to run ntpdate and not just ntpd.
>>
>> The comment in the ntpdate is changed to reflect the fact
>> that ntpdate is a client and not a server.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/ntp.if | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff -pru a/policy/modules/contrib/ntp.if
>b/policy/modules/contrib/ntp.if
>> --- a/policy/modules/contrib/ntp.if 2017-09-29 19:01:55.171455647
>+0200
>> +++ b/policy/modules/contrib/ntp.if 2018-04-14 18:14:18.537666188
>+0200
>> @@ -55,8 +55,8 @@ interface(`ntp_domtrans',`
>>
>> ########################################
>> ## <summary>
>> -## Execute ntp in the ntp domain, and
>> -## allow the specified role the ntp domain.
>> +## Execute ntp or ntpdate in the ntp domain,
>> +## and allow the specified role the ntp domain.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> @@ -76,12 +76,13 @@ interface(`ntp_run',`
>> ')
>>
>> ntp_domtrans($1)
>> + ntp_domtrans_ntpdate($1)
>> roleattribute $2 ntpd_roles;
>> ')
>>
>
>This definitely needs to be in a separate interface, ntp_run_ntpdate().

2018-04-16 09:39:11

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v2] contrib: ntp interface runs both ntpd and ntpdate

A new ntp_run_ntpdate() interface is added so that it is possible
to run ntpdate with a domain transition and not just ntpd.

The comment in the ntpdate is changed to reflect the fact
that ntpdate is a client and not a server.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/ntp.if | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/ntp.if 2017-09-29 19:01:55.171455647 +0200
+++ b/policy/modules/contrib/ntp.if 2018-04-16 11:31:12.058684850 +0200
@@ -81,7 +81,7 @@ interface(`ntp_run',`

########################################
## <summary>
-## Execute ntpdate server in the ntpd domain.
+## Execute ntpdate client in the ntpd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -99,6 +99,32 @@ interface(`ntp_domtrans_ntpdate',`
')

########################################
+## <summary>
+## Execute ntpdate in the ntp domain, and
+## allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run_ntpdate',`
+ gen_require(`
+ attribute_role ntpd_roles;
+ ')
+
+ ntp_domtrans_ntpdate($1)
+ roleattribute $2 ntpd_roles;
+')
+
+########################################
## <summary>
## Execute ntpd init scripts in
## the init script domain.
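
Review bot: In ntp_run_ntpdate the role is attached with roleattribute $2 ntpd_roles, the same role attribute that the first version of this patch shows ntp_run using, so at the role level a caller of the new interface is treated exactly like a caller of ntp_run and only the domain transition differs. If sharing ntpd_roles is intended, state it in the summary; if ntpdate should be grantable without the rest of what that attribute carries, it needs its own role attribute. The summary also says "the ntp domain" where the ntp_domtrans_ntpdate summary in the previous hunk says "the ntpd domain", and the two should agree.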