From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 16 Feb 2011 07:17:04 +0100
Subject: [refpolicy] [PATCH 15/34]: patch to allow the ntp module to work with dbus
Message-ID: <1297837024.3205.62.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch adds two new interfaces to the ntp module. The first interface can be used to allow dbus chat and the second interface allows connecting to dbus using a unix domain stream socket. Both interfaces are used to allow dbus chat between ntpd and dbus and to allow ntpd to connect to dbus using a unix domain stream socket.

diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:57:28.517803483 +0100 +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:07:54.389747263 +0100 @@ -160,6 +160,10 @@ optional_policy(` ') optional_policy(` + ntp_dbus_chat(system_dbusd_t) +') + +optional_policy(` policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/ntp.if refpolicy-git-02022011-test-apply2/policy/modules/services/ntp.if --- refpolicy-git-02022011-test-apply/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100 +++ refpolicy-git-02022011-test-apply2/policy/modules/services/ntp.if 2011-02-07 02:05:17.879861318 +0100 
@@ -163,3 +163,43 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) ') + +######################################## +## +## Send and receive messages from +## ntpd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_chat',` + gen_require(` + type ntpd_t; + class dbus send_msg; + ') + + allow $1 ntpd_t:dbus send_msg; + allow ntpd_t $1:dbus send_msg; +') + +######################################## +## +## Connect to dbus using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_stream_connect',` + gen_require(` + type system_dbusd_t, system_dbusd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) +') diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/ntp.te refpolicy-git-02022011-test-apply2/policy/modules/services/ntp.te --- refpolicy-git-02022011-test-apply/policy/modules/services/ntp.te 2011-02-07 02:03:04.389680812 +0100 +++ refpolicy-git-02022011-test-apply2/policy/modules/services/ntp.te 2011-02-07 02:06:54.181383927 +0100 @@ -152,6 +152,10 @@ optional_policy(` ') optional_policy(` + ntp_dbus_stream_connect(ntpd_t) +') + +optional_policy(` seutil_sigchld_newrole(ntpd_t) ')
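Review bot: the dbus.te hunk (`+ ntp_dbus_chat(system_dbusd_t)`) grants bidirectional dbus send_msg between system_dbusd_t and ntpd_t, but neither the hunk nor the patch description says what ntpd does on the system bus, i.e. which service it exposes or which bus interface it calls. Please add that rationale to the description, ideally with the AVC denials that motivated the change, so the reviewer can judge whether full two-way chat with the bus daemon is the minimum needed. The placement of the new optional_policy block, in alphabetical order before the policykit block, follows the file's convention and is fine.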
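Review bot: in the ntp.if hunk, `ntp_dbus_stream_connect` belongs in the wrong module and duplicates an existing interface. Its gen_require pulls in `type system_dbusd_t, system_dbusd_var_run_t;`, which are owned by the dbus module, and refpolicy keeps an interface in the module that owns the types it requires; the dbus module already provides dbus_system_bus_client(), which does the stream_connect_pattern to the system bus socket and also grants the dbus send_msg permissions to and from system_dbusd_t. Drop `ntp_dbus_stream_connect` entirely and have ntp.te call dbus_system_bus_client(ntpd_t) instead. `ntp_dbus_chat` itself is conventional (it mirrors the other *_dbus_chat interfaces that dbus.te calls) and can stay. Separately, the doc comments for both interfaces as quoted here show bare `##` lines where the `<summary>` and `<param name="domain">` tags should surround the text; if that is not just an artifact of the mail, the XML doc blocks need to be completed or the interface documentation will not build.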
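Review bot: in the ntp.te hunk, wrapping `+ ntp_dbus_stream_connect(ntpd_t)` in optional_policy does not express the real dependency: the interface is defined in the ntp module itself, so it is always available when ntp.te is built, while the types it actually needs (system_dbusd_t, system_dbusd_var_run_t) come from the dbus module, which is what the optional_policy block is meant to guard. The usual form, and the one that also fixes the interface-placement problem, is an optional_policy block calling dbus_system_bus_client(ntpd_t), which is how other client domains in refpolicy obtain access to the system bus.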