From: dominick.grift@gmail.com (Dominick Grift) Date: Mon, 13 Aug 2012 13:00:51 +0200 Subject: [refpolicy] [PATCH] NTP fixes In-Reply-To: <1344620638-23574-1-git-send-email-dominick.grift@gmail.com> References: <1344620638-23574-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1344855651.11236.3.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Ignore this one. It has a bug. I am having issues testing my patches without Eclipse-Slide. I got used to slide and i miss using it. On Fri, 2012-08-10 at 19:43 +0200, Dominick Grift wrote: > Use ntp_conf_t instead of net_conf_t > Permission getattr on process is not needed > Use "Role allowed access" in ntp_admin() XML > Allow ntp_admin to manage ntp drift files > Use setattr_dir_perms for compatibility > > Signed-off-by: Dominick Grift > diff --git a/ntp.fc b/ntp.fc > index e79dccc..05fa48d 100644 > --- a/ntp.fc > +++ b/ntp.fc > @@ -2,11 +2,11 @@ > /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) > /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) > > -/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) > +/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) > /etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) > /etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > /etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) > -/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0) > +/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) > > /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) > > diff --git a/ntp.if b/ntp.if > index e80f8c0..16e8a93 100644 > --- a/ntp.if > +++ b/ntp.if > @@ -132,7 +132,7 @@ > ## > ## > ## > -## The role to be allowed to manage the ntp domain. > +## Role allowed access. > ## > ## > ## > @@ -140,11 +140,11 @@ > interface(`ntp_admin',` > gen_require(` > type ntpd_t, ntpd_tmp_t, ntpd_log_t; > - type ntpd_key_t, ntpd_var_run_t; > - type ntpd_initrc_exec_t; > + type ntpd_key_t, ntpd_var_run_t, ntp_drift_t; > + type ntpd_initrc_exec_t, ntp_conf_t; > ') > > - allow $1 ntpd_t:process { ptrace signal_perms getattr }; > + allow $1 ntpd_t:process { ptrace signal_perms }; > ps_process_pattern($1, ntpd_t) > > init_labeled_script_domtrans($1, ntpd_initrc_exec_t) > @@ -152,7 +152,8 @@ > role_transition $2 ntpd_initrc_exec_t system_r; > allow $2 system_r; > > - admin_pattern($1, ntpd_key_t) > + files_list_etc($1) > + admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) > > logging_list_logs($1) > admin_pattern($1, ntpd_log_t) > diff --git a/ntp.te b/ntp.te > index c61adc8..2f50998 100644 > --- a/ntp.te > +++ b/ntp.te > @@ -15,6 +15,9 @@ > type ntpd_initrc_exec_t; > init_script_file(ntpd_initrc_exec_t) > > +type ntp_conf_t > +files_config_file(ntp_conf_t) > + > type ntpd_key_t; > files_type(ntpd_key_t) > > @@ -54,10 +57,12 @@ > > can_exec(ntpd_t, ntpd_exec_t) > > +allow ntpd_t ntp_conf_t:file read_file_perms; > + > read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) > read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) > > -allow ntpd_t ntpd_log_t:dir setattr; > +allow ntpd_t ntpd_log_t:dir setattr_dir_perms; > manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) > logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) >