From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 25 Jun 2014 12:01:31 -0400
Subject: [refpolicy] [PATCH v2] Add filetrans for ntp-kod file
In-Reply-To: <1403548861-26249-1-git-send-email-jason@perfinion.com>
References: <1403548861-26249-1-git-send-email-jason@perfinion.com>
Message-ID: <53AAF25B.1080103@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 6/23/2014 2:41 PM, Jason Zaman wrote:
> sntp has a file used to persist the history of KoD responses
> received from servers. The default is /var/db/ntp-kod.
>
> This patch adds the fcontext and a filetrans so it can be created.
>
> Changes from v1:
> * use files_var_filetrans instead of filetrans_pattern

Merged, though I removed the name portion of the filetrans. I think this makes the policy more brittle than it needs to be.

> Signed-off-by: Jason Zaman
> ---
>  ntp.fc | 1 +
>  ntp.te | 1 +
>  2 files changed, 2 insertions(+)
>
> diff --git a/ntp.fc b/ntp.fc
> index 147e480..89b9cb1 100644
> --- a/ntp.fc
> +++ b/ntp.fc
> @@ -17,6 +17,7 @@
>
>  /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
>  /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
>  /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
>  /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
> diff --git a/ntp.te b/ntp.te
> index c37385e..37d974a 100644
> --- a/ntp.te
> +++ b/ntp.te
> @@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
>
>  manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
>  manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> +files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
>
>  allow ntpd_t ntp_conf_t:file read_file_perms;
>

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
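Review bot: In the ntp.fc hunk the new `/var/db/ntp-kod` entry is appended below the `/var/lib/...` lines; refpolicy keeps fcontext entries within a block sorted by path, so it belongs above `/var/lib/ntp(/.*)?`. Reusing ntp_drift_t matches the existing `/var/lib/sntp-kod(/.*)?` entry, which is fine, but the commit message only states that `/var/db/ntp-kod` is the default and says nothing about whether `/var/lib/sntp-kod` is still a live location; one sentence naming which sntp version writes where would let a later reader decide whether the older entry can be dropped.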
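Review bot: In the ntp.te hunk the transition is granted to ntpd_t while the commit message describes sntp writing the file, so the message should state that sntp runs in ntpd_t; if it runs in some other domain the new rule never fires and the file is created with its parent directory's type. Two caveats worth recording in the message as well: files_var_filetrans only triggers when the parent directory is var_t, so /var/db must carry that type for the transition to apply at runtime (otherwise only restorecon with the ntp.fc entry will label the file), and the `"ntp-kod"` name component restricts the transition to that single filename, whereas the merged version without it, as the reply above says, makes every file ntpd_t creates directly in a var_t directory ntp_drift_t. The `file` class matches the `--` in ntp.fc, and the existing manage_files_pattern on ntp_drift_t already covers the subsequent writes.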