From: dsugar@tresys.com (David Sugar)
Date: Fri, 16 Feb 2018 18:22:43 +0000
Subject: [refpolicy] [PATCH 2/5] Add interface to start/stop/enable/disable/status of chronyd service
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service

Signed-off-by: Dave Sugar
---
 chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 6fabfa9..45863dc 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
 read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
+########################################
+##
+## Allow specified domain to enable and disable chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+##
+## Allow specified domain to start chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+##
+## Allow specified domain to get status of chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
 ####################################
 ##
 ## All of the rules required to
-- 
2.14.3
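Review bot: The summary for `chronyd_startstop` reads "Allow specified domain to start chronyd unit", but the rule it documents is `allow $1 chronyd_unit_t:service { start stop };`, so the interface documentation understates what a caller is granted. Stopping the time daemon is the more sensitive half of that pair, since an unsynchronised clock affects Kerberos, certificate validity checks and log timestamps. The summary line should read `## Allow specified domain to start and stop chronyd unit`. Because start/stop and enable/disable are each granted only as a pair, a domain that needs one permission receives the other as well. If that bundling is intentional, it is worth stating in the summaries so policy reviewers can see it without reading the `allow` rule.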