From: dsugar@tresys.com (David Sugar)
Date: Fri, 16 Feb 2018 19:08:34 +0000
Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc domain.

Signed-off-by: Dave Sugar
---
 chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 chronyd.te | 4 ++++
 2 files changed, 50 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 02a1d81..4f302e8 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
 domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+#####################################
+##
+## Execute chronyc in the chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyc_domtrans',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 ########################################
 ##
 ## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
 can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+##
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`chronyc_run',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyc_domtrans($1)
+ roleattribute $2 chronyc_roles;
+')
+
 #####################################
 ##
 ## Read chronyd log files.
diff --git a/chronyd.te b/chronyd.te
index a6e814d..0bdd4ef 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
 # Declarations
 #
 
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
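Review bot: The new interface is named `chronyc_domtrans` although it is declared in the chronyd module, whose existing interfaces (`chronyd_domtrans`, `chronyd_exec`, visible in the hunk headers) all carry the module prefix; refpolicy convention is to prefix every interface with the providing module's name so callers and the interface index can find it. I would rename it `interface(\`chronyd_domtrans_chronyc',\``, with the summary reading `##	Execute chronyc in the chronyc domain.` unchanged, and likewise `chronyc_run` to `chronyd_run_chronyc` in the next hunk (updating the `chronyc_domtrans($1)` call there). Nothing visible in this patch calls the old names, so no compatibility alias seems needed.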
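Review bot: `chronyc_run` makes `$2` a member of `chronyc_roles`, which is the right role pattern, but its summary presents the domain as a harmless command-line tool and says nothing about what the role gains. Outside this patch, chronyc is chrony's control client and can reconfigure a running chronyd, so handing `chronyc_t` to a role is a grant of control over the system clock, not merely a query capability; I would add a line to the summary such as `##	chronyc can steer a running chronyd; intended for admin roles.` and expect the caller to be an administrative role interface (presumably sysadm) rather than an unprivileged user role. Only the summary text changes; the `roleattribute $2 chronyc_roles;` line is fine.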
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyc_t;
 type chronyc_exec_t;
 init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
 
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
-- 
2.14.3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20180216/03b1ac0d/attachment.html
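Review bot: `chronyc_t` is now declared both with `init_daemon_domain(chronyc_t, chronyc_exec_t)` (the context line kept from the previous patch) and with the added `application_domain(chronyc_t, chronyc_exec_t)`, which gives the same domain both an init-launched daemon entry and an interactive application entry. That double declaration is unusual in refpolicy and the commit message does not say why init needs to exec chronyc at all; presumably a unit such as chrony-wait runs it, but if the only intended user is the command line via the new run interface, the narrower `application_domain` alone is the least-privilege choice and `init_daemon_domain` should be dropped. If both really are needed, a one-line comment above them, e.g. `# chronyc is both started by init (wait-for-sync) and run interactively`, would stop the next reader from removing one.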