From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 18 Feb 2018 11:14:15 -0500
Subject: [refpolicy] [PATCH 5/5] domtrans interface for chronyc
In-Reply-To: <MWHPR15MB185362521AA0182EEA93E466B9CB0@MWHPR15MB1853.namprd15.prod.outlook.com>
References: <MWHPR15MB185362521AA0182EEA93E466B9CB0@MWHPR15MB1853.namprd15.prod.outlook.com>
Message-ID: <86b7e0be-6481-bf9b-fad0-8915cdd929f7@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/2018 02:08 PM, David Sugar via refpolicy wrote:
> With the previous patch moving chronyc into a separate domain this adds 
> interfaces to execute chronyc from the command line and have it run in 
> the chronyc domain.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  ?chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>  ?chronyd.te |? 4 ++++
>  ?2 files changed, 50 insertions(+)
> 
> diff --git a/chronyd.if b/chronyd.if
> index 02a1d81..4f302e8 100644
> --- a/chronyd.if
> +++ b/chronyd.if
> @@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
>  ???????? domtrans_pattern($1, chronyd_exec_t, chronyd_t)
>  ?')
> 
> +#####################################
> +## <summary>
> +##???? Execute chronyc in the chronyc domain.
> +## </summary>
> +## <param name="domain">
> +##???? <summary>
> +##???? Domain allowed to transition.
> +##???? </summary>
> +## </param>
> +#
> +interface(`chronyc_domtrans',`
> +?????? gen_require(`
> +?????????????? type chronyc_t, chronyc_exec_t;
> +?????? ')
> +
> +?????? corecmd_search_bin($1)
> +?????? domtrans_pattern($1, chronyc_exec_t, chronyc_t)
> +')
> +
>  ?########################################
>  ?## <summary>
>  ?##????? Execute chronyd server in the
> @@ -57,6 +76,33 @@ interface(`chronyd_exec',`
>  ???????? can_exec($1, chronyd_exec_t)
>  ?')
> 
> +########################################
> +## <summary>
> +##???? Execute chronyc in the chronyc domain,
> +##???? and allow the specified roles the
> +##???? chronyc domain.
> +## </summary>
> +## <param name="domain">
> +##???? <summary>
> +##???? Domain allowed to transition.
> +##???? </summary>
> +## </param>
> +## <param name="role">
> +##???? <summary>
> +##???? Role allowed access.
> +##???? </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`chronyc_run',`
> +?????? gen_require(`
> +?????????????? attribute_role chronyc_roles;
> +?????? ')
> +
> +?????? chronyc_domtrans($1)
> +?????? roleattribute $2 chronyc_roles;
> +')
> +

These would have to be similar to the dgram_send interface in the other 
patch.  chronyd_run_cli, chronyd_run_client, or something similar.


-- 
Chris PeBenito