From: dsugar@tresys.com (David Sugar)
Date: Tue, 20 Feb 2018 13:33:32 +0000
Subject: [refpolicy] [PATCH 2/5-v2] Add interface to start/stop/enable/disable/status of chronyd service
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service Fix summary for chronyd_startstop from previous submission
Signed-off-by: Dave Sugar
---
 chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/chronyd.if b/chronyd.if
index e0a751a..a42bc4f 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
 read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
+########################################
+##
+## Allow specified domain to enable and disable chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+##
+## Allow specified domain to start and stop chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+##
+## Allow specified domain to get status of chronyd unit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
 ####################################
 ##
 ## All of the rules required to
--
2.14.3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20180220/1cbb1d1d/attachment-0001.html
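Review bot: The summaries for `chronyd_startstop` and `chronyd_enabledisable` do not mention that these permissions let the calling domain stop or disable time synchronisation, which Kerberos ticket checks, certificate validity checks and log correlation all depend on. I would add a `<desc>` under each summary along the lines of `Stopping or disabling chronyd halts time synchronisation; grant this only to administrative domains.` so that callers are chosen deliberately. Each interface grants only the `service` class permission on `chronyd_unit_t`; anything else a domain needs in order to drive systemctl is presumably granted elsewhere, and the summaries should say so because the commit message reads as if these interfaces are sufficient on their own. `chronyd_unit_t` is required by all three interfaces but its declaration is outside this hunk, so confirm it exists in the matching chronyd.te.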