From: dsugar@tresys.com (Dave Sugar) Date: Mon, 5 Mar 2018 09:02:58 -0500 Subject: [refpolicy] [PATCH 1/5-v4] Separate type for chronyd config file. In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com> References: <20180305140302.31341-1-dsugar@tresys.com> Message-ID: <20180305140302.31341-2-dsugar@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files. Fixed summary for chronyd_rw_config interface from previous submission. Signed-off-by: Dave Sugar --- chronyd.fc | 1 + chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++ chronyd.te | 5 +++++ 3 files changed, 44 insertions(+) diff --git a/chronyd.fc b/chronyd.fc index 5ee3551..3a5dad7 100644 --- a/chronyd.fc +++ b/chronyd.fc @@ -1,3 +1,4 @@ +/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0) /etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) diff --git a/chronyd.if b/chronyd.if index 3d45be4..e0a751a 100644 --- a/chronyd.if +++ b/chronyd.if @@ -76,6 +76,44 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') +##################################### +## +## Read chronyd config file. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_read_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file read_file_perms; +') + +##################################### +## +## Read and write chronyd config file. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_rw_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file rw_file_perms; +') + ######################################## ## ## Read and write chronyd shared memory. diff --git a/chronyd.te b/chronyd.te index 0de7b52..09d7f83 100644 --- a/chronyd.te +++ b/chronyd.te @@ -9,6 +9,9 @@ type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyd_conf_t; +files_config_file(chronyd_conf_t) + type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) +chronyd_read_config(chronyd_t) + optional_policy(` gpsd_rw_shm(chronyd_t) ') -- 2.14.3