From: dsugar@tresys.com (Dave Sugar) Date: Mon, 5 Mar 2018 09:02:59 -0500 Subject: [refpolicy] [PATCH 2/5-v4] Add interface to start/stop/enable/disable/status of chronyd service In-Reply-To: <20180305140302.31341-1-dsugar@tresys.com> References: <20180305140302.31341-1-dsugar@tresys.com> Message-ID: <20180305140302.31341-3-dsugar@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service Fix summary for chronyd_startstop from previous submission Signed-off-by: Dave Sugar --- chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/chronyd.if b/chronyd.if index e0a751a..a42bc4f 100644 --- a/chronyd.if +++ b/chronyd.if @@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',` read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ') +######################################## +## +## Allow specified domain to enable and disable chronyd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_enabledisable',` + gen_require(` + type chronyd_unit_t; + class service { enable disable }; + ') + + allow $1 chronyd_unit_t:service { enable disable }; +') + +######################################## +## +## Allow specified domain to start and stop chronyd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_startstop',` + gen_require(` + type chronyd_unit_t; + class service { start stop }; + ') + + allow $1 chronyd_unit_t:service { start stop }; +') + +######################################## +## +## Allow specified domain to get status of chronyd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_status',` + gen_require(` + type chronyd_unit_t; + class service status; + ') + + allow $1 chronyd_unit_t:service status; +') + #################################### ## ## All of the rules required to -- 2.14.3
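Review bot: `chronyd_startstop` and `chronyd_enabledisable` each grant a pair of permissions on `chronyd_unit_t` (`service { start stop }` and `service { enable disable }`). A caller that only needs to start or enable the unit therefore also gains the ability to stop or disable time synchronization. If the pairing is intentional, the interface summaries should say these are meant for administrative domains. Otherwise, consider splitting stop and disable into their own interfaces so policy writers can grant them separately; `chronyd_status` already shows the single-permission form with `allow $1 chronyd_unit_t:service status;`. Separately, the line "Fix summary for chronyd_startstop from previous submission" is a revision note and would be better placed below the `---` marker so that it stays out of the commit log.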