From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 16 Apr 2018 11:39:11 +0200 Subject: [refpolicy] [PATCH 2/2 v2] contrib: ntp interface runs both ntpd and ntpdate In-Reply-To: References: <1523723777.4835.1.camel@trentalancia.com> Message-ID: <1523871551.10266.3.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com A new ntp_run_ntpdate() interface is added so that it is possible to run ntpdate with a domain transition and not just ntpd. The comment in the ntpdate is changed to reflect the fact that ntpdate is a client and not a server. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/ntp.if | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) --- a/policy/modules/contrib/ntp.if 2017-09-29 19:01:55.171455647 +0200 +++ b/policy/modules/contrib/ntp.if 2018-04-16 11:31:12.058684850 +0200 @@ -81,7 +81,7 @@ interface(`ntp_run',` ######################################## ## -## Execute ntpdate server in the ntpd domain. +## Execute ntpdate client in the ntpd domain. ## ## ## @@ -99,6 +99,32 @@ interface(`ntp_domtrans_ntpdate',` ') ######################################## +## +## Execute ntpdate in the ntp domain, and +## allow the specified role the ntp domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ntp_run_ntpdate',` + gen_require(` + attribute_role ntpd_roles; + ') + + ntp_domtrans_ntpdate($1) + roleattribute $2 ntpd_roles; +') + +######################################## ## ## Execute ntpd init scripts in ## the init script domain.
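Review bot: In the second hunk, the summary of the new ntp_run_ntpdate interface says "Execute ntpdate in the ntp domain, and allow the specified role the ntp domain", while the ntp_domtrans_ntpdate summary edited in the first hunk says "ntpd domain" and the role attribute required here is ntpd_roles. Suggest writing "ntpd domain" in both places of the new summary so the documentation names the same domain throughout. The summary should also say that `roleattribute $2 ntpd_roles;` adds the caller's role to the shared ntpd_roles attribute, so the role receives whatever that attribute is associated with rather than something specific to ntpdate; a caller checking the interface for least privilege needs that stated.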