From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 16 Apr 2018 11:39:11 +0200
Subject: [refpolicy] [PATCH 2/2 v2] contrib: ntp interface runs both ntpd
	and ntpdate
In-Reply-To: <fe9d7f20-2ce4-268a-6ec4-cde36bf96926@ieee.org>
References: <1523723777.4835.1.camel@trentalancia.com>
	<fe9d7f20-2ce4-268a-6ec4-cde36bf96926@ieee.org>
Message-ID: <1523871551.10266.3.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

A new ntp_run_ntpdate() interface is added so that it is possible
to run ntpdate with a domain transition and not just ntpd.

The comment in the ntpdate is changed to reflect the fact
that ntpdate is a client and not a server.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/ntp.if |   28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/ntp.if	2017-09-29 19:01:55.171455647 +0200
+++ b/policy/modules/contrib/ntp.if	2018-04-16 11:31:12.058684850 +0200
@@ -81,7 +81,7 @@ interface(`ntp_run',`
 
 ########################################
 ## <summary>
-##	Execute ntpdate server in the ntpd domain.
+##	Execute ntpdate client in the ntpd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99,6 +99,32 @@ interface(`ntp_domtrans_ntpdate',`
 ')
 
 ########################################
+## <summary>
+##	Execute ntpdate in the ntp domain, and
+##	allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run_ntpdate',`
+	gen_require(`
+		attribute_role ntpd_roles;
+	')
+
+	ntp_domtrans_ntpdate($1)
+	roleattribute $2 ntpd_roles;
+')
+
+########################################
 ## <summary>
 ##	Execute ntpd init scripts in
 ##	the init script domain.