2018-02-20 13:33:09

by Sugar, David

Subject: [refpolicy] [PATCH 1/5-v2] Separate type for chronyd config file with interfaces to edit.

Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.

Fixed summary for chronyd_rw_config interface from previous submission.

Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.fc | 1 +
chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
chronyd.te | 5 +++++
3 files changed, 44 insertions(+)

diff --git a/chronyd.fc b/chronyd.fc
index 5ee3551..3a5dad7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)

/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 3d45be4..e0a751a 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')

+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Read and write chronyd shared memory.
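Review bot: The comment banner above the two new interfaces (`#####################################`) is shorter than the 40-character `########################################` line used for chronyd_rw_shm immediately below; match the file's existing banner width. Two further points on this hunk: as quoted here the interface bodies are indented with a single space rather than a tab, so the patch will not apply cleanly with git am until it is resent as plain text; and chronyd_rw_config grants only `rw_file_perms`, which covers in-place writes but not create, rename or unlink, so a caller that rewrites chrony.conf through a temporary file and rename will still be denied and would need a manage-style interface together with a `files_etc_filetrans` transition rather than this one.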
diff --git a/chronyd.te b/chronyd.te
index 0de7b52..09d7f83 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)

+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)

@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)

miscfiles_read_localization(chronyd_t)

+chronyd_read_config(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
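Review bot: `chronyd_read_config(chronyd_t)` calls the module's own interface from its own .te file; refpolicy convention is for a module to use direct rules on its own types and reserve interfaces for other modules, so replace it with `allow chronyd_t chronyd_conf_t:file read_file_perms;` in the local policy section and keep chronyd_read_config for external callers. The rule itself is needed, since once /etc/chrony.conf is relabelled away from etc_t the existing etc_t read permissions no longer cover it.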
--
2.14.3


2018-02-24 14:04:54

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/5-v2] Separate type for chronyd config file with interfaces to edit.

On 02/20/2018 08:33 AM, David Sugar via refpolicy wrote:
> Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to
> allow read-only or read/write access. Needed as I have a process that
> alters chrony.conf but I didn't want this process to have access to
> write all etc_t files.
>
> Fixed summary for chronyd_rw_config interface from previous submission.

The patches are corrupted (html emails).

--
Chris PeBenito