2018-02-20 13:35:01

by Sugar, David

Subject: [refpolicy] [PATCH 5/5-v2] Allow execution of chronyc from commandline

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.

Updated the interface names per review suggestion, and added the missing permission that lets the chronyc_t domain use the invoking user's tty.

Signed-off-by: Dave Sugar <[email protected]>
---
chronyd.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
chronyd.te | 8 ++++++++
2 files changed, 54 insertions(+)

diff --git a/chronyd.if b/chronyd.if
index 3298891..bc4ba69 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')

+#####################################
+## <summary>
+## Execute chronyc in the chronyc_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
########################################
## <summary>
## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')

+########################################
+## <summary>
+## Execute chronyc in the chronyc_t domain,
+## and allow the specified roles the
+## chronyc_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_cli($1)
+ roleattribute $2 chronyc_roles;
+')
+
#####################################
## <summary>
## Read chronyd log files.
diff --git a/chronyd.te b/chronyd.te
index 0634548..8277ef8 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
# Declarations
#

+attribute_role chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
type chronyc_t;
type chronyc_exec_t;
init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;

type chronyd_conf_t;
files_config_file(chronyd_conf_t)
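Review bot: chronyc_t is now declared both as an init daemon domain (the `init_daemon_domain(chronyc_t, chronyc_exec_t)` context line) and as an application domain, which is an unusual combination in refpolicy; both macros make chronyc_exec_t an entrypoint, and init_daemon_domain additionally lets init transition into chronyc_t. If nothing started by init runs chronyc directly (the previous patch is not in view, so this may be intended for a wait-for-sync unit), dropping the `init_daemon_domain` line would keep chronyc_t a plain user application and avoid giving init a second way into the domain. If both are needed, a short comment above the two lines, e.g. `# chronyc is run both by init and from user shells`, would explain the dual declaration to the next reader.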
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
files_read_etc_files(chronyc_t)
files_read_usr_files(chronyc_t)

+locallogin_use_fds(chronyc_t)
+
logging_send_syslog_msg(chronyc_t)

sysnet_read_config(chronyc_t)
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)

miscfiles_read_localization(chronyc_t)

+userdom_use_user_ttys(chronyc_t)
+
chronyd_dgram_send(chronyc_t)
chronyd_read_config(chronyc_t)

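Review bot: `userdom_use_user_ttys(chronyc_t)` only covers real tty devices, so a chronyc started from a pseudo-terminal (an ssh session or terminal emulator) will still be denied access to its inherited stdio and the commit's stated goal of tty access from the command line is only half met. Recent refpolicy trees provide `userdom_use_inherited_user_terminals($1)`, which covers both ttys and ptys without granting open, matching a client that inherits its terminal from the shell; if that interface is present, replacing the added line with `userdom_use_inherited_user_terminals(chronyc_t)` is the tighter choice, otherwise `userdom_use_user_terminals(chronyc_t)` at least covers ptys. This is inferred from the interface names, so confirm against the target tree's userdomain.if.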
--
2.14.3