commit:     1100fd2c68b60b6ab5eb34baedb20a63a191f057
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar  5 14:03:02 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:31:12 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c

Allow execution of chronyc from commandline

 With the previous patch moving chronyc into a separate domain this adds 
interfaces to execute chronyc from the command line and have it run in the 
chronyc_t domain.

Updated interface names based on suggestion, added missing permission to allow 
chronyc_t domain access to tty.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/contrib/chronyd.if | 46 +++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/chronyd.te |  8 +++++++
 2 files changed, 54 insertions(+)

diff --git a/policy/modules/contrib/chronyd.if 
b/policy/modules/contrib/chronyd.if
index 32988914..bc4ba691 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
        domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+#####################################
+## <summary>
+##     Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+       gen_require(`
+               type chronyc_t, chronyc_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
        can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+## <summary>
+##     Execute chronyc in the chronyc domain,
+##     and allow the specified roles the
+##     chronyc domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+       gen_require(`
+               attribute_role chronyc_roles;
+       ')
+
+       chronyd_domtrans_cli($1)
+       roleattribute $2 chronyc_roles;
+')
+
 #####################################
 ## <summary>
 ##     Read chronyd log files.
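Review bot: Nothing in this commit calls `chronyd_run_cli`, so `chronyc_roles` has no member roles and no user domain gains the transition yet. The diffstat lists only chronyd.if and chronyd.te, so the caller presumably arrives in a separate patch to a role module. Because chronyc_t is allowed to talk to the daemon (`chronyd_dgram_send(chronyc_t)` in chronyd.te), the summary should say which roles are meant to be passed in. If the intent is admin-only, add a line such as `##     Intended for administrative roles.` to the `<summary>` block.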

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index 0634548d..8277ef81 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
 # Declarations
 #
 
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyc_t;
 type chronyc_exec_t;
 init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
 
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
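Review bot: `chronyc_t` ends up declared as both an init daemon domain and an application domain, because the context line `init_daemon_domain(chronyc_t, chronyc_exec_t)` stays in place next to the new `application_domain(chronyc_t, chronyc_exec_t)`. For a command-line client the daemon declaration looks broader than needed, since it keeps an init-started entry path into chronyc_t. If no init script or unit runs chronyc, dropping that line would leave only the interactive path through `chronyd_domtrans_cli`. If something started by init does invoke chronyc, a comment such as `# also entered from init: <caller>` above the line would record why both declarations are kept.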
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
 
+locallogin_use_fds(chronyc_t)
+
 logging_send_syslog_msg(chronyc_t)
 
 sysnet_read_config(chronyc_t)
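Review bot: The terminal access added here and in the next hunk covers local console logins only. `locallogin_use_fds(chronyc_t)` and `userdom_use_user_ttys(chronyc_t)` name the local login descriptors and user ttys, not ptys. Running chronyc from an SSH session or a terminal emulator would presumably still be denied on the pty. Replacing the ttys line with `userdom_use_inherited_user_terminals(chronyc_t)` would cover both ttys and ptys while granting use of already-open descriptors only, assuming chronyc never opens the terminal itself.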
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
 
 miscfiles_read_localization(chronyc_t)
 
+userdom_use_user_ttys(chronyc_t)
+
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
 
