Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/chronyd.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/chronyd.te')
-rw-r--r--policy/modules/contrib/chronyd.te68
1 files changed, 68 insertions, 0 deletions
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
new file mode 100644
index 000000000..fa82327a1
--- /dev/null
+++ b/policy/modules/contrib/chronyd.te
@@ -0,0 +1,68 @@
+policy_module(chronyd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
+allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')