1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
policy_module(ntp, 1.20.1)
########################################
#
# Declarations
#
attribute_role ntpd_roles;
type ntp_conf_t;
files_config_file(ntp_conf_t)
type ntp_drift_t;
files_type(ntp_drift_t)
type ntpd_t;
type ntpd_exec_t;
init_daemon_domain(ntpd_t, ntpd_exec_t)
role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
type ntpd_key_t;
files_type(ntpd_key_t)
type ntpd_lock_t;
files_lock_file(ntpd_lock_t)
init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
type ntpd_log_t;
logging_log_file(ntpd_log_t)
type ntpd_pid_t;
files_pid_file(ntpd_pid_t)
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)
########################################
#
# Local policy
#
# sys_time : modify system time
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
allow ntpd_t self:unix_dgram_socket sendto;
allow ntpd_t ntp_conf_t:file read_file_perms;
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
files_etc_filetrans(ntpd_t, ntp_drift_t, file)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_lock_t:file rw_file_perms;
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
can_exec(ntpd_t, ntpd_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
corenet_sendrecv_ntp_client_packets(ntpd_t)
corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
corenet_udp_sendrecv_ntp_port(ntpd_t)
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
dev_read_sysfs(ntpd_t)
dev_read_urand(ntpd_t)
dev_rw_realtime_clock(ntpd_t)
domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_manage_etc_symlinks(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
term_use_ptmx(ntpd_t)
auth_use_nsswitch(ntpd_t)
init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
ifdef(`init_systemd',`
allow ntpd_t ntpd_unit_t:file read_file_perms;
dbus_system_bus_client(ntpd_t)
dbus_connect_system_bus(ntpd_t)
init_dbus_chat(ntpd_t)
init_get_system_status(ntpd_t)
init_list_unit_dirs(ntpd_t)
# for /var/lib/systemd/timesync
init_read_var_lib_links(ntpd_t)
allow ntpd_t self:capability { fowner setpcap };
init_read_state(ntpd_t)
init_reload(ntpd_t)
# for /var/lib/systemd/clock
init_list_var_lib_dirs(ntpd_t)
# for /run/systemd/netif/links
systemd_list_networkd_runtime(ntpd_t)
# for /run/systemd/netif/state
systemd_read_networkd_runtime(ntpd_t)
optional_policy(`
chronyd_enabledisable(ntpd_t)
chronyd_startstop(ntpd_t)
')
optional_policy(`
unconfined_dbus_send(ntpd_t)
')
')
optional_policy(`
clock_read_adjtime(ntpd_t)
')
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
optional_policy(`
gpsd_rw_shm(ntpd_t)
')
optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
firstboot_dontaudit_rw_pipes(ntpd_t)
firstboot_dontaudit_rw_stream_sockets(ntpd_t)
')
optional_policy(`
hal_dontaudit_write_log(ntpd_t)
')
optional_policy(`
logrotate_exec(ntpd_t)
')
optional_policy(`
seutil_sigchld_newrole(ntpd_t)
')
optional_policy(`
udev_read_db(ntpd_t)
')
|
GitWeb