* [refpolicy] [PATCH 1/5-v3] Separate type for chronyd config file with interfaces to edit.
@ 2018-02-24 14:39 David Sugar
From: David Sugar @ 2018-02-24 14:39 UTC
  To: refpolicy

Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access.  Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.

Fixed summary for chronyd_rw_config interface from previous submission.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 chronyd.fc |  1 +
 chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
 chronyd.te |  5 +++++
 3 files changed, 44 insertions(+)

diff --git a/chronyd.fc b/chronyd.fc
index 5ee3551..3a5dad7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf                      --      gen_context(system_u:object_r:chronyd_conf_t,s0)
 /etc/chrony\.keys                       --      gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd              --      gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 3d45be4..e0a751a 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
         read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+#####################################
+## <summary>
+##     Read chronyd config file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+       gen_require(`
+               type chronyd_conf_t;
+       ')
+
+       files_search_etc($1)
+       allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+##     Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+       gen_require(`
+               type chronyd_conf_t;
+       ')
+
+       files_search_etc($1)
+       allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      Read and write chronyd shared memory.
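Review bot: the two new interfaces use bare allow rules (`allow $1 chronyd_conf_t:file read_file_perms;`) where the existing interface directly above uses the pattern macro (`read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)`); for consistency with the rest of chronyd.if, `read_files_pattern($1, chronyd_conf_t, chronyd_conf_t)` and `rw_files_pattern($1, chronyd_conf_t, chronyd_conf_t)` would be preferred. The new XML doc headers are also shorter than the surrounding `########################################` lines and their summary indent looks different from the existing blocks, so they should be aligned to the file's style. Finally, since the cover note says a process "alters chrony.conf", it is worth confirming that it rewrites the file in place: `rw_file_perms` does not cover writing a new file and renaming it over the old one, which would need a manage-style interface rather than `chronyd_rw_config`.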
diff --git a/chronyd.te b/chronyd.te
index 0de7b52..09d7f83 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_read_config(chronyd_t)
+
 optional_policy(`
         gpsd_rw_shm(chronyd_t)
 ')
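Review bot: `chronyd_read_config(chronyd_t)` calls the module's own interface from inside chronyd.te; refpolicy convention is that a module does not call its own interfaces but writes the rule directly, so this should be `allow chronyd_t chronyd_conf_t:file read_file_perms;` (or `read_files_pattern(chronyd_t, chronyd_conf_t, chronyd_conf_t)`) placed with the local policy rules rather than among the calls into other modules.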
-- 
2.14.3
