[selinux-policy: 1429/3172] add clockspeed from petre rodan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:08:53 UTC 2010


commit 46bec43425a70aacfe70e2a035001887a7a3461a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 8 14:16:10 2006 +0000

    add clockspeed from petre rodan

 refpolicy/Changelog                             |    1 +
 refpolicy/policy/modules/services/clockspeed.fc |   14 ++++
 refpolicy/policy/modules/services/clockspeed.if |   53 ++++++++++++++++
 refpolicy/policy/modules/services/clockspeed.te |   75 +++++++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.te   |    4 +
 5 files changed, 147 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 682a419..6225edb 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -46,6 +46,7 @@
 	calamaris
 	cipe
 	clamav (Erich Schubert)
+	clockspeed (Petre Rodan)
 	courier
 	dante
 	dcc
diff --git a/refpolicy/policy/modules/services/clockspeed.fc b/refpolicy/policy/modules/services/clockspeed.fc
new file mode 100644
index 0000000..a7aa385
--- /dev/null
+++ b/refpolicy/policy/modules/services/clockspeed.fc
@@ -0,0 +1,14 @@
+
+#
+# /usr
+#
+/usr/bin/clockadd	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/clockspeed(/.*)?	gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
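Review bot: The new file opens with an empty line ahead of the `# /usr` section header; it serves no purpose and the file should start with the comment block. The labels themselves agree with the types the .te hunk declares (clockspeed_cli_exec_t for clockadd/sntpclock/taiclock, clockspeed_srv_exec_t for clockspeed/taiclockd, clockspeed_var_lib_t for the state directory). No configuration path is labelled; if the packaged tools read anything outside /var/lib/clockspeed, that entry is missing here, which I cannot confirm from this diff.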
diff --git a/refpolicy/policy/modules/services/clockspeed.if b/refpolicy/policy/modules/services/clockspeed.if
new file mode 100644
index 0000000..9d4c892
--- /dev/null
+++ b/refpolicy/policy/modules/services/clockspeed.if
@@ -0,0 +1,53 @@
+## <summary>Clockspeed simple network time protocol client</summary>
+
+########################################
+## <summary>
+##      Execute clockspeed utilities in the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`clockspeed_domtrans_cli',`
+        gen_require(`
+                type clockspeed_cli_t, clockspeed_cli_exec_t;
+        ')
+
+	domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+	allow clockspeed_cli_t $1:fd use;
+	allow clockspeed_cli_t $1:fifo_file { read write };
+	allow clockspeed_cli_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified role the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the clockspeed_cli domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the clockspeed_cli domain to use.
+##	</summary>
+## </param>
+#
+template(`clockspeed_run_cli',`
+	gen_require(`
+		type clockspeed_cli_t;
+	')
+
+	role $2 types clockspeed_cli_t;
+	clockspeed_domtrans_cli($1)
+	allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
+
+')
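Review bot: The module summary on the first line describes only a "simple network time protocol client", but the .te file added in this commit also declares a server domain (clockspeed_srv_t), so the summary understates what the module covers; suggest `## <summary>Clockspeed network time client utilities and server daemon</summary>`. Two style points: the gen_require block of clockspeed_domtrans_cli is indented with spaces while the rest of the file uses tabs, and clockspeed_run_cli carries a stray blank line before its closing `')`. Neither affects the generated policy.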
diff --git a/refpolicy/policy/modules/services/clockspeed.te b/refpolicy/policy/modules/services/clockspeed.te
new file mode 100644
index 0000000..b06c5ea
--- /dev/null
+++ b/refpolicy/policy/modules/services/clockspeed.te
@@ -0,0 +1,75 @@
+
+policy_module(clockspeed,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+domain_type(clockspeed_cli_t)
+domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t)
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
+allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
+
+corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+libs_use_ld_so(clockspeed_cli_t)
+libs_use_shared_libs(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
+allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
+allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
+
+corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
+corenet_udp_bind_inaddr_any_node(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+
+files_read_etc_files(clockspeed_srv_t)
+files_list_var_lib(clockspeed_srv_t)
+
+libs_use_ld_so(clockspeed_srv_t)
+libs_use_shared_libs(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+	daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t)
+')
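Review bot: The client domain is granted only `file { getattr read }` on clockspeed_var_lib_t, while the server domain is allowed to create fifo_file objects there; if a client tool such as clockadd passes its correction to the daemon through that FIFO, the client will be denied and needs `allow clockspeed_cli_t clockspeed_var_lib_t:fifo_file write;` — confirm against how the tools actually communicate before adding it. On the server side, `net_bind_service` is only needed to bind a port below 1024, and the only bind granted is corenet_udp_bind_clockspeed_port, so the capability can be dropped if that port is unprivileged. That interface also presupposes a clockspeed port declaration in corenetwork, which the diffstat shows this commit does not touch; verify the declaration exists or the module will not build.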
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6d9e126..1829821 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -232,6 +232,10 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
+		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
 		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
 	')
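Review bot: The new optional_policy block calling clockspeed_run_cli is placed ahead of the existing certwatch block; if these blocks are kept in alphabetical order, it belongs after it rather than before. The enclosing block begins and ends outside the hunk, so the ordering of the neighbours further up cannot be checked from here.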
 

