[selinux-policy: 2359/3172] ntp patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:29:26 UTC 2010


commit 82cdffce58284ba51a4cdcbd6b4855e13899362c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 7 09:00:39 2010 -0500

    ntp patch from Dan Walsh.

 policy/modules/services/ntp.if |   50 +++++++++++++++++++++++++++++++++++++--
 policy/modules/services/ntp.te |    7 ++++-
 2 files changed, 52 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index bb0089e..a09a9ae 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -37,6 +37,32 @@ interface(`ntp_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute ntp in the ntp domain, and
+##	allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	ntp_domtrans($1)
+	role $2 types ntpd_t;
+')
+
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
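Review bot: The summary of the new ntp_run interface calls the target the "ntp domain" (L25–L26), while the type it requires is ntpd_t (L42) and the neighbouring ntp_domtrans summary says "ntpd domain" (L51); since the interface docs are generated from these headers, the wording should match the type: `##	Execute ntp in the ntpd domain, and` / `##	allow the specified role the ntpd domain.`. The body itself follows the usual refpolicy *_run shape (domtrans plus `role $2 types ntpd_t;`), so nothing to change there.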
@@ -55,7 +81,25 @@ interface(`ntp_domtrans_ntpdate',`
 ')
 
 ########################################
-## <summary>    
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+	gen_require(`
+		type ntpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read and write ntpd shared memory.
 ## </summary>
 ## <param name="domain">
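Review bot: The summary of the new ntp_initrc_domtrans interface (L60) is a copy of the ntp_domtrans text, "Execute ntp server in the ntpd domain.", but what the body does is `init_labeled_script_domtrans($1, ntpd_initrc_exec_t)` (L73), i.e. a transition into the init script domain, not ntpd_t. Change it to `##	Execute ntp server in the initrc domain.` so readers of the generated docs are not told this interface grants access to ntpd_t. The `domain` parameter wording ("The type of the process performing this action.") is fine as is.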
@@ -64,7 +108,7 @@ interface(`ntp_domtrans_ntpdate',`
 ##	</summary>
 ## </param>
 #
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
 	gen_require(`
 		type ntpd_t, ntpd_tmpfs_t;
 	')
@@ -78,7 +122,7 @@ interface(`ntpd_rw_shm',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an ntp environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 330b80f..745e3a4 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.9.0)
+policy_module(ntp, 1.9.1)
 
 ########################################
 #
@@ -41,10 +41,11 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 
 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
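Review bot: The new `ipc_owner` capability (L115) is added without a reason, although the comment block right above (L112–L113) explains the other unusual capabilities; CAP_IPC_OWNER bypasses the DAC owner/permission checks on every System V IPC object the process can reach, so it is broader than the `self:shm create_shm_perms` rule added next to it (L119). Presumably it is for a SHM refclock segment created under a different uid (e.g. by a GPS daemon) that ntpd still needs after dropping privileges — if so, say that: `# ipc_owner: access a SysV shm segment created under another uid (SHM refclock); confirm`. Note also that `self:shm` only covers segments labeled ntpd_t, i.e. ones ntpd creates itself; a segment created by another domain would need its own rule regardless of the capability, so it is worth checking which denial actually drove each of the two additions.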
@@ -55,6 +56,7 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 can_exec(ntpd_t, ntpd_exec_t)
 
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@@ -75,6 +77,7 @@ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
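Review bot: `kernel_request_load_module(ntpd_t)` (L135) lets a network-facing daemon trigger kernel module autoloading via request_module(), which widens what a compromised ntpd can ask the kernel to load, and the hunk gives no hint of what ntpd needs it for. If the request is an incidental probe (a socket family or protocol module that is already built in on the target), the refpolicy convention is to silence it with `kernel_dontaudit_request_load_module(ntpd_t)` rather than allow it; if a real load is required, keep the allow but record the trigger, e.g. `# request_load_module: <module/feature ntpd needs> -- confirm with the denial`. The enclosing rule run continues past the end of the hunk.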

