commit: 35bc01e881f75e092a6cf668400407d73081f8fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 18:59:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8
update ntp module
* add private lock type
* dontaudit sys_resource
policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
policy/modules/contrib/ntp.if | 7 ++++---
policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
3 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple --
gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server --
gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp --
gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple --
gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server --
gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* --
gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf --
gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* --
gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)?
gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys --
gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* --
gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd? --
gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? --
gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* --
gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service --
gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid --
gen_context(system_u:object_r:ntpd_pid_t,s0)
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* --
gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service --
gen_context(system_u:object_r:ntpd_unit_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod --
gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd --
gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate --
gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp --
gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)?
gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod --
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate --
gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* --
gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)?
gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* --
gen_context(system_u:object_r:ntpd_log_t,s0)
/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
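Review bot: The `/run/ntpd\.sock -s` context line at the end of this hunk still labels the socket `ntpd_var_run_t` while the `/run/ntpd\.pid` entry a few lines above was switched to `ntpd_pid_t`. The `typealias ntpd_pid_t alias ntpd_var_run_t` in ntp.te keeps the old name loading, so this is not a build break, but the file now mixes the canonical name and the compatibility alias for the same type. Since the hunk already rewrites every other entry, the sock line should follow: `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0)`. Leaving the alias in new .fc text makes it harder to retire `ntpd_var_run_t` later.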
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
')
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
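Review bot: ntp_admin does not cover the new `ntpd_lock_t` type that this commit declares in ntp.te and labels on `/var/lock/ntpdate` in ntp.fc, so an admin role granted through this interface will be able to manage the pid, log, key and drift files but not the lock file. The gen_require block in this hunk would need `type ntpd_lock_t;` and the second hunk of this file (the one that switches `admin_pattern($1, ntpd_var_run_t)` to `ntpd_pid_t`) would need `admin_pattern($1, ntpd_lock_t)` alongside a search permission on the lock directory, presumably `files_search_locks($1)` — confirm the exact helper name against files.if. The middle of ntp_admin is outside the visible hunks, so I cannot tell whether ntpd_tmp_t and ntpd_tmpfs_t are handled there.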
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
admin_pattern($1, ntp_drift_t)
files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
+ admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
')
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
attribute_role ntpd_roles;
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
type ntp_drift_t;
files_type(ntp_drift_t)
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
type ntpd_key_t;
files_type(ntpd_key_t)
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
type ntpd_log_t;
logging_log_file(ntpd_log_t)
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill
setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time
ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice
sys_resource };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
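Review bot: The rewritten capability lines list `sys_nice` in both the allow rule and the dontaudit rule; a dontaudit on a permission that is already allowed never fires, so the entry is dead and makes the dontaudit set look larger than it is. This duplication was present before the commit, but since the lines are being reordered anyway the dontaudit should become `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_resource };`. The new `# sys_time : modify system time` comment is a good start, but moving `sys_resource` from allow to dontaudit is the behavioral change here and deserves a one-line comment of its own, e.g. `# sys_resource : setrlimit above hard limits, denial is expected and silenced`, since `setrlimit` stays in the process permissions on the next line. The new `allow ntpd_t ntpd_lock_t:file write_file_perms;` grants write but not create on the lock file, which is presumably consistent with init creating `/var/lock/ntpdate` via the `init_daemon_lock_file` call in the declarations hunk — worth stating in a comment so nobody later "fixes" it to manage_files_pattern, and the generic `self:socket create` rule would also benefit from a comment naming the socket family that triggered it.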
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
can_exec(ntpd_t, ntpd_exec_t)
kernel_read_kernel_sysctls(ntpd_t)