commit:     7a8275937a8628ca031dddf5f47cf2b27aaf94b3
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:02:59 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:44 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a827593
Add interface to start/stop/enable/disable/status of chronyd service Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service Fix summary for chronyd_startstop from previous submission Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> policy/modules/contrib/chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index e0a751ac..a42bc4f4 100644 --- a/policy/modules/contrib/chronyd.if +++ b/policy/modules/contrib/chronyd.if @@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',` read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ') +######################################## +## <summary> +## Allow specified domain to enable and disable chronyd unit +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_enabledisable',` + gen_require(` + type chronyd_unit_t; + class service { enable disable }; + ') + + allow $1 chronyd_unit_t:service { enable disable }; +') + +######################################## +## <summary> +## Allow specified domain to start and stop chronyd unit +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_startstop',` + gen_require(` + type chronyd_unit_t; + class service { start stop }; + ') + + allow $1 chronyd_unit_t:service { start stop }; +') + +######################################## +## <summary> +## Allow specified domain to get status of chronyd unit +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_status',` + gen_require(` + type chronyd_unit_t; + class service status; + ') + + allow $1 chronyd_unit_t:service status; +') + #################################### ## <summary> ## All of the rules required to
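Review bot: chronyd_startstop and chronyd_enabledisable each grant their permissions as a pair (`allow $1 chronyd_unit_t:service { start stop };` and `allow $1 chronyd_unit_t:service { enable disable };`), so a calling domain that only needs to start or enable the unit is also allowed to stop or disable it. The summaries do name both permissions, so this is a design question rather than a documentation error: if any expected caller needs only one of the pair, separate interfaces in the single-permission style of chronyd_status would keep the grant minimal. If the pairing is deliberate, a short <desc> noting that status is not included and must be requested through chronyd_status would help callers. Separately, the commit message line "Fix summary for chronyd_startstop from previous submission" describes patch revision history; this hunk adds chronyd_startstop entirely as new lines, so that sentence fits better in the submission notes than in the permanent log.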