commit: 714f365c85547fffafb54431ac41927d3b9c3710 Author: cgzones <cgzones <AT> googlemail <DOT> com> AuthorDate: Thu Jan 5 19:24:04 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Fri Jan 13 18:40:54 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=714f365c
add fakehwclock module fakehwclock.fc | 5 +++++ fakehwclock.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++ fakehwclock.te | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+)
diff --git a/fakehwclock.fc b/fakehwclock.fc
new file mode 100644
index 0000000..d83c628
--- /dev/null
+++ b/fakehwclock.fc
@@ -0,0 +1,5 @@
+/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+
+/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
+/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
diff --git a/fakehwclock.if b/fakehwclock.if
new file mode 100644
index 0000000..24cc7d1
--- /dev/null
+++ b/fakehwclock.if
@@ -0,0 +1,46 @@
+## <summary>fake-hwclock - Control fake hardware clock.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fake-hwclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_domtrans',`
+ gen_require(`
+ type fakehwclock_t, fakehwclock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
+')
+
+########################################
+## <summary>
+## Execute fake-hwclock in the fake-hwclock domain,
+## and allow the specified role
+## the fake-hwclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_run',`
+ gen_require(`
+ attribute_role fakehwclock_roles;
+ ')
+
+ fakehwclock_domtrans($1)
+ roleattribute $2 fakehwclock_roles;
+')
diff --git a/fakehwclock.te b/fakehwclock.te
new file mode 100644
index 0000000..6f2958f
--- /dev/null
+++ b/fakehwclock.te
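Review bot: The entry point in fakehwclock.fc is labeled only at `/sbin/fake-hwclock`, so on a merged-/usr layout, where the real path is under /usr/sbin, the script may keep its default label unless a file-context equivalence rule already maps the two paths. In that case `domtrans_pattern` never fires and fake-hwclock runs in the caller's domain instead of `fakehwclock_t`. Consider adding `/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)`. The same question applies to the unit file, which is matched only under `/usr/lib/systemd/system`.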
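Review bot: The summaries for `fakehwclock_domtrans` and `fakehwclock_run` in fakehwclock.if do not say what a caller gains by entering the target domain. The type-enforcement file in this commit gives `fakehwclock_t` the `sys_time` capability, so either interface lets the calling domain trigger a change of system time. I would add one line to each summary, for example `## The fake-hwclock domain is able to set the system time.`, so that policy authors weigh that before granting the interface to a new domain or role.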
@@ -0,0 +1,39 @@
+policy_module(fakehwclock, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fakehwclock_roles;
+
+type fakehwclock_t;
+type fakehwclock_exec_t;
+init_system_domain(fakehwclock_t, fakehwclock_exec_t)
+role fakehwclock_roles types fakehwclock_t;
+
+type fakehwclock_backup_t;
+files_type(fakehwclock_backup_t)
+
+type fakehwclock_unit_t;
+init_unit_file(fakehwclock_unit_t)
+
+########################################
+#
+# policy
+#
+
+# sys_time : set system time
+allow fakehwclock_t self:capability sys_time;
+allow fakehwclock_t self:fifo_file rw_fifo_file_perms;
+
+allow fakehwclock_t fakehwclock_backup_t:file manage_file_perms;
+
+corecmd_exec_bin(fakehwclock_t)
+corecmd_exec_shell(fakehwclock_t)
+
+miscfiles_read_localization(fakehwclock_t)
+
+optional_policy(`
+ cron_system_entry(fakehwclock_t, fakehwclock_exec_t)
+')
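Review bot: `allow fakehwclock_t fakehwclock_backup_t:file manage_file_perms;` grants create and unlink, but nothing in this hunk adds a type transition or write access to the /etc directory, so those extra permissions look unusable as written. If fake-hwclock only rewrites an existing /etc/fake-hwclock.data, narrowing the rule to `rw_file_perms` fits least privilege better for a domain that holds `sys_time` and may execute a shell. If it has to create the file, a named transition such as `files_etc_filetrans(fakehwclock_t, fakehwclock_backup_t, file, "fake-hwclock.data")` keeps the new file from getting the generic etc label. Assuming the saved timestamp is what the clock is restored from, a comment above the rule should say that write access to `fakehwclock_backup_t` amounts to influence over system time.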
