commit:     8bfaafbdc8b78591c80c31a16ee2475fb7170c63
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Sep 12 09:54:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8bfaafbd

fakehwclock: update

- add initrc filecontext
- deprecate domtrans/run interface in favor of new admin interface

v2:

- deprecate interfaces instead of dropping

 policy/modules/contrib/fakehwclock.fc |  6 ++++--
 policy/modules/contrib/fakehwclock.if | 34 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/fakehwclock.te |  3 +++
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/fakehwclock.fc 
b/policy/modules/contrib/fakehwclock.fc
index 0ab3bd87..85ea9317 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,7 +1,9 @@
 /etc/fake-hwclock\.data                                --      
gen_context(system_u:object_r:fakehwclock_backup_t,s0)
 
-/usr/bin/fake-hwclock                          --      
gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+/etc/rc\.d/init\.d/fake-hwclock                        --      
gen_context(system_u:object_r:fakehwclock_initrc_exec_t,s0)
 
-/usr/sbin/fake-hwclock                         --      
gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+/usr/bin/fake-hwclock                          --      
gen_context(system_u:object_r:fakehwclock_exec_t,s0)
 
 /usr/lib/systemd/system/fake-hwclock\.service  --      
gen_context(system_u:object_r:fakehwclock_unit_t,s0)
+
+/usr/sbin/fake-hwclock                         --      
gen_context(system_u:object_r:fakehwclock_exec_t,s0)

diff --git a/policy/modules/contrib/fakehwclock.if 
b/policy/modules/contrib/fakehwclock.if
index 24cc7d1f..3e5afb14 100644
--- a/policy/modules/contrib/fakehwclock.if
+++ b/policy/modules/contrib/fakehwclock.if
@@ -11,6 +11,8 @@
 ## </param>
 #
 interface(`fakehwclock_domtrans',`
+       refpolicywarn(`$0($*) has been deprecated')
+
        gen_require(`
                type fakehwclock_t, fakehwclock_exec_t;
        ')
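Review bot: The warning added at the top of fakehwclock_domtrans does not say what callers should use instead, and the same applies to the identical line added to fakehwclock_run in the next hunk. The commit message names the new admin interface as the successor, so the message text could read `$0($*) has been deprecated, use fakehwclock_admin() instead.` Note that fakehwclock_admin, as written later in this patch, grants process administration, service start/stop and admin_pattern access on the backup file type, with no domain transition. It is therefore not a like-for-like replacement, and callers should review the access they actually need before switching. The `##` summary blocks of both interfaces start outside these hunks; adding "(Deprecated)" to them would keep the generated documentation consistent with the warning.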
@@ -37,6 +39,8 @@ interface(`fakehwclock_domtrans',`
 ## </param>
 #
 interface(`fakehwclock_run',`
+       refpolicywarn(`$0($*) has been deprecated')
+
        gen_require(`
                attribute_role fakehwclock_roles;
        ')
@@ -44,3 +48,33 @@ interface(`fakehwclock_run',`
        fakehwclock_domtrans($1)
        roleattribute $2 fakehwclock_roles;
 ')
+
+########################################
+## <summary>
+##     All the rules required to
+##     administrate an fake-hwclock environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+#
+interface(`fakehwclock_admin',`
+       gen_require(`
+               type fakehwclock_t, fakehwclock_exec_t, fakehwclock_backup_t;
+               type fakehwclock_initrc_exec_t, fakehwclock_unit_t;
+       ')
+
+       admin_process_pattern($1, fakehwclock_t)
+
+       init_startstop_service($1, $2, fakehwclock_t, 
fakehwclock_initrc_exec_t, fakehwclock_unit_t)
+
+       files_search_etc($1)
+       admin_pattern($1, fakehwclock_backup_t)
+')
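Review bot: The gen_require block in fakehwclock_admin declares fakehwclock_exec_t, but no rule in the body references that type. The line can be reduced to `type fakehwclock_t, fakehwclock_backup_t;` so that the require list matches the access the interface actually grants. The "domain" parameter is documented as `Domain allowed to transition.` although nothing here sets up a transition; `Domain allowed access.` is accurate, and the summary should read "a fake-hwclock environment". Because this interface gives the caller control over fakehwclock_t processes and admin_pattern access to fakehwclock_backup_t, accurate parameter documentation matters to anyone deciding which admin domains should receive it.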

diff --git a/policy/modules/contrib/fakehwclock.te 
b/policy/modules/contrib/fakehwclock.te
index 0a896a38..20bc5a01 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -15,6 +15,9 @@ role fakehwclock_roles types fakehwclock_t;
 type fakehwclock_backup_t;
 files_type(fakehwclock_backup_t)
 
+type fakehwclock_initrc_exec_t;
+init_script_file(fakehwclock_initrc_exec_t)
+
 type fakehwclock_unit_t;
 init_unit_file(fakehwclock_unit_t)
 
