From: Petre Rodan <kaiowas@gentoo.org>
To: SELinux Mail List <selinux@tycho.nsa.gov>
Cc: Chris PeBenito <pebenito@gentoo.org>
Subject: policy for clockspeed
Date: Mon, 8 May 2006 10:20:34 +0300
Message-ID: <20060508072034.GA6138@peter.avira.local>
Hi,
attached you'll find a clockspeed policy.
'clockspeed uses a hardware tick counter to compensate for a persistently fast or slow system clock. given a few time measurements from a reliable source, it computes and then eliminates the clock skew.'
http://cr.yp.to/clockspeed.html
cheers,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
[-- Attachment #1.2: clockspeed.fc --]
#
# /usr
#
/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
#
# /var
#
/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
[-- Attachment #1.3: clockspeed.if --]
## <summary>Clockspeed simple network time protocol client</summary>
########################################
## <summary>
## Execute clockspeed utilities in the clockspeed_cli domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`clockspeed_domtrans_cli',`
	gen_require(`
		type clockspeed_cli_t, clockspeed_cli_exec_t;
	')

	domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)

	allow $1 clockspeed_cli_t:fd use;
	allow clockspeed_cli_t $1:fd use;
	allow clockspeed_cli_t $1:fifo_file { read write };
	allow clockspeed_cli_t $1:process sigchld;
')
########################################
## <summary>
## Allow the specified role the clockspeed_cli domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the clockspeed_cli domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal the clockspeed_cli domain is allowed to use.
## </summary>
## </param>
#
template(`clockspeed_run_cli',`
	role $2 types clockspeed_cli_t;

	clockspeed_domtrans_cli($1)

	allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
')
[-- Attachment #1.4: clockspeed.te --]
policy_module(clockspeed,1.0.0)
########################################
#
# Declarations
#
type clockspeed_cli_t;
type clockspeed_cli_exec_t;
domain_type(clockspeed_cli_t)
domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t)
type clockspeed_srv_t;
type clockspeed_srv_exec_t;
init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
type clockspeed_var_lib_t;
files_type(clockspeed_var_lib_t)
########################################
#
# Local policy
#
# policy for ntp clients
allow clockspeed_cli_t self:capability sys_time;
allow clockspeed_cli_t self:udp_socket create_socket_perms;
allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
corenet_non_ipsec_sendrecv(clockspeed_cli_t)
corenet_udp_receive_ntp_port(clockspeed_cli_t)
corenet_udp_send_ntp_port(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
files_list_var_lib(clockspeed_cli_t)
files_read_etc_files(clockspeed_cli_t)
libs_use_ld_so(clockspeed_cli_t)
libs_use_shared_libs(clockspeed_cli_t)
miscfiles_read_localization(clockspeed_cli_t)
# policy for clockspeed and taiclockd daemons
allow clockspeed_srv_t self:capability { sys_time net_bind_service };
allow clockspeed_srv_t self:udp_socket create_socket_perms;
allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
corenet_non_ipsec_sendrecv(clockspeed_srv_t)
corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_udp_bind_inaddr_any_node(clockspeed_srv_t)
corenet_udp_receive_ntp_port(clockspeed_srv_t)
corenet_udp_send_ntp_port(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
files_read_etc_files(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
libs_use_ld_so(clockspeed_srv_t)
libs_use_shared_libs(clockspeed_srv_t)
miscfiles_read_localization(clockspeed_srv_t)
optional_policy(`
	daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t)
')
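An added consistency check, not part of this message or of the refpolicy build tools: it collects the types clockspeed.te declares and flags every name that clockspeed.if requires through gen_require, or that clockspeed.fc labels files with, but that the module never declares. A misspelled gen_require entry is the typical hit, since the module then fails to link. The three fragments below are constructed from the attachments above, with one deliberately misspelled type.

```python
import re

# Constructed from the clockspeed.te, clockspeed.if and clockspeed.fc in this
# message; the misspelled type in gen_require is kept on purpose.
CLOCKSPEED_TE = """
type clockspeed_cli_t;
type clockspeed_cli_exec_t;
type clockspeed_srv_t;
type clockspeed_srv_exec_t;
type clockspeed_var_lib_t;
"""
CLOCKSPEED_IF = """
interface(`clockspeed_domtrans_cli',`
    gen_require(`
        type clockspeed_cli_t, clocksped_cli_exec_t;
    ')
    domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
')
"""
CLOCKSPEED_FC = """
/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
"""

TYPE_DECL = re.compile(r"^\s*type\s+([a-z0-9_]+)", re.M)  # first name of a `type` statement
GEN_REQUIRE = re.compile(r"gen_require\(`(.*?)'\)", re.S)  # body of each gen_require block
REQ_TYPES = re.compile(r"\btype\s+([^;]+);")               # `type a, b;` inside that body
FC_TYPES = re.compile(r"object_r:([a-z0-9_]+)")            # type field of each gen_context

def declared_types(te_text):
    """Types the .te file itself declares."""
    return set(TYPE_DECL.findall(te_text))

def required_types(if_text):
    """Types the .if file's gen_require blocks demand from some module."""
    names = set()
    for body in GEN_REQUIRE.findall(if_text):
        for decl in REQ_TYPES.findall(body):
            names.update(n.strip() for n in decl.split(","))
    return names

def labelled_types(fc_text):
    """Types the .fc file assigns to paths."""
    return set(FC_TYPES.findall(fc_text))

def undeclared(te_text, if_text, fc_text):
    """Names used by .if or .fc that this module does not declare (sorted)."""
    used = required_types(if_text) | labelled_types(fc_text)
    return sorted(used - declared_types(te_text))

if __name__ == "__main__":
    for name in undeclared(CLOCKSPEED_TE, CLOCKSPEED_IF, CLOCKSPEED_FC):
        print("undeclared type:", name)
```

Types that legitimately come from other modules would also be reported, so in practice the declared set is extended with the types of the modules the policy depends on.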
[-- Attachment #1.5: userdomain.patch --]
Index: policy/modules/system/userdomain.te
===================================================================
RCS file: /cvsroot/serefpolicy/refpolicy/policy/modules/system/userdomain.te,v
retrieving revision 1.84
diff -u -r1.84 userdomain.te
--- policy/modules/system/userdomain.te 4 May 2006 20:43:40 -0000 1.84
+++ policy/modules/system/userdomain.te 7 May 2006 11:10:08 -0000
@@ -228,6 +228,10 @@
')
optional_policy(`
+ clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ optional_policy(`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
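Review bot: the new block is inserted ahead of the existing clock_run block, but clockspeed_run_cli sorts after clock_run, so this breaks the alphabetical order refpolicy keeps for the optional_policy blocks in userdomain.te; place the new block below the clock_run one instead. Separately, clockspeed.te in this submission calls corenet_udp_bind_clockspeed_port(), yet the patch touches only userdomain.te: unless a clockspeed port is already declared in corenetwork, that interface does not exist and the module will not build, so a matching corenetwork change should accompany this patch.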
Thread overview: 2+ messages
2006-05-08 7:20 Petre Rodan [this message]
2006-05-08 14:17 ` policy for clockspeed Christopher J. PeBenito