[refpolicy] [PATCH v2] Add filetrans for ntp-kod file

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH v2] Add filetrans for ntp-kod file
@ 2014-06-23 18:41 Jason Zaman
  2014-06-25 16:01 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Jason Zaman @ 2014-06-23 18:41 UTC (permalink / raw)
  To: refpolicy

sntp has a file used to persist the history of KoD responses
received from servers.  The  default  is /var/db/ntp-kod.

This patch adds the fcontext and a filetrans so it can be created.

Changes from v1:
* use files_var_filetrans instead of filetrans_pattern

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 ntp.fc | 1 +
 ntp.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ntp.fc b/ntp.fc
index 147e480..89b9cb1 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -17,6 +17,7 @@
 
 /var/lib/ntp(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/db/ntp-kod		--	gen_context(system_u:object_r:ntp_drift_t,s0)
 
 /var/log/ntp.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
 /var/log/ntpstats(/.*)?		gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.te b/ntp.te
index c37385e..37d974a 100644
--- a/ntp.te
+++ b/ntp.te
@@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 
-- 
1.8.5.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [refpolicy] [PATCH v2] Add filetrans for ntp-kod file
  2014-06-23 18:41 [refpolicy] [PATCH v2] Add filetrans for ntp-kod file Jason Zaman
@ 2014-06-25 16:01 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-06-25 16:01 UTC (permalink / raw)
  To: refpolicy

On 6/23/2014 2:41 PM, Jason Zaman wrote:
> sntp has a file used to persist the history of KoD responses
> received from servers.  The  default  is /var/db/ntp-kod.
> 
> This patch adds the fcontext and a filetrans so it can be created.
> 
> Changes from v1:
> * use files_var_filetrans instead of filetrans_pattern

Merged, though I removed the name portion of the filetrans.  I think
this makes the policy more brittle than it needs to be.


> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>  ntp.fc | 1 +
>  ntp.te | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/ntp.fc b/ntp.fc
> index 147e480..89b9cb1 100644
> --- a/ntp.fc
> +++ b/ntp.fc
> @@ -17,6 +17,7 @@
>  
>  /var/lib/ntp(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
>  /var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/db/ntp-kod		--	gen_context(system_u:object_r:ntp_drift_t,s0)
>  
>  /var/log/ntp.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
>  /var/log/ntpstats(/.*)?		gen_context(system_u:object_r:ntpd_log_t,s0)
> diff --git a/ntp.te b/ntp.te
> index c37385e..37d974a 100644
> --- a/ntp.te
> +++ b/ntp.te
> @@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
>  
>  manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
>  manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
> +files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
>  
>  allow ntpd_t ntp_conf_t:file read_file_perms;
>  
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-06-25 16:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-06-23 18:41 [refpolicy] [PATCH v2] Add filetrans for ntp-kod file Jason Zaman
2014-06-25 16:01 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.