From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-934622-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D2791139083
	for <garchives@archives.gentoo.org>; Sat, 25 Feb 2017 14:59:48 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 1A872E0CD5;
	Sat, 25 Feb 2017 14:59:43 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id DA2FBE0CD5
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:59:42 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id D6C2F340889
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:59:41 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 14F3B5437
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:59:39 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1488034252.35bc01e881f75e092a6cf668400407d73081f8fc.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/ntp.fc policy/modules/contrib/ntp.if policy/modules/contrib/ntp.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 35bc01e881f75e092a6cf668400407d73081f8fc
X-VCS-Branch: next
Date: Sat, 25 Feb 2017 14:59:39 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 0ab72815-9422-4865-b507-2f0ed9108853
X-Archives-Hash: 18ffb14120e90d23e99b86ab6494e1fb

commit:     35bc01e881f75e092a6cf668400407d73081f8fc
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 18:59:45 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8

update ntp module

* add private lock type
* dontaudit sys_resource

 policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
 policy/modules/contrib/ntp.if |  7 ++++---
 policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
 3 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp\.conf		--	gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)?		gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys		--	gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf				--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)?				gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys				--	gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
 
-/etc/rc\.d/init\.d/ntpd? --	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? 		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.*  --   gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid				--	gen_context(system_u:object_r:ntpd_pid_t,s0)
 
-/usr/sbin/ntpd		--	gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.*  	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
 
-/var/lib/ntp(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod		--	gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd				--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate			--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp				--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
-/var/log/ntp.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)?		gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod				--	gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 
-/run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate                       --      gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.*				--	gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)?				gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
 /run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
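Review bot: The `/run/ntpd\.sock` context line at the end of this hunk still labels the socket `ntpd_var_run_t`, while the pid file two groups above it was moved to `ntpd_pid_t`; the typealias added in ntp.te keeps the old name resolvable, but the file now uses both names for one type, so the line should read `/run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_pid_t,s0)`. The new `/var/lock/ntpdate` entry is also the only one padded with spaces rather than the tabs this commit otherwise normalises, and the `/etc/rc\.d/init\.d/ntpd?` line carries a stray trailing space before its tabs. The `# Systemd unit file` comment that preceded the ntp-units.d entries was dropped in the reorder and could be kept above them. The same applies to the identical hunk in the master-branch copy of this commit further down the page.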

diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+		type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
 		type ntpd_initrc_exec_t, ntp_drift_t;
+		type ntpd_unit_t;
 	')
 
 	allow $1 ntpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntpd_t)
 
-	init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+	init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { ntpd_key_t ntp_conf_t })
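Review bot: ntp_admin's gen_require gains `ntpd_pid_t` and `ntpd_unit_t` but not the new `ntpd_lock_t`, and no `admin_pattern($1, ntpd_lock_t)` is added, so an administrator granted this interface cannot remove or relabel a stale `/var/lock/ntpdate`, which the same commit now labels with that type. Add `type ntpd_lock_t;` to the require block and, next to the pid-file admin_pattern in the following hunk, `files_search_locks($1)` followed by `admin_pattern($1, ntpd_lock_t)`. ntp_admin's body continues past this hunk into the next one. The same applies to the identical hunks in the master-branch copy of this commit further down the page.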
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
 	admin_pattern($1, ntp_drift_t)
 
 	files_list_pids($1)
-	admin_pattern($1, ntpd_var_run_t)
+	admin_pattern($1, ntpd_pid_t)
 
 	ntp_run($1, $2)
 ')

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
 
 attribute_role ntpd_roles;
 
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
 type ntp_drift_t;
 files_type(ntp_drift_t)
 
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
 
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
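Review bot: The module version in `policy_module(ntp, 1.16.0)`, visible in the header of the first hunk of this file, is left unchanged although this hunk adds two new types (`ntpd_lock_t`, `ntpd_pid_t`) and turns `ntpd_var_run_t` into an alias; refpolicy convention is to bump the minor version with such type and interface changes. A one-line comment above the typealias, `# ntpd_var_run_t is kept as an alias so existing policy and file contexts still resolve`, would record why the old name is retained. The `init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")` call would likewise benefit from a comment naming that the lock belongs to ntpdate invocations. The same applies to the identical hunk in the master-branch copy of this commit further down the page.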
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
 type ntpd_unit_t;
 init_unit_file(ntpd_unit_t)
 
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
 type ntpdate_exec_t;
 init_system_domain(ntpd_t, ntpdate_exec_t)
 
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
 
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 files_var_filetrans(ntpd_t, ntp_drift_t, file)
 
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
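Review bot: `allow ntpd_t ntpd_lock_t:file write_file_perms;` grants only write access to the new lock type, with no create permission and no `files_lock_filetrans(ntpd_t, ntpd_lock_t, file)`; if ntpdate, which runs as ntpd_t via `init_system_domain`, creates `/var/lock/ntpdate` itself rather than inheriting it from init, the file is created with the lock directory's default type and only gains `ntpd_lock_t` on a relabel — worth confirming against how ntpdate opens that file. The rewritten capability sets also abandon the alphabetical order the removed lines had (`sys_time ipc_lock ipc_owner sys_chroot sys_nice`), which makes later diffs harder to read. The new `allow ntpd_t self:socket create;` carries no explanation of which socket family needs the generic socket class; a why-comment such as `# TODO(review): confirm which socket family requires the generic socket class` would help the next maintainer. The same applies to the identical hunk in the master-branch copy of this commit further down the page.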
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
 can_exec(ntpd_t, ntpd_exec_t)
 
 kernel_read_kernel_sysctls(ntpd_t)


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-934611-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id DF2A5139694
	for <garchives@archives.gentoo.org>; Sat, 25 Feb 2017 14:51:55 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5AB4DE0D20;
	Sat, 25 Feb 2017 14:51:52 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 2412EE0D14
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:51:52 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 1977734112A
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:51:46 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id EB8085436
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Feb 2017 14:51:42 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1488034252.35bc01e881f75e092a6cf668400407d73081f8fc.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/ntp.fc policy/modules/contrib/ntp.if policy/modules/contrib/ntp.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 35bc01e881f75e092a6cf668400407d73081f8fc
X-VCS-Branch: master
Date: Sat, 25 Feb 2017 14:51:42 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4406da76-be88-47d5-b335-813e30a4ef14
X-Archives-Hash: 24b9e56bd39bad709780f956cda4c98d
Message-ID: <20170225145142.zMd7adqQz-gL2kbPl0SuEIbLqt5BTPLWHmqhKIvvC_o@z>

commit:     35bc01e881f75e092a6cf668400407d73081f8fc
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 18:59:45 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8

update ntp module

* add private lock type
* dontaudit sys_resource

 policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
 policy/modules/contrib/ntp.if |  7 ++++---
 policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
 3 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp\.conf		--	gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)?		gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys		--	gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.*	--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf				--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)?				gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys				--	gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.*			--	gen_context(system_u:object_r:ntp_conf_t,s0)
 
-/etc/rc\.d/init\.d/ntpd? --	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? 		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.*  --   gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid				--	gen_context(system_u:object_r:ntpd_pid_t,s0)
 
-/usr/sbin/ntpd		--	gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.*  	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
 
-/var/lib/ntp(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)?		gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod		--	gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd				--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate			--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp				--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
-/var/log/ntp.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)?		gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod				--	gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 
-/run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate                       --      gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.*				--	gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)?				gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
 /run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`

diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+		type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
 		type ntpd_initrc_exec_t, ntp_drift_t;
+		type ntpd_unit_t;
 	')
 
 	allow $1 ntpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntpd_t)
 
-	init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+	init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
 
 	files_list_etc($1)
 	admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
 	admin_pattern($1, ntp_drift_t)
 
 	files_list_pids($1)
-	admin_pattern($1, ntpd_var_run_t)
+	admin_pattern($1, ntpd_pid_t)
 
 	ntp_run($1, $2)
 ')

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
 
 attribute_role ntpd_roles;
 
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
 type ntp_drift_t;
 files_type(ntp_drift_t)
 
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
 type ntpd_log_t;
 logging_log_file(ntpd_log_t)
 
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
 type ntpd_unit_t;
 init_unit_file(ntpd_unit_t)
 
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
 type ntpdate_exec_t;
 init_system_domain(ntpd_t, ntpdate_exec_t)
 
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
 allow ntpd_t self:tcp_socket { accept listen };
 
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 files_var_filetrans(ntpd_t, ntp_drift_t, file)
 
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
 fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
 
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
 can_exec(ntpd_t, ntpd_exec_t)
 
 kernel_read_kernel_sysctls(ntpd_t)