From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1521970241.a70aa3e3b948e30a7ed01a9d09b762419fa76d48.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/chronyd.fc policy/modules/contrib/chronyd.if policy/modules/contrib/chronyd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: a70aa3e3b948e30a7ed01a9d09b762419fa76d48
X-VCS-Branch: master
Date: Sun, 25 Mar 2018 10:29:19 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: c7574b16-0302-4a53-ae99-2463231b6449
X-Archives-Hash: 3f19ad22259fad6685944e778e6e343d

commit:     a70aa3e3b948e30a7ed01a9d09b762419fa76d48
Author:     Dave Sugar tresys com>
AuthorDate: Mon Mar  5 14:02:58 2018 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Mar 25 09:30:41 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70aa3e3

Separate type for chronyd config file.

Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.

Fixed summary for chronyd_rw_config interface from previous submission.

Signed-off-by: Dave Sugar tresys.com>

 policy/modules/contrib/chronyd.fc |  1 +
 policy/modules/contrib/chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/chronyd.te |  5 +++++
 3 files changed, 44 insertions(+)

diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index ca2747e7..445f3749 100644
--- a/policy/modules/contrib/chronyd.fc +++ b/policy/modules/contrib/chronyd.fc @@ -1,3 +1,4 @@ +/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0) /etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index 3d45be4c..e0a751ac 100644 --- a/policy/modules/contrib/chronyd.if +++ b/policy/modules/contrib/chronyd.if @@ -76,6 +76,44 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') +##################################### +## +## Read chronyd config file. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_read_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file read_file_perms; +') + +##################################### +## +## Read and write chronyd config file. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_rw_config',` + gen_require(` + type chronyd_conf_t; + ') + + files_search_etc($1) + allow $1 chronyd_conf_t:file rw_file_perms; +') + ######################################## ## ## Read and write chronyd shared memory. diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 0de7b520..09d7f834 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -9,6 +9,9 @@ type chronyd_t; type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyd_conf_t; +files_config_file(chronyd_conf_t) + type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) +chronyd_read_config(chronyd_t) + optional_policy(` gpsd_rw_shm(chronyd_t) ')
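Review bot: in the chronyd.fc hunk, the new `/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)` entry only takes effect once the file is relabeled, so existing installs keep `etc_t` on /etc/chrony.conf until `restorecon` or a full relabel runs; worth stating in the commit message, because any domain that currently reads the file through generic etc_t access loses it after the relabel and must be given `chronyd_read_config()` instead.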
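Review bot: in the chronyd.if hunk, `chronyd_rw_config` grants `rw_file_perms` only, which covers in-place writes but not the create, rename and unlink steps that tools rewriting a config file commonly perform; since the stated use case is a process that alters chrony.conf, either note in the interface summary that only in-place modification is granted or add a manage-style interface (`manage_files_pattern` plus a `files_etc_filetrans`) for that caller. Style: the surrounding module uses the pattern macros (`read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)` in `chronyd_read_log`), so `read_files_pattern($1, chronyd_conf_t, chronyd_conf_t)` and `rw_files_pattern($1, chronyd_conf_t, chronyd_conf_t)` fit better than the raw `allow` lines, and the `#####` banner above each new interface is shorter than the existing `########################################` separator used before `chronyd_rw_shm`.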
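Review bot: in the second chronyd.te hunk, `chronyd_read_config(chronyd_t)` calls the module's own interface from inside chronyd.te; refpolicy convention is for a module to write rules on its own types directly (for example `read_files_pattern(chronyd_t, chronyd_conf_t, chronyd_conf_t)` placed with the other local policy rules ahead of the calls into other modules) and to keep the interfaces in chronyd.if for external domains. Using the interface locally also hides the rule from anyone auditing the module's self-permissions by reading the .te file alone.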