policy_module(linuxptp, 1.0.0)


########################################
#
# Declarations
#

type timemaster_t;
type timemaster_exec_t;
init_daemon_domain(timemaster_t, timemaster_exec_t)

type timemaster_var_run_t;
files_pid_file(timemaster_var_run_t)

type timemaster_tmpfs_t;
files_tmpfs_file(timemaster_tmpfs_t)

type timemaster_unit_file_t;
systemd_unit_file(timemaster_unit_file_t)

type phc2sys_t;
type phc2sys_exec_t;
init_daemon_domain(phc2sys_t, phc2sys_exec_t)

type phc2sys_unit_file_t;
systemd_unit_file(phc2sys_unit_file_t)

type ptp4l_t;
type ptp4l_exec_t;
init_daemon_domain(ptp4l_t, ptp4l_exec_t)

type ptp4l_unit_file_t;
systemd_unit_file(ptp4l_unit_file_t)

########################################
#
# timemaster local policy
#

allow timemaster_t self:process { signal_perms setcap};
allow timemaster_t self:fifo_file rw_fifo_file_perms;
allow timemaster_t self:capability { setuid sys_time kill setgid };
allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
allow timemaster_t self:shm create_shm_perms;
allow timemaster_t self:udp_socket create_socket_perms;

allow timemaster_t ptp4l_t:process signal;
allow timemaster_t phc2sys_t:process signal;

allow timemaster_t ptp4l_t:shm rw_shm_perms;

manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })

manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })

kernel_read_network_state(timemaster_t)

auth_use_nsswitch(timemaster_t)

corenet_udp_bind_generic_node(timemaster_t)
corenet_udp_bind_ntp_port(timemaster_t)

dev_read_urand(timemaster_t)

logging_send_syslog_msg(timemaster_t)

sysnet_read_config(timemaster_t)

optional_policy(`
	ntp_domtrans(timemaster_t)
    ntp_signal(timemaster_t)
')

optional_policy(`
	chronyd_domtrans(timemaster_t)
	chronyd_rw_shm(timemaster_t)
')

optional_policy(`
	gpsd_rw_shm(timemaster_t)
')


optional_policy(`
	chronyd_signal(timemaster_t)
')


optional_policy(`
	linuxptp_domtrans_ptp4l(timemaster_t)
')

optional_policy(`
	linuxptp_domtrans_phc2sys(timemaster_t)
')

########################################
#
# phc2sys local policy
#

allow phc2sys_t self:capability sys_time;
allow phc2sys_t self:fifo_file rw_fifo_file_perms;
allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
allow phc2sys_t self:shm create_shm_perms;
allow phc2sys_t self:udp_socket create_socket_perms;

allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;

allow phc2sys_t timemaster_t:shm rw_shm_perms;

manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })

manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })

dev_rw_realtime_clock(phc2sys_t)

logging_send_syslog_msg(phc2sys_t)

optional_policy(`
	chronyd_rw_shm(phc2sys_t)
')

optional_policy(`
	gpsd_rw_shm(phc2sys_t)
')

optional_policy(`
	ntp_rw_shm(phc2sys_t)
')

optional_policy(`
	ptp4l_rw_shm(phc2sys_t)
')

########################################
#
# ptp4l local policy
#

allow ptp4l_t self:fifo_file rw_fifo_file_perms;
allow ptp4l_t self:packet_socket create_socket_perms;
allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
allow ptp4l_t self:shm create_shm_perms;
allow ptp4l_t self:udp_socket create_socket_perms;
allow ptp4l_t self:capability { net_admin net_raw sys_time };
allow ptp4l_t self:capability2 { bpf wake_alarm };
allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;

allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;

manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })

manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })

corenet_udp_bind_generic_node(ptp4l_t)
corenet_udp_bind_ptp_event_port(ptp4l_t)
corenet_udp_bind_reserved_port(ptp4l_t)

kernel_read_network_state(ptp4l_t)

dev_rw_realtime_clock(ptp4l_t)

files_write_generic_pid_sockets(ptp4l_t)

logging_send_syslog_msg(ptp4l_t)

userdom_users_dgram_send(ptp4l_t)

optional_policy(`
	chronyd_rw_shm(ptp4l_t)
')

optional_policy(`
	gpsd_rw_shm(ptp4l_t)
')