192 lines
5 KiB
Text
192 lines
5 KiB
Text
policy_module(linuxptp, 1.0.0)
|
|
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type timemaster_t;
|
|
type timemaster_exec_t;
|
|
init_daemon_domain(timemaster_t, timemaster_exec_t)
|
|
|
|
type timemaster_var_run_t;
|
|
files_pid_file(timemaster_var_run_t)
|
|
|
|
type timemaster_tmpfs_t;
|
|
files_tmpfs_file(timemaster_tmpfs_t)
|
|
|
|
type timemaster_unit_file_t;
|
|
systemd_unit_file(timemaster_unit_file_t)
|
|
|
|
type phc2sys_t;
|
|
type phc2sys_exec_t;
|
|
init_daemon_domain(phc2sys_t, phc2sys_exec_t)
|
|
|
|
type phc2sys_unit_file_t;
|
|
systemd_unit_file(phc2sys_unit_file_t)
|
|
|
|
type ptp4l_t;
|
|
type ptp4l_exec_t;
|
|
init_daemon_domain(ptp4l_t, ptp4l_exec_t)
|
|
|
|
type ptp4l_unit_file_t;
|
|
systemd_unit_file(ptp4l_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
# timemaster local policy
|
|
#
|
|
|
|
allow timemaster_t self:process { signal_perms setcap};
|
|
allow timemaster_t self:fifo_file rw_fifo_file_perms;
|
|
allow timemaster_t self:capability { setuid sys_time kill setgid };
|
|
allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow timemaster_t self:shm create_shm_perms;
|
|
allow timemaster_t self:udp_socket create_socket_perms;
|
|
|
|
allow timemaster_t ptp4l_t:process signal;
|
|
allow timemaster_t phc2sys_t:process signal;
|
|
|
|
allow timemaster_t ptp4l_t:shm rw_shm_perms;
|
|
|
|
manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
|
|
|
|
manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
|
|
|
|
kernel_read_network_state(timemaster_t)
|
|
|
|
auth_use_nsswitch(timemaster_t)
|
|
|
|
corenet_udp_bind_generic_node(timemaster_t)
|
|
corenet_udp_bind_ntp_port(timemaster_t)
|
|
|
|
dev_read_urand(timemaster_t)
|
|
|
|
logging_send_syslog_msg(timemaster_t)
|
|
|
|
sysnet_read_config(timemaster_t)
|
|
|
|
optional_policy(`
|
|
ntp_domtrans(timemaster_t)
|
|
ntp_signal(timemaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
chronyd_domtrans(timemaster_t)
|
|
chronyd_rw_shm(timemaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpsd_rw_shm(timemaster_t)
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
chronyd_signal(timemaster_t)
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
linuxptp_domtrans_ptp4l(timemaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
linuxptp_domtrans_phc2sys(timemaster_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# phc2sys local policy
|
|
#
|
|
|
|
allow phc2sys_t self:capability sys_time;
|
|
allow phc2sys_t self:fifo_file rw_fifo_file_perms;
|
|
allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow phc2sys_t self:shm create_shm_perms;
|
|
allow phc2sys_t self:udp_socket create_socket_perms;
|
|
|
|
allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
|
|
|
|
allow phc2sys_t timemaster_t:shm rw_shm_perms;
|
|
|
|
manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
|
|
|
|
manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
|
|
|
|
dev_rw_realtime_clock(phc2sys_t)
|
|
|
|
logging_send_syslog_msg(phc2sys_t)
|
|
|
|
optional_policy(`
|
|
chronyd_rw_shm(phc2sys_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpsd_rw_shm(phc2sys_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ntp_rw_shm(phc2sys_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ptp4l_rw_shm(phc2sys_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ptp4l local policy
|
|
#
|
|
|
|
allow ptp4l_t self:fifo_file rw_fifo_file_perms;
|
|
allow ptp4l_t self:packet_socket create_socket_perms;
|
|
allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ptp4l_t self:shm create_shm_perms;
|
|
allow ptp4l_t self:udp_socket create_socket_perms;
|
|
allow ptp4l_t self:capability { net_admin net_raw sys_time };
|
|
allow ptp4l_t self:capability2 { bpf wake_alarm };
|
|
allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
|
|
|
|
manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
|
|
files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
|
|
|
|
manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
|
|
fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
|
|
|
|
corenet_udp_bind_generic_node(ptp4l_t)
|
|
corenet_udp_bind_ptp_event_port(ptp4l_t)
|
|
corenet_udp_bind_reserved_port(ptp4l_t)
|
|
|
|
kernel_read_network_state(ptp4l_t)
|
|
|
|
dev_rw_realtime_clock(ptp4l_t)
|
|
|
|
files_write_generic_pid_sockets(ptp4l_t)
|
|
|
|
logging_send_syslog_msg(ptp4l_t)
|
|
|
|
userdom_users_dgram_send(ptp4l_t)
|
|
|
|
optional_policy(`
|
|
chronyd_rw_shm(ptp4l_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpsd_rw_shm(ptp4l_t)
|
|
')
|