policy_module(gnomeclock, 1.3.1) ######################################## # # Declarations # attribute_role gnomeclock_roles; type gnomeclock_t; type gnomeclock_exec_t; init_system_domain(gnomeclock_t, gnomeclock_exec_t) role gnomeclock_roles types gnomeclock_t; ######################################## # # Local policy # allow gnomeclock_t self:capability { sys_nice sys_time }; allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket { accept listen }; kernel_read_system_state(gnomeclock_t) corecmd_exec_bin(gnomeclock_t) corecmd_exec_shell(gnomeclock_t) corenet_all_recvfrom_netlabel(gnomeclock_t) corenet_tcp_sendrecv_generic_if(gnomeclock_t) corenet_tcp_sendrecv_generic_node(gnomeclock_t) # tcp:37 (time) corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) corenet_tcp_connect_inetd_child_port(gnomeclock_t) dev_read_sysfs(gnomeclock_t) dev_read_urand(gnomeclock_t) dev_rw_realtime_clock(gnomeclock_t) files_read_usr_files(gnomeclock_t) fs_getattr_xattr_fs(gnomeclock_t) auth_use_nsswitch(gnomeclock_t) logging_send_syslog_msg(gnomeclock_t) miscfiles_etc_filetrans_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) miscfiles_read_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` chronyd_initrc_domtrans(gnomeclock_t) ') optional_policy(` clock_domtrans(gnomeclock_t) ') optional_policy(` dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) optional_policy(` policykit_dbus_chat(gnomeclock_t) ') ') optional_policy(` ntp_domtrans_ntpdate(gnomeclock_t) ntp_initrc_domtrans(gnomeclock_t) ') optional_policy(` policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) policykit_read_reload(gnomeclock_t) ')