8f6f0cf0e2
This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
82 lines
1.7 KiB
Plaintext
82 lines
1.7 KiB
Plaintext
policy_module(clock, 1.9.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type adjtime_t;
|
|
files_type(adjtime_t)
|
|
|
|
type hwclock_t;
|
|
type hwclock_exec_t;
|
|
init_system_domain(hwclock_t, hwclock_exec_t)
|
|
role system_r types hwclock_t;
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# Give hwclock the capabilities it requires. dac_override is a surprise,
|
|
# but hwclock does require it.
|
|
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
|
|
dontaudit hwclock_t self:capability sys_tty_config;
|
|
allow hwclock_t self:process signal_perms;
|
|
allow hwclock_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
# Allow hwclock to store & retrieve correction factors.
|
|
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
|
|
|
|
kernel_read_kernel_sysctls(hwclock_t)
|
|
kernel_read_system_state(hwclock_t)
|
|
# for when /usr is not mounted:
|
|
kernel_dontaudit_search_unlabeled(hwclock_t)
|
|
|
|
corecmd_exec_bin(hwclock_t)
|
|
corecmd_exec_shell(hwclock_t)
|
|
|
|
dev_read_sysfs(hwclock_t)
|
|
dev_rw_realtime_clock(hwclock_t)
|
|
|
|
files_read_etc_files(hwclock_t)
|
|
|
|
fs_getattr_xattr_fs(hwclock_t)
|
|
fs_search_auto_mountpoints(hwclock_t)
|
|
|
|
term_dontaudit_use_console(hwclock_t)
|
|
term_use_unallocated_ttys(hwclock_t)
|
|
term_use_all_ttys(hwclock_t)
|
|
term_use_all_ptys(hwclock_t)
|
|
|
|
domain_use_interactive_fds(hwclock_t)
|
|
|
|
init_use_fds(hwclock_t)
|
|
init_use_script_ptys(hwclock_t)
|
|
|
|
logging_send_audit_msgs(hwclock_t)
|
|
logging_send_syslog_msg(hwclock_t)
|
|
|
|
miscfiles_read_localization(hwclock_t)
|
|
|
|
optional_policy(`
|
|
acpi_append_log(hwclock_t)
|
|
acpi_rw_stream_sockets(hwclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_use(hwclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(hwclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(hwclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
|
|
')
|