2018-04-14 16:27:43

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp

Update the staff role policy so that it allows running
ntpd and ntpdate.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
1 file changed, 4 insertions(+)

diff -pru a/policy/modules/roles/staff.te
b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te 2017-09-29
19:01:27.985455758 +0200
+++ b/policy/modules/roles/staff.te 2018-04-14
18:14:52.850666408 +0200
@@ -32,6 +32,10 @@ optional_policy(`
')

optional_policy(`
+ ntp_run(staff_t, staff_r)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
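Review bot: the hunk grants the whole staff role a domain transition through `ntp_run(staff_t, staff_r)`, which is broader than what the cover text describes, and the commit message gives no rationale for why a role meant to be unprivileged needs to launch the NTP daemon domain. State the use case in the description, and if only ntpdate needs to be run, use the narrower `ntp_run_ntpdate(staff_t, staff_r)` interface (as the v2 in this thread does) in place of `ntp_run(staff_t, staff_r)`.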



2018-04-15 21:23:11

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp

On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
> Update the staff role policy so that it allows to run
> ntpd and ntpdate.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/roles/staff.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff -pru a/policy/modules/roles/staff.te
> b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te 2017-09-29
> 19:01:27.985455758 +0200
> +++ b/policy/modules/roles/staff.te 2018-04-14
> 18:14:52.850666408 +0200
> @@ -32,6 +32,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_run(staff_t, staff_r)
> +')
> +
> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')

What is the reasoning for this? Staff_t is supposed to be unprivileged,
so this doesn't seem allowable.

--
Chris PeBenito

2018-04-15 21:45:57

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp

It is intended to aid running ntpdate from the crontab.

Regards,

Guido

On the 15th of April 2018 23:23:11 CEST, Chris PeBenito <[email protected]> wrote:
>On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>> Update the staff role policy so that it allows to run
>> ntpd and ntpdate.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/roles/staff.te | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff -pru a/policy/modules/roles/staff.te
>> b/policy/modules/roles/staff.te
>> --- a/policy/modules/roles/staff.te 2017-09-29
>> 19:01:27.985455758 +0200
>> +++ b/policy/modules/roles/staff.te 2018-04-14
>> 18:14:52.850666408 +0200
>> @@ -32,6 +32,10 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + ntp_run(staff_t, staff_r)
>> +')
>> +
>> +optional_policy(`
>> postgresql_role(staff_r, staff_t)
>> ')
>
>What is the reasoning for this? Staff_t is supposed to be
>unprivileged,
>so this doesn't seem allowable.

2018-04-16 09:39:28

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2 v2] base: staff role runs ntp

Update the staff role policy so that it allows running
ntpdate. This is needed for example to start ntpdate
from the crontab.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
1 file changed, 4 insertions(+)

diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te 2017-09-29 19:01:27.985455758 +0200
+++ b/policy/modules/roles/staff.te 2018-04-14 18:14:52.850666408 +0200
@@ -32,6 +32,10 @@ optional_policy(`
')

optional_policy(`
+ ntp_run_ntpdate(staff_t, staff_r)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
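Review bot: the description justifies the change by ntpdate being started from the crontab, but the hunk adds `ntp_run_ntpdate(staff_t, staff_r)` to the interactive staff role, so every staff_t session gains the transition, not only the cron job; the maintainer's objection that staff_t is supposed to be unprivileged still applies to a domain whose purpose is setting the system clock. If interactive use by staff is intended, the commit message should say so and explain why that privilege is acceptable for the role; otherwise consider gating the call behind a tunable (a `tunable_policy` block defaulting to off) rather than enabling it unconditionally. Also, the `+++ b/policy/modules/roles/staff.te 2018-04-14 18:14:52.850666408 +0200` timestamp is identical to the v1 header although the hunk content changed, which suggests the diff was edited by hand; regenerate it from the working tree.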


2018-04-18 00:13:17

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp

On 04/15/2018 05:45 PM, Guido Trentalancia via refpolicy wrote:
> It is intended to aid running ntpdate from the crontab.

I don't agree with this being run from the staff role.

> On the 15th of april 2018 23:23:11 CEST, Chris PeBenito <[email protected]> wrote:
>> On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>>> Update the staff role policy so that it allows to run
>>> ntpd and ntpdate.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/roles/staff.te | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff -pru a/policy/modules/roles/staff.te
>>> b/policy/modules/roles/staff.te
>>> --- a/policy/modules/roles/staff.te 2017-09-29
>>> 19:01:27.985455758 +0200
>>> +++ b/policy/modules/roles/staff.te 2018-04-14
>>> 18:14:52.850666408 +0200
>>> @@ -32,6 +32,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + ntp_run(staff_t, staff_r)
>>> +')
>>> +
>>> +optional_policy(`
>>> postgresql_role(staff_r, staff_t)
>>> ')
>>
>> What is the reasoning for this? Staff_t is supposed to be
>> unprivileged,
>> so this doesn't seem allowable.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito