cron_system_entry(gpg_t, gpg_exec_t)
Why do we have this?
gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
when it's run from those cron jobs we need to allow it access to var_log_t
which means that user_t can use gpg to access var_log_t.
What benefit do we get from a domain transition when running gpg from a system
cron job?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On 06/14/2018 09:01 AM, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?
>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?
It was added back in 2009 from the Fedora policy. I can see dropping
it, if there are no arguments to keep it.
--
Chris PeBenito

On Thu, Jun 14, 2018 at 11:01:58PM +1000, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?
My bad. Got it from Fedora probably. Was a bad idea and not something I would do today.
Remove it please.
>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
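
The access argument made in this thread, as an added example that is not from any of the posters or from refpolicy itself: a small reachability check over a constructed, simplified rule set. The `user_t` to `gpg_t` transition, the `write` permission and the `gpg_secret_t` and `user_home_t` rules are assumptions made for illustration.

```python
# Constructed, simplified model of type-enforcement rules; not real refpolicy output.
from collections import deque

LOG_WRITE = ("var_log_t", "write")  # assumed permission name for "writes to /var/log"

def reachable_access(start, transitions, allows):
    """Return every (type, perm) a process starting in `start` can obtain,
    including access gained by transitioning into other domains."""
    seen, queue, access = {start}, deque([start]), set()
    while queue:
        domain = queue.popleft()
        access |= allows.get(domain, set())
        for nxt in transitions.get(domain, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return access

def build_policy(cron_entry_to_gpg):
    """Build the model with or without cron_system_entry(gpg_t, gpg_exec_t)."""
    # Assumption: users already transition to gpg_t when they execute gpg.
    transitions = {"user_t": {"gpg_t"}}
    allows = {
        "system_cronjob_t": {LOG_WRITE},          # cron jobs write to /var/log
        "gpg_t": {("gpg_secret_t", "read")},      # illustrative rule
        "user_t": {("user_home_t", "write")},     # illustrative rule
    }
    if cron_entry_to_gpg:
        # System cron jobs now run gpg in gpg_t ...
        transitions["system_cronjob_t"] = {"gpg_t"}
        # ... so gpg_t itself has to be allowed the log access those jobs need.
        allows["gpg_t"] = allows["gpg_t"] | {LOG_WRITE}
    return transitions, allows

def can_write_logs(domain, cron_entry_to_gpg):
    transitions, allows = build_policy(cron_entry_to_gpg)
    return LOG_WRITE in reachable_access(domain, transitions, allows)

if __name__ == "__main__":
    for entry in (True, False):
        print(f"cron_system_entry present={entry}: "
              f"user_t reaches var_log_t={can_write_logs('user_t', entry)}, "
              f"system_cronjob_t reaches var_log_t={can_write_logs('system_cronjob_t', entry)}")
```

Without the transition, gpg started from a system cron job stays in `system_cronjob_t`, which keeps its own log access, while `user_t` gains none through gpg.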