From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 15 Aug 2012 12:02:58 +0200
Subject: [refpolicy] [PATCH] NTP fixes
In-Reply-To: <502B5954.7040400@trentalancia.com>
References: <1344620638-23574-1-git-send-email-dominick.grift@gmail.com> <502B5954.7040400@trentalancia.com>
Message-ID: <1345024978.2349.11.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-15 at 10:09 +0200, Guido Trentalancia wrote:
> > > > -allow ntpd_t ntpd_log_t:dir setattr;
> > > > +allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
>
> Since setattr_dir_perms is equal to { setattr }, it might be better to
> leave as it is because it should be easier to read (unless the pattern
> is widely used elsewhere).
>

I do not agree. Using permission sets wherever possible provides a compatibility layer. It gives us a single point of failure. I've learned this when the open avperm was introduced a while ago. If you use permission sets consistently then life will be easier.

Besides that, the setattr / getattr permission sets are there, so might as well use them.
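Review bot: the quoted `-allow ntpd_t ntpd_log_t:dir setattr;` / `+allow ntpd_t ntpd_log_t:dir setattr_dir_perms;` change grants no new access, since, as the reply itself notes, setattr_dir_perms currently expands to { setattr }; the only effect is to route this rule through the permission-set layer so that a future change to the set is picked up here too. That rationale is worth stating in the commit message so later readers do not mistake the rename for a permission change.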