From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 15 Aug 2012 12:11:35 +0200
Subject: [refpolicy] [PATCH] NTP fixes
In-Reply-To: <502B5954.7040400@trentalancia.com>
References: <1344620638-23574-1-git-send-email-dominick.grift@gmail.com> <502B5954.7040400@trentalancia.com>
Message-ID: <1345025495.2349.15.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-15 at 10:09 +0200, Guido Trentalancia wrote:
> On 10/08/2012 19:43, Dominick Grift wrote:
> >
> > Use ntp_conf_t instead of net_conf_t
> > Permission getattr on process is not needed
> > Use "Role allowed access" in ntp_admin() XML
> > Allow ntp_admin to manage ntp drift files
> > Use setattr_dir_perms for compatibility
> >
> > Signed-off-by: Dominick Grift
> > diff --git a/ntp.fc b/ntp.fc
> > index e79dccc..05fa48d 100644
> > --- a/ntp.fc
> > +++ b/ntp.fc
> > @@ -2,11 +2,11 @@
> > /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> > /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> >
> > -/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> > +/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
>
> I would suggest ntpd_conf_t instead of ntp_conf_t, so that ntp_conf_t
> can be left available for clients.

I considered that but decided to go with ntp instead of ntpd. One reason is because the maintainer suggested I use that type. Another because the drift file is also ntp prefixed. The file itself is also called ntp.conf rather than ntpd.conf. Anyways it's committed now so we will just have to make do. Can always change it later if needed I guess.
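
Review bot: on the added /etc/ntpd?\.conf.* line in the ntp.fc hunk, the trailing .* is carried over unchanged, so the new ntp_conf_t label applies to every path that begins with /etc/ntp.conf or /etc/ntpd.conf, not only the configuration file itself. If that breadth is intended, a short comment above the entry would make it explicit; otherwise the pattern should be tightened. Moving the entry off net_conf_t also means that any domain which reached this file only through its access to net_conf_t now needs an explicit rule for ntp_conf_t, and files already on disk keep the old label until they are relabelled. The quoted part of the patch shows neither, so both are worth confirming against the rest of the patch and mentioning in the commit message.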