From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 6 Apr 2017 17:31:23 -0400
Subject: [refpolicy] [PATCH] systemd related changes again
In-Reply-To:
References: <20170405045106.5r3a24caq6p353ui@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/05/2017 02:33 PM, cgzones via refpolicy wrote:
> 2017-04-05 6:51 GMT+02:00 Russell Coker via refpolicy
>> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc >> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc >> @@ -15,6 +15,8 @@ >> >> /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0) >> /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) >> +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0) >> +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
>
> In the long run I'd like to run systemd-timesyncd in a separate domain,
> because it's only an NTP client, which should require fewer permissions
> than the NTP server.

I agree.

--
Chris PeBenito
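
Review bot: The two added entries at the end of the ntp.fc hunk give both /usr/lib/systemd/systemd-timedated and /usr/lib/systemd/systemd-timesyncd the label ntpd_exec_t, the same executable type this file uses for the NTP daemon, so two distinct systemd helpers share one label and cannot be confined separately from each other or from the NTP server. As the reply notes, systemd-timesyncd is only an NTP client and should need fewer permissions than the server. I would give each binary its own executable type and domain rather than reusing ntpd_exec_t, or at least add a comment above these two lines saying that the shared label is a stopgap until a separate domain exists.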