From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 6 Apr 2017 17:31:23 -0400
Subject: [refpolicy] [PATCH] systemd related changes again
In-Reply-To: <CAJ2a_DeO5OEm-2hqDV9idCWcoCMUhLX1K-Q8ij5L5=ArgLbnkg@mail.gmail.com>
References: <20170405045106.5r3a24caq6p353ui@athena.coker.com.au>
	<CAJ2a_DeO5OEm-2hqDV9idCWcoCMUhLX1K-Q8ij5L5=ArgLbnkg@mail.gmail.com>
Message-ID: <afb9703c-fc51-611a-5f77-335a73fc2d70@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/05/2017 02:33 PM, cgzones via refpolicy wrote:
> 2017-04-05 6:51 GMT+02:00 Russell Coker via refpolicy
>> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
>> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
>> @@ -15,6 +15,8 @@
>>
>>  /usr/lib/systemd/ntp-units\.d/.*       --      gen_context(system_u:object_r:ntpd_unit_t,s0)
>>  /usr/lib/systemd/system/ntpd.*\.service        --      gen_context(system_u:object_r:ntpd_unit_t,s0)
>> +/usr/lib/systemd/systemd-timedated     --      gen_context(system_u:object_r:ntpd_exec_t,s0)
>> +/usr/lib/systemd/systemd-timesyncd     --      gen_context(system_u:object_r:ntpd_exec_t,s0)
>
> in the longrun i'd like to run systemd-timesyncd in a seperate domain,
> cause it's onyl a ntp client, which should require less permissions
> than the ntp server

I agree.

-- 
Chris PeBenito