From: jason@perfinion.com (Jason Zaman)
Date: Tue, 20 Feb 2018 14:44:16 +0800
Subject: [refpolicy] Question: NTP allowed TCP access?
In-Reply-To:
References:
Message-ID: <20180220064407.GA32497@baraddur.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Feb 16, 2018 at 07:19:34PM +0000, David Sugar via refpolicy wrote:
> As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
>
> I'm happy to submit a patch to remove this access.
> I know that ntp should be only using udp.
> Does someone know why these might be important?

I know some ntp implementations (the openntpd maybe?) can connect over HTTPS to do an initial time check too. corenet_tcp_connect_ntp_port() is probably not needed, but we may want to add the https ports?

--
Jason