From: jason@perfinion.com (Jason Zaman)
Date: Tue, 20 Feb 2018 14:44:16 +0800
Subject: [refpolicy] Question: NTP allowed TCP access?
In-Reply-To: <MWHPR15MB1853C06D0049D762EFEF3588B9CB0@MWHPR15MB1853.namprd15.prod.outlook.com>
References: <MWHPR15MB1853C06D0049D762EFEF3588B9CB0@MWHPR15MB1853.namprd15.prod.outlook.com>
Message-ID: <20180220064407.GA32497@baraddur.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Feb 16, 2018 at 07:19:34PM +0000, David Sugar via refpolicy wrote:
> As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access.  I initially copied these from ntp.te.  I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
> 
> I'm happy to submit a patch to remove this access. 
> I know that ntp should be only using udp.  
> Does someone know why these might be important?

I know some ntp implementations (the openntpd maybe?) can connect over
HTTPS to do an initial time check too.
corenet_tcp_connect_ntp_port() is probably not needed, but we may want to
add the https ports?

-- Jason