From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 24 Feb 2018 09:06:17 -0500
Subject: [refpolicy] Question: NTP allowed TCP access?
In-Reply-To: <20180220064407.GA32497@baraddur.perfinion.com>
References: <20180220064407.GA32497@baraddur.perfinion.com>
Message-ID: <71092380-024b-3be8-e5a1-eb2ac70a1f30@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/20/2018 01:44 AM, Jason Zaman via refpolicy wrote:
> On Fri, Feb 16, 2018 at 07:19:34PM +0000, David Sugar via refpolicy wrote:
>> As I was getting my chronyd patches ready to submit I noticed I had some
>> rules allowing tcp access. I initially copied these from ntp.te. I went
>> back and removed them before submitting my chronyd patches but in ntp.te
>> lines 113 and 114 and maybe lines 102 and 104 also should probably be
>> removed.
>>
>> I'm happy to submit a patch to remove this access.
>> I know that ntp should be only using udp.
>> Does someone know why these might be important?
>
> I know some ntp implementations (the openntpd maybe?) can connect over
> HTTPS to do an initial time check too.
> corenet_tcp_connect_ntp_port() is probably not needed, but we may want to
> add the https ports?

I think I'd rather remove the access until we can reestablish what the need is.

-- 
Chris PeBenito