From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 15 Apr 2018 17:23:11 -0400
Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp
In-Reply-To: <1523723263.3462.3.camel@trentalancia.com>
References: <1523723263.3462.3.camel@trentalancia.com>
Message-ID: <8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
> Update the staff role policy so that it allows to run
> ntpd and ntpdate.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/roles/staff.te |    4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff -pru a/policy/modules/roles/staff.te
> b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te	2017-09-29
> 19:01:27.985455758 +0200
> +++ b/policy/modules/roles/staff.te	2018-04-14
> 18:14:52.850666408 +0200
> @@ -32,6 +32,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	ntp_run(staff_t, staff_r)
> +')
> +
> +optional_policy(`
>   	postgresql_role(staff_r, staff_t)
>   ')

What is the reasoning for this?  Staff_t is supposed to be unprivileged, 
so this doesn't seem allowable.

-- 
Chris PeBenito