From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 15 Apr 2018 17:23:11 -0400 Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp In-Reply-To: <1523723263.3462.3.camel@trentalancia.com> References: <1523723263.3462.3.camel@trentalancia.com> Message-ID: <8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote: > Update the staff role policy so that it allows to run > ntpd and ntpdate. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/roles/staff.te | 4 ++++ > 1 file changed, 4 insertions(+) > > diff -pru a/policy/modules/roles/staff.te > b/policy/modules/roles/staff.te > --- a/policy/modules/roles/staff.te 2017-09-29 > 19:01:27.985455758 +0200 > +++ b/policy/modules/roles/staff.te 2018-04-14 > 18:14:52.850666408 +0200 > @@ -32,6 +32,10 @@ optional_policy(` > ') > > optional_policy(` > + ntp_run(staff_t, staff_r) > +') > + > +optional_policy(` > postgresql_role(staff_r, staff_t) > ') What is the reasoning for this? Staff_t is supposed to be unprivileged, so this doesn't seem allowable. -- Chris PeBenito
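Review bot: the added `ntp_run(staff_t, staff_r)` in the new optional_policy block of policy/modules/roles/staff.te comes with no stated justification; the commit message says only that the staff role should be able to run ntpd and ntpdate, not why it needs to. ntp_run takes a domain and a role, so this line lets staff_t transition into the NTP domain and authorizes staff_r for it, which gives a user role access to a domain whose job is adjusting the system clock. Either state the use case in the commit message and in a comment above the block, or drop the staff.te change and keep this access with an administrative role.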