From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 15 Apr 2018 23:45:57 +0200
Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp
In-Reply-To: <8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
References: <1523723263.3462.3.camel@trentalancia.com>
	<8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
Message-ID: <64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It is intended to aid running ntpdate from the crontab.

Regards,

Guido

On the 15th of april 2018 23:23:11 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>> Update the staff role policy so that it allows to run
>> ntpd and ntpdate.
>> 
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>> ---
>>   policy/modules/roles/staff.te |    4 ++++
>>   1 file changed, 4 insertions(+)
>> 
>> diff -pru a/policy/modules/roles/staff.te
>> b/policy/modules/roles/staff.te
>> --- a/policy/modules/roles/staff.te	2017-09-29
>> 19:01:27.985455758 +0200
>> +++ b/policy/modules/roles/staff.te	2018-04-14
>> 18:14:52.850666408 +0200
>> @@ -32,6 +32,10 @@ optional_policy(`
>>   ')
>>   
>>   optional_policy(`
>> +	ntp_run(staff_t, staff_r)
>> +')
>> +
>> +optional_policy(`
>>   	postgresql_role(staff_r, staff_t)
>>   ')
>
>What is the reasoning for this?  Staff_t is supposed to be
>unprivileged, 
>so this doesn't seem allowable.