From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 15 Apr 2018 23:45:57 +0200
Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp
In-Reply-To: <8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
References: <1523723263.3462.3.camel@trentalancia.com> <8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
Message-ID: <64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It is intended to aid running ntpdate from the crontab.

Regards,

Guido

On the 15th of April 2018 23:23:11 CEST, Chris PeBenito wrote:
>On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>> Update the staff role policy so that it allows running
>> ntpd and ntpdate.
>>
>> Signed-off-by: Guido Trentalancia
>> ---
>> policy/modules/roles/staff.te | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff -pru a/policy/modules/roles/staff.te
>> b/policy/modules/roles/staff.te
>> --- a/policy/modules/roles/staff.te 2017-09-29
>> 19:01:27.985455758 +0200
>> +++ b/policy/modules/roles/staff.te 2018-04-14
>> 18:14:52.850666408 +0200
>> @@ -32,6 +32,10 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>> + ntp_run(staff_t, staff_r)
>> +')
>> +
>> +optional_policy(`
>> postgresql_role(staff_r, staff_t)
>> ')
>
>What is the reasoning for this? Staff_t is supposed to be
>unprivileged,
>so this doesn't seem allowable.
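Review bot: the added `ntp_run(staff_t, staff_r)` block grants the staff role a transition into the ntp domain unconditionally, with no rationale in the commit message; the only justification (running ntpdate from the crontab) appears in the follow-up reply, and it is not obvious that a cron-driven ntpdate needs the interactive staff_t domain to transition at all. Since staff_t is meant to be unprivileged, as the maintainer notes, the change should either be dropped or be narrowed and explained: state the use case in the commit message and, if the transition is really needed, gate it behind a tunable rather than granting it to every staff user by default.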