From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 17 Apr 2018 20:13:17 -0400
Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp
In-Reply-To: <64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
References: <1523723263.3462.3.camel@trentalancia.com>
	<8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
	<64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
Message-ID: <13c4ea2a-1764-d070-765d-301ca8cd073d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/15/2018 05:45 PM, Guido Trentalancia via refpolicy wrote:
> It is intended to aid running ntpdate from the crontab.

I don't agree with this being run from the staff role.

> On the 15th of April 2018 23:23:11 CEST, Chris PeBenito wrote:
>> On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>>> Update the staff role policy so that it allows running
>>> ntpd and ntpdate.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>>   policy/modules/roles/staff.te | 4 ++++
>>>   1 file changed, 4 insertions(+)
>>>
>>> diff -pru a/policy/modules/roles/staff.te
>>> b/policy/modules/roles/staff.te
>>> --- a/policy/modules/roles/staff.te 2017-09-29
>>> 19:01:27.985455758 +0200
>>> +++ b/policy/modules/roles/staff.te 2018-04-14
>>> 18:14:52.850666408 +0200
>>> @@ -32,6 +32,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + ntp_run(staff_t, staff_r)
>>> +')
>>> +
>>> +optional_policy(`
>>> postgresql_role(staff_r, staff_t)
>>> ')
>>
>> What is the reasoning for this? Staff_t is supposed to be
>> unprivileged,
>> so this doesn't seem allowable.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

-- 
Chris PeBenito
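Review bot: the ntp_run(staff_t, staff_r) call in the block added at @@ -32,6 +32,10 @@ is a privilege problem, not a style one: in refpolicy a *_run interface grants the caller a domain transition into the daemon's domain and authorizes the role for it, so an unprivileged staff_t login would be able to start ntpd/ntpdate in the ntp domain with that domain's clock-setting and network permissions, and the stated motivation (a job in the crontab) does not need staff_r for that, because cron jobs are executed through the cron domain's own transitions rather than from the interactive staff shell. Suggest dropping this block; if the cron case is real, the transition belongs in the policy that already runs the user's cron jobs, and the commit message should name the domain that actually needs it instead of only saying ntpd and ntpdate should be runnable. Separately, the mail client has wrapped the `diff -pru a/...`, `---` and `+++` header lines across two lines each, so the patch will not apply as posted; resend with git send-email or as an attachment.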