From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 17 Apr 2018 20:13:17 -0400
Subject: [refpolicy] [PATCH 1/2] base: staff role runs ntp
In-Reply-To: <64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
References: <1523723263.3462.3.camel@trentalancia.com>
	<8b73f7c2-e089-f351-3e60-77a78d399afe@ieee.org>
	<64319E5A-A94E-447C-85AF-32DD0CDD28AA@trentalancia.com>
Message-ID: <13c4ea2a-1764-d070-765d-301ca8cd073d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/15/2018 05:45 PM, Guido Trentalancia via refpolicy wrote:
> It is intended to aid running ntpdate from the crontab.

I don't agree with this being run from the staff role.

> On the 15th of april 2018 23:23:11 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>>> Update the staff role policy so that it allows to run
>>> ntpd and ntpdate.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>>> ---
>>>    policy/modules/roles/staff.te |    4 ++++
>>>    1 file changed, 4 insertions(+)
>>>
>>> diff -pru a/policy/modules/roles/staff.te
>>> b/policy/modules/roles/staff.te
>>> --- a/policy/modules/roles/staff.te	2017-09-29
>>> 19:01:27.985455758 +0200
>>> +++ b/policy/modules/roles/staff.te	2018-04-14
>>> 18:14:52.850666408 +0200
>>> @@ -32,6 +32,10 @@ optional_policy(`
>>>    ')
>>>    
>>>    optional_policy(`
>>> +	ntp_run(staff_t, staff_r)
>>> +')
>>> +
>>> +optional_policy(`
>>>    	postgresql_role(staff_r, staff_t)
>>>    ')
>>
>> What is the reasoning for this?  Staff_t is supposed to be
>> unprivileged,
>> so this doesn't seem allowable.
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Chris PeBenito