From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 16 Jun 2018 07:46:15 -0400
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)
In-Reply-To: <2008669.eO35s5s6tf@liv>
References: <2008669.eO35s5s6tf@liv>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/14/2018 09:01 AM, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?
>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?

It was added back in 2009 from the Fedora policy. I can see dropping it, if there are no arguments to keep it.

--
Chris PeBenito