From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 16 Jun 2018 07:46:15 -0400
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)
In-Reply-To: <2008669.eO35s5s6tf@liv>
References: <2008669.eO35s5s6tf@liv>
Message-ID: <aa8ed9fb-d13c-fad7-a209-4fc1290b503b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/14/2018 09:01 AM, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
> 
> Why do we have this?
> 
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
> 
> What benefit do we get from a domain transition when running gpg from a system
> cron job?

It was added back in 2009 from the Fedora policy.  I can see dropping 
it, if there are no arguments to keep it.

-- 
Chris PeBenito