From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 16 Jun 2018 13:53:52 +0200
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)
In-Reply-To: <2008669.eO35s5s6tf@liv>
References: <2008669.eO35s5s6tf@liv>
Message-ID: <20180616115352.GA21026@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jun 14, 2018 at 11:01:58PM +1000, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?

My bad. Got it from Fedora probably. Was a bad idea and not something I would do today. Remove it please.

>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
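
The concern raised in the quoted message, that granting gpg_t the /var/log access the cron jobs need also hands that access to user_t, can be checked with a small model. This is an added example, not part of the thread and not refpolicy source; the allow rules, the user_t transition and the helper names are constructed simplifications.

```python
# Constructed toy model of SELinux type enforcement; not refpolicy source.
from collections import deque

def reachable_access(start, transitions, allows):
    """Map each (target_type, perm) reachable from `start` to the chain of
    domains used to get there (shortest chain first)."""
    seen = {start: [start]}
    queue = deque([start])
    while queue:
        dom = queue.popleft()
        for (src, _entrypoint), dst in transitions.items():
            if src == dom and dst not in seen:
                seen[dst] = seen[dom] + [dst]
                queue.append(dst)
    result = {}
    for dom, path in seen.items():
        for access in sorted(allows.get(dom, ())):
            result.setdefault(access, path)
    return result

def build_policy(with_cron_entry):
    """Return (transitions, allows) with or without the cron entry rule."""
    # (source domain, entrypoint type) -> new domain
    transitions = {("user_t", "gpg_exec_t"): "gpg_t"}  # users run gpg in gpg_t
    allows = {
        "gpg_t": {("gpg_secret_t", "read")},
        "system_cronjob_t": {("var_log_t", "write")},  # cron jobs write logs
    }
    if with_cron_entry:
        # Effect of cron_system_entry(gpg_t, gpg_exec_t): cron-run gpg
        # leaves system_cronjob_t and runs in gpg_t instead ...
        transitions[("system_cronjob_t", "gpg_exec_t")] = "gpg_t"
        # ... so gpg_t itself must now be allowed to write the logs.
        allows["gpg_t"].add(("var_log_t", "write"))
    return transitions, allows

def path_to_log_write(domain, with_cron_entry):
    """Domain chain giving `domain` write access to var_log_t, or None."""
    transitions, allows = build_policy(with_cron_entry)
    access = reachable_access(domain, transitions, allows)
    return access.get(("var_log_t", "write"))

if __name__ == "__main__":
    for flag in (True, False):
        print("cron entry:", flag, "user_t ->", path_to_log_write("user_t", flag))
```

With the transition removed, gpg started from a system cron job stays in system_cronjob_t and keeps the log access there, while user_t has no chain to var_log_t.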