From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 16 Jun 2018 13:53:52 +0200
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)
In-Reply-To: <2008669.eO35s5s6tf@liv>
References: <2008669.eO35s5s6tf@liv>
Message-ID: <20180616115352.GA21026@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jun 14, 2018 at 11:01:58PM +1000, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
> 
> Why do we have this?

My bad. Got it from Fedora probably. Was a bad idea and not something I would do today.

Remove it please.

> 
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg 
> when it's run from those cron jobs we need to allow it access to var_log_t 
> which means that user_t can use gpg to access var_log_t.
> 
> What benefit do we get from a domain transition when running gpg from a system 
> cron job?
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180616/8cab9c04/attachment.bin