2018-02-16 19:19:34

by Sugar, David

Subject: [refpolicy] Question: NTP allowed TCP access?

As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.

I'm happy to submit a patch to remove this access.
I know that ntp should be only using udp.
Does someone know why these might be important?

Dave Sugar
dsugar at tresys.com


2018-02-18 16:14:20

by Chris PeBenito

Subject: [refpolicy] Question: NTP allowed TCP access?

On 02/16/2018 02:19 PM, David Sugar via refpolicy wrote:
> As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
>
> I'm happy to submit a patch to remove this access.
> I know that ntp should be only using udp.
> Does someone know why these might be important?

A quick look through the log says it came in from Fedora. I'm not sure
otherwise.

--
Chris PeBenito

2018-02-18 16:32:02

by Dac Override

Subject: [refpolicy] Question: NTP allowed TCP access?

On Sun, Feb 18, 2018 at 11:14:20AM -0500, Chris PeBenito via refpolicy wrote:
> On 02/16/2018 02:19 PM, David Sugar via refpolicy wrote:
> > As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
> >
> > I'm happy to submit a patch to remove this access.
> > I know that ntp should be only using udp.
> > Does someone know why these might be important?
>
> A quick look through the log says it came in from Fedora. I'm not sure
> otherwise.

Let's remove it. It does not make sense. If it does, it will re-surface.
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2018-02-20 06:44:16

by Jason Zaman

Subject: [refpolicy] Question: NTP allowed TCP access?

On Fri, Feb 16, 2018 at 07:19:34PM +0000, David Sugar via refpolicy wrote:
> As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
>
> I'm happy to submit a patch to remove this access.
> I know that ntp should be only using udp.
> Does someone know why these might be important?

I know some ntp implementations (the openntpd maybe?) can connect over
HTTPS to do an initial time check too.
corenet_tcp_connect_ntp_port() is probably not needed, but we may want to
add the https ports?

-- Jason

2018-02-24 14:06:17

by Chris PeBenito

Subject: [refpolicy] Question: NTP allowed TCP access?

On 02/20/2018 01:44 AM, Jason Zaman via refpolicy wrote:
> On Fri, Feb 16, 2018 at 07:19:34PM +0000, David Sugar via refpolicy wrote:
>> As I was getting my chronyd patches ready to submit I noticed I had some rules allowing tcp access. I initially copied these from ntp.te. I went back and removed them before submitting my chronyd patches but in ntp.te lines 113 and 114 and maybe lines 102 and 104 also should probably be removed.
>>
>> I'm happy to submit a patch to remove this access.
>> I know that ntp should be only using udp.
>> Does someone know why these might be important?
>
> I know some ntp implementations (the openntpd maybe?) can connect over
> HTTPS to do an initial time check too.
> corenet_tcp_connect_ntp_port() is probably not needed, but we may want to
> add the https ports?

I think I'd rather remove the access until we can reestablish what the
need is.


--
Chris PeBenito
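One way to let the need "re-surface" as evidence once the TCP rules are pulled from ntp.te, as an added example that is neither from this thread nor from refpolicy: a small Python scan over audit.log AVC lines that reports which TCP port types ntpd_t was denied and with which permission, so the choice between keeping corenet_tcp_connect_ntp_port() and adding an https port interface can be made from denials rather than guesswork. The sample log lines and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (not a real capture): what an NTP daemon in
# ntpd_t would log if it tried TCP after the rules were removed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1519071234.101:301): avc:  denied  { name_connect } for  pid=1201 comm="ntpd" dest=443 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1519071234.102:302): avc:  denied  { name_connect } for  pid=1201 comm="ntpd" dest=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1519071234.103:303): avc:  denied  { name_bind } for  pid=4321 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1519071234.104:304): avc:  denied  { name_connect } for  pid=1201 comm="ntpd" dest=443 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=USER_START msg=audit(1519071234.105:305): pid=999 uid=0 auid=0 ses=3 msg='op=PAM:session_open'
"""

# Pull the permission set, source domain, target type and object class out of
# an AVC denial; contexts are user:role:type[:level], so take the third field.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<sdomain>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+'
    r'tclass=(?P<tclass>\S+)'
)


def find_tcp_denials(log_text, domain="ntpd_t"):
    """Return (target_port_type, permission, dest_port) for every tcp_socket
    denial whose source domain is `domain`; dest_port is None if absent."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("sdomain") != domain or m.group("tclass") != "tcp_socket":
            continue
        dest = re.search(r'\bdest=(\d+)', line)
        hits.append((m.group("ttype"), m.group("perms").strip(),
                     int(dest.group(1)) if dest else None))
    return hits


def summarize(hits):
    """Count denials per (port type, permission): each key maps to one
    corenet_tcp_* interface a policy author might, or might not, grant."""
    return Counter((ttype, perm) for ttype, perm, _ in hits)


if __name__ == "__main__":
    for (ttype, perm), n in summarize(find_tcp_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"ntpd_t denied {perm} on {ttype}: {n} time(s)")
```

On a real host, feed it `ausearch -m avc --raw` output instead of the constructed sample.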