* [refpolicy] [PATCH 1/2] base: staff role runs ntp
@ 2018-04-14 16:27 Guido Trentalancia
From: Guido Trentalancia @ 2018-04-14 16:27 UTC (permalink / raw)
  To: refpolicy

Update the staff role policy so that it allows running
ntpd and ntpdate.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/roles/staff.te |    4 ++++
 1 file changed, 4 insertions(+)

diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te	2017-09-29 19:01:27.985455758 +0200
+++ b/policy/modules/roles/staff.te	2018-04-14 18:14:52.850666408 +0200
@@ -32,6 +32,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_run(staff_t, staff_r)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
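Review bot: The changelog gives no reason why an unprivileged role should be able to start the NTP daemon; `ntp_run(staff_t, staff_r)` lets staff_r transition into the daemon's domain, and the reply in this thread notes that staff_t is supposed to be unprivileged. Please state the concrete use case in the commit message and explain why it belongs in the staff role rather than an administrative one, and consider whether the narrower ntpdate-only interface used in v2 of this patch is all that is actually needed, since the subject claims both ntpd and ntpdate.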


* [refpolicy] [PATCH 1/2] base: staff role runs ntp
From: Chris PeBenito @ 2018-04-15 21:23 UTC (permalink / raw)
  To: refpolicy

On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
> Update the staff role policy so that it allows running
> ntpd and ntpdate.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/roles/staff.te |    4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te	2017-09-29 19:01:27.985455758 +0200
> +++ b/policy/modules/roles/staff.te	2018-04-14 18:14:52.850666408 +0200
> @@ -32,6 +32,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	ntp_run(staff_t, staff_r)
> +')
> +
> +optional_policy(`
>   	postgresql_role(staff_r, staff_t)
>   ')

What is the reasoning for this?  Staff_t is supposed to be unprivileged, 
so this doesn't seem allowable.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2] base: staff role runs ntp
From: Guido Trentalancia @ 2018-04-15 21:45 UTC (permalink / raw)
  To: refpolicy

It is intended to aid running ntpdate from the crontab.

Regards,

Guido

On the 15th of April 2018 23:23:11 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>> Update the staff role policy so that it allows running
>> ntpd and ntpdate.
>> 
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>> ---
>>   policy/modules/roles/staff.te |    4 ++++
>>   1 file changed, 4 insertions(+)
>> 
>> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>> --- a/policy/modules/roles/staff.te	2017-09-29 19:01:27.985455758 +0200
>> +++ b/policy/modules/roles/staff.te	2018-04-14 18:14:52.850666408 +0200
>> @@ -32,6 +32,10 @@ optional_policy(`
>>   ')
>>   
>>   optional_policy(`
>> +	ntp_run(staff_t, staff_r)
>> +')
>> +
>> +optional_policy(`
>>   	postgresql_role(staff_r, staff_t)
>>   ')
>
>What is the reasoning for this?  Staff_t is supposed to be
>unprivileged, so this doesn't seem allowable.


* [refpolicy] [PATCH 1/2 v2] base: staff role runs ntp
From: Guido Trentalancia @ 2018-04-16  9:39 UTC (permalink / raw)
  To: refpolicy

Update the staff role policy so that it allows running
ntpdate. This is needed, for example, to start ntpdate
from the crontab.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/roles/staff.te |    4 ++++
 1 file changed, 4 insertions(+)

diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te	2017-09-29 19:01:27.985455758 +0200
+++ b/policy/modules/roles/staff.te	2018-04-14 18:14:52.850666408 +0200
@@ -32,6 +32,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_run_ntpdate(staff_t, staff_r)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
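Review bot: The subject line still reads "staff role runs ntp" while the hunk now only calls `ntp_run_ntpdate(staff_t, staff_r)`; please update the subject to match the narrowed change. The `+++` header timestamp (2018-04-14 18:14:52) is identical to the one in v1 although the hunk differs, so the patch header does not appear to have been regenerated. Since ntpdate sets the system clock, a privileged operation, the changelog should also justify granting this to a role that is meant to stay unprivileged (the objection raised earlier in this thread), rather than only naming cron as the trigger.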


* [refpolicy] [PATCH 1/2] base: staff role runs ntp
From: Chris PeBenito @ 2018-04-18  0:13 UTC (permalink / raw)
  To: refpolicy

On 04/15/2018 05:45 PM, Guido Trentalancia via refpolicy wrote:
> It is intended to aid running ntpdate from the crontab.

I don't agree with this being run from the staff role.

> On the 15th of April 2018 23:23:11 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 04/14/2018 12:27 PM, Guido Trentalancia via refpolicy wrote:
>>> Update the staff role policy so that it allows running
>>> ntpd and ntpdate.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>>> ---
>>>    policy/modules/roles/staff.te |    4 ++++
>>>    1 file changed, 4 insertions(+)
>>>
>>> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>> --- a/policy/modules/roles/staff.te	2017-09-29 19:01:27.985455758 +0200
>>> +++ b/policy/modules/roles/staff.te	2018-04-14 18:14:52.850666408 +0200
>>> @@ -32,6 +32,10 @@ optional_policy(`
>>>    ')
>>>    
>>>    optional_policy(`
>>> +	ntp_run(staff_t, staff_r)
>>> +')
>>> +
>>> +optional_policy(`
>>>    	postgresql_role(staff_r, staff_t)
>>>    ')
>>
>> What is the reasoning for this?  Staff_t is supposed to be
>> unprivileged, so this doesn't seem allowable.


-- 
Chris PeBenito

