From mboxrd@z Thu Jan  1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Aug 2012 08:40:26 -0400
Subject: [refpolicy] [PATCH v1 2/6] Remove getattr permision from
	ntp_admin()
In-Reply-To: <1344855134-32212-3-git-send-email-dominick.grift@gmail.com>
References: <1344855134-32212-1-git-send-email-dominick.grift@gmail.com>
	<1344855134-32212-3-git-send-email-dominick.grift@gmail.com>
Message-ID: <502A473A.4090105@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/13/12 06:52, Dominick Grift wrote:
> There is no need for ntp_admin() to be able to get
> attributes of the ntpd process.
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  ntp.if | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ntp.if b/ntp.if
> index d56b635..b47bc35 100644
> --- a/ntp.if
> +++ b/ntp.if
> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
>  		type ntpd_initrc_exec_t;
>  	')
>  
> -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
> +	allow $1 ntpd_t:process { ptrace signal_perms };
>  	ps_process_pattern($1, ntpd_t)
>  
>  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 
I disagree, its reasonable to make sure its running in the right domain, which requires this permission to read /proc/pid/attr/current.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com