From mboxrd@z Thu Jan  1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Aug 2012 09:38:08 -0400
Subject: [refpolicy] [PATCH v1 2/6] Remove getattr permision from
	ntp_admin()
In-Reply-To: <1344950105.2349.0.camel@d30.localdomain>
References: <1344855134-32212-1-git-send-email-dominick.grift@gmail.com>
	<1344855134-32212-3-git-send-email-dominick.grift@gmail.com>
	<502A473A.4090105@tresys.com>
	<1344950105.2349.0.camel@d30.localdomain>
Message-ID: <502A54C0.6080000@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/14/12 09:15, Dominick Grift wrote:
> 
> 
> On Tue, 2012-08-14 at 08:40 -0400, Christopher J. PeBenito wrote:
>> On 08/13/12 06:52, Dominick Grift wrote:
>>> There is no need for ntp_admin() to be able to get
>>> attributes of the ntpd process.
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> ---
>>>  ntp.if | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/ntp.if b/ntp.if
>>> index d56b635..b47bc35 100644
>>> --- a/ntp.if
>>> +++ b/ntp.if
>>> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
>>>  		type ntpd_initrc_exec_t;
>>>  	')
>>>  
>>> -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
>>> +	allow $1 ntpd_t:process { ptrace signal_perms };
>>>  	ps_process_pattern($1, ntpd_t)
>>>  
>>>  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>>  
>> I disagree, its reasonable to make sure its running in the right domain, which requires this permission to read /proc/pid/attr/current.
>>
> 
> Its already allowed with
> 
> ps_process_pattern($1, ntpd_t)
 
My mistake. Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com