Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 25 Mar 2018 10:29:23
Message-Id: 1521970230.30f047c074b82fddea4cd78aab1e2935733d29ef.swift@gentoo
1 commit: 30f047c074b82fddea4cd78aab1e2935733d29ef
2 Author: David Sugar <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Sat Feb 24 14:52:17 2018 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sun Mar 25 09:30:30 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f047c0
7
8 ntp only uses UDP, remove TCP permissions
9
10 The NTP protocol states it only uses UDP for network communication. Remove currently allowed access to TCP that should not be needed.
11
12 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
13
14 policy/modules/contrib/ntp.te | 8 +-------
15 1 file changed, 1 insertion(+), 7 deletions(-)
16
17 diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
18 index 66c8eaa9..50d54178 100644
19 --- a/policy/modules/contrib/ntp.te
20 +++ b/policy/modules/contrib/ntp.te
21 @@ -59,7 +59,6 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
22 allow ntpd_t self:fifo_file rw_fifo_file_perms;
23 allow ntpd_t self:shm create_shm_perms;
24 allow ntpd_t self:socket create;
25 -allow ntpd_t self:tcp_socket { accept listen };
26 allow ntpd_t self:unix_dgram_socket sendto;
27
28 allow ntpd_t ntp_conf_t:file read_file_perms;
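Review bot: the removed `-allow ntpd_t self:tcp_socket { accept listen };` line is the only tcp_socket rule visible in this hunk, so the review should confirm that nothing else in ntp.te (or in an interface it calls) still grants ntpd_t `tcp_socket create`; if it does, the domain could still open TCP sockets and merely be denied accept/listen, which shows up as puzzling AVC denials rather than the clean removal the commit message describes. It would also help the commit message to state which programs run in ntpd_t under this module were exercised with the change, since any of them that ever listened on TCP now loses that permission.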
29 @@ -101,20 +100,15 @@ kernel_request_load_module(ntpd_t)
30
31 corenet_all_recvfrom_unlabeled(ntpd_t)
32 corenet_all_recvfrom_netlabel(ntpd_t)
33 -corenet_tcp_sendrecv_generic_if(ntpd_t)
34 corenet_udp_sendrecv_generic_if(ntpd_t)
35 -corenet_tcp_sendrecv_generic_node(ntpd_t)
36 corenet_udp_sendrecv_generic_node(ntpd_t)
37 corenet_udp_bind_generic_node(ntpd_t)
38
39 +corenet_sendrecv_ntp_client_packets(ntpd_t)
40 corenet_sendrecv_ntp_server_packets(ntpd_t)
41 corenet_udp_bind_ntp_port(ntpd_t)
42 corenet_udp_sendrecv_ntp_port(ntpd_t)
43
44 -corenet_sendrecv_ntp_client_packets(ntpd_t)
45 -corenet_tcp_connect_ntp_port(ntpd_t)
46 -corenet_tcp_sendrecv_ntp_port(ntpd_t)
47 -
48 corecmd_exec_bin(ntpd_t)
49 corecmd_exec_shell(ntpd_t)
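Review bot: the `corenet_sendrecv_ntp_client_packets(ntpd_t)` line is deleted in one place and re-added higher up purely as a reordering, which is mixed into the same hunk as the four real TCP removals (`corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, `corenet_tcp_connect_ntp_port`, `corenet_tcp_sendrecv_ntp_port`); keeping cosmetic moves in a separate commit would make the permission reduction easier to audit. With `corenet_tcp_connect_ntp_port` gone, the domain's network access in this hunk is UDP-only via `corenet_udp_bind_ntp_port` and `corenet_udp_sendrecv_ntp_port`, so after loading the policy a check of the audit log for denials from ntpd_t (for example with `ausearch -m avc -c ntpd`) would confirm that both client and server mode still work without a residual TCP dependency. The hunk header counts (20 old lines to 15 new, 6 deletions and 1 insertion) agree with the diffstat above.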