From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1521970230.30f047c074b82fddea4cd78aab1e2935733d29ef.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/ntp.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 30f047c074b82fddea4cd78aab1e2935733d29ef
X-VCS-Branch: master
Date: Sun, 25 Mar 2018 10:29:19 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     30f047c074b82fddea4cd78aab1e2935733d29ef
Author:     David Sugar tresys com>
AuthorDate: Sat Feb 24 14:52:17 2018 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Mar 25 09:30:30 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f047c0

ntp only uses UDP, remove TCP permissions

The NTP protocol states it only uses UDP for network communication.
Remove currently allowed access to TCP that should not be needed.

Signed-off-by: Dave Sugar tresys.com>

 policy/modules/contrib/ntp.te | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 66c8eaa9..50d54178 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -59,7 +59,6 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:socket create; -allow ntpd_t self:tcp_socket { accept listen }; allow ntpd_t self:unix_dgram_socket sendto; allow ntpd_t ntp_conf_t:file read_file_perms; @@ -101,20 +100,15 @@ kernel_request_load_module(ntpd_t) corenet_all_recvfrom_unlabeled(ntpd_t) corenet_all_recvfrom_netlabel(ntpd_t) -corenet_tcp_sendrecv_generic_if(ntpd_t) corenet_udp_sendrecv_generic_if(ntpd_t) -corenet_tcp_sendrecv_generic_node(ntpd_t) corenet_udp_sendrecv_generic_node(ntpd_t) corenet_udp_bind_generic_node(ntpd_t) +corenet_sendrecv_ntp_client_packets(ntpd_t) corenet_sendrecv_ntp_server_packets(ntpd_t) corenet_udp_bind_ntp_port(ntpd_t) corenet_udp_sendrecv_ntp_port(ntpd_t) -corenet_sendrecv_ntp_client_packets(ntpd_t) -corenet_tcp_connect_ntp_port(ntpd_t) -corenet_tcp_sendrecv_ntp_port(ntpd_t) - corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t)
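Review bot: in the first hunk (@@ -59,7 +59,6 @@), the removed line `allow ntpd_t self:tcp_socket { accept listen };` only drops the server-side permissions on the socket class; if ntpd_t is never meant to open a TCP socket at all, any remaining `tcp_socket create` or `connect` grant for ntpd_t should be removed in the same change, otherwise the type can still create TCP sockets it has no port rules for. The surrounding context shows only `allow ntpd_t self:socket create;`, so it is worth confirming that no other `self:tcp_socket` allow for ntpd_t survives elsewhere in ntp.te or in an interface the module calls. Dropping the listen/accept pair is the right least-privilege direction; it would help future triage to state in the commit message which ntpd build and configuration was run without AVC denials, so that a later `tcp_socket` denial can be recognised as a regression rather than an expected effect.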
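Review bot: in the second hunk (@@ -101,20 +100,15 @@), `corenet_sendrecv_ntp_client_packets(ntpd_t)` is not actually removed, only moved: it is deleted below `corenet_udp_sendrecv_ntp_port(ntpd_t)` and re-added above `corenet_sendrecv_ntp_server_packets(ntpd_t)`. That reorder, plus the deleted blank line, is what makes the diffstat read 1 insertion / 7 deletions, while the functional change is just the five `corenet_tcp_*` removals (`corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, `corenet_tcp_connect_ntp_port`, `corenet_tcp_sendrecv_ntp_port` and the accompanying blank). Suggest either leaving the client-packets line in place so the diff matches the "remove TCP permissions" description exactly, or noting the cosmetic reorder in the message. Also, with `corenet_tcp_sendrecv_generic_if/node(ntpd_t)` gone, any TCP traffic ntpd_t still needs through another path (for example name resolution, if the module grants it via a separate interface) must now be covered entirely by that interface's own grants; a quick check that no remaining tcp port rule for ntpd_t depended on the removed generic interface/node rules would close the loop.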