2014-02-14 19:35:48

by Mira Ressel

Subject: [refpolicy] [PATCH 1/2] pcscd.if: Permit access to pid files inside /var/run/pcscd/.

Gentoo places pcscd's pid file in /var/run/pcscd/ instead of /var/run/,
but pcscd_read_pid_files() doesn't grant enough permissions for this.
---
pcscd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
')

files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')

########################################
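Review bot: the `+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)` line only helps when the /var/run/pcscd directory itself is labeled pcscd_var_run_t, because the second argument is the directory type that receives search permission; the commit message should say so, and if the file context for that directory is not already in pcscd.fc, the labeling change belongs in this same patch. Keeping `files_search_pids($1)` above it is right, since that still covers traversal of /var/run itself, and the widening stays confined to directories of the pcscd type rather than all pid directories.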
--
1.8.5.4


2014-02-14 19:35:49

by Mira Ressel

Subject: [refpolicy] [PATCH 2/2] Allow gpg-agent's scdaemon to connect to pcscd.

---
gpg.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gpg.te b/gpg.te
index 4cfa305..06a4679 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.8.2)
+policy_module(gpg, 2.8.3)

########################################
#
@@ -273,6 +273,10 @@ optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

+optional_policy(`
+ pcscd_stream_connect(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
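Review bot: the subject says scdaemon connects to pcscd, but the rule `+ pcscd_stream_connect(gpg_agent_t)` is granted to gpg_agent_t and the patch has no commit body; it should state that scdaemon runs inside the gpg_agent_t domain (rather than a domain of its own) so a reader understands why the agent domain, and not a separate scdaemon domain, receives the stream connect. Wrapping the call in `optional_policy(` is correct, since the pcscd module may not be present in every build.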
--
1.8.5.4

2014-02-15 20:36:57

by cpebenito

Subject: [refpolicy] [PATCH 2/2] Allow gpg-agent's scdaemon to connect to pcscd.

On 2/14/2014 2:35 PM, Luis Ressel wrote:
> ---
> gpg.te | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/gpg.te b/gpg.te
> index 4cfa305..06a4679 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -1,4 +1,4 @@
> -policy_module(gpg, 2.8.2)
> +policy_module(gpg, 2.8.3)
>
> ########################################
> #
> @@ -273,6 +273,10 @@ optional_policy(`
> mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
> ')
>
> +optional_policy(`
> + pcscd_stream_connect(gpg_agent_t)
> +')
> +
> ##############################
> #
> # Pinentry local policy

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-15 20:37:04

by cpebenito

Subject: [refpolicy] [PATCH 1/2] pcscd.if: Permit access to pid files inside /var/run/pcscd/.

On 2/14/2014 2:35 PM, Luis Ressel wrote:
> Gentoo places pcscd's pid file in /var/run/pcscd/ instead of /var/run/,
> but pcscd_read_pid_files() doesn't grant enough permissions for this.
> ---
> pcscd.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/pcscd.if b/pcscd.if
> index 43d50f9..7f77d32 100644
> --- a/pcscd.if
> +++ b/pcscd.if
> @@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
> ')
>
> files_search_pids($1)
> - allow $1 pcscd_var_run_t:file read_file_perms;
> + read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
> ')
>
> ########################################

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com