2016-10-26 17:19:18

by Jason Zaman

Subject: [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup

Allow dbus chat to policykit.
pcscd needs to look up the domain that connects to the socket.

type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
---
pcscd.if | 3 +++
pcscd.te | 4 ++++
2 files changed, 7 insertions(+)

diff --git a/pcscd.if b/pcscd.if
index ac7e60c..b5c522d 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`

files_search_pids($1)
stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+ allow pcscd_t $1:dir list_dir_perms;
+ allow pcscd_t $1:file read_file_perms;
')
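Review bot: The two added allow rules give pcscd_t read access to every /proc/PID file of the calling domain, not only the stat file the quoted AVCs show; because all of /proc/PID/* carries the process's domain type, that necessarily includes cmdline and environ, so the grant is wider than the commit message suggests and the interface's XML header (above the hunk) should say so. Refpolicy already has an idiom for exactly this, `ps_process_pattern(pcscd_t, $1)`, which would replace both lines, though note it additionally grants lnk_file read and process getattr. Either way a why-comment on the new rules would help, e.g. `# pcscd identifies the connecting process's domain via /proc/PID/stat`. The interface definition starts before the hunk.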

########################################
diff --git a/pcscd.te b/pcscd.te
index 1828900..bcc863c 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ ')
')

optional_policy(`
--
2.7.3


2016-10-26 17:19:19

by Jason Zaman

Subject: [refpolicy] [PATCH 2/4] gpg: add new socket paths

GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.

also allow pinentry to dbus chat gkeyring
---
gpg.fc | 4 ++++
gpg.if | 4 ++++
gpg.te | 8 ++++++++
3 files changed, 16 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index 888cd2c..dcd6a16 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
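Review bot: `/var/run/user/%{USERID}/gnupg(/.*)?` labels the whole per-user gnupg runtime directory gpg_agent_tmp_t, and in GnuPG 2.1 that directory presumably also holds dirmngr's socket rather than only the agent's; if dirmngr runs in a domain other than gpg_agent_t in this policy, it will need its own rules against gpg_agent_tmp_t or a separate, more specific entry for its socket — worth confirming before merge. A short comment beside the entry, `# GnuPG 2.1 socket directory under $XDG_RUNTIME_DIR`, would tie the line to the rationale given in the commit message.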
diff --git a/gpg.if b/gpg.if
index 0370dd1..5f4cefc 100644
--- a/gpg.if
+++ b/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
')

stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
')
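Review bot: `allow $1 gpg_secret_t:dir search_dir_perms;` lets every domain that calls gpg_stream_connect_agent traverse the user's ~/.gnupg (gpg_secret_t), and the interface's XML header above the hunk does not mention that widening; add a sentence there and a why-comment on the rule, e.g. `# the agent sockets live in ~/.gnupg (gpg_secret_t); search only, no list or read`. Stylistically, the new `type gpg_secret_t;` line could be folded into the existing declaration as `type gpg_agent_t, gpg_agent_tmp_t, gpg_secret_t;`, as is conventional for refpolicy gen_require blocks. The interface definition starts before the hunk.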

########################################
diff --git a/gpg.te b/gpg.te
index 7b4ba9d..61da3a7 100644
--- a/gpg.te
+++ b/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")

domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)

userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
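Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` is an unnamed transition, so any directory gpg_agent_t creates directly under the user runtime dir becomes gpg_agent_tmp_t, whereas the new fc entry in gpg.fc only covers `gnupg`; if the interface accepts the optional name argument that filetrans_pattern does, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")` keeps the transition and the labeling in agreement. The same applies to `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)` in the gnome.te hunk of patch 4/4, where the fc entry is `keyring`. These are top-level statements in gpg.te, not inside an interface.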
@@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
')

optional_policy(`
--
2.7.3

2016-10-26 17:19:20

by Jason Zaman

Subject: [refpolicy] [PATCH 3/4] devicekit: fcontext for udisks2

---
devicekit.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d..8908ab6 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -10,6 +10,7 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)

/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
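Review bot: The new entry only matches `/usr/libexec/udisks2/udisksd`; on distributions whose libexecdir is /usr/lib (Debian and its derivatives, as far as I know) the daemon is installed as /usr/lib/udisks2/udisksd and would stay unlabeled, so a companion line `/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)` (or a `/usr/lib(exec)?/udisks2/udisksd` pattern) is worth considering — confirm against the distributions refpolicy targets.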
--
2.7.3

2016-10-26 17:19:21

by Jason Zaman

Subject: [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext

---
gnome.fc | 1 +
gnome.if | 2 ++
gnome.te | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/gnome.fc b/gnome.fc
index 230ee6c..43c0ed2 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -17,5 +17,6 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)

+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
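Review bot: The new keyring entry uses only the `%{USERID}` form while the neighbouring orcexec entries carry both a `/var/run/user/[^/]*/` and a `/var/run/user/%{USERID}/` line; unless the `[^/]*` variant is deliberately omitted, a matching `/var/run/user/[^/]*/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)` keeps the file's convention and still labels the path on systems that do not expand %{USERID}. The commit message of this patch is empty; a one-line rationale for labeling the keyring socket directory under the user runtime dir would help later readers.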
diff --git a/gnome.if b/gnome.if
index 838be50..640aeea 100644
--- a/gnome.if
+++ b/gnome.if
@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
')

files_search_tmp($2)
+ userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')

@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
')

files_search_tmp($1)
+ userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')

diff --git a/gnome.te b/gnome.te
index bf48475..9c792fd 100644
--- a/gnome.te
+++ b/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)

-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)

dev_read_rand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
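Review bot: `kernel_read_kernel_sysctls(gkeyringd_domain)` is a new grant with no AVC or explanation in the (empty) commit message, unlike patch 1/4 which quotes its denials; a why-comment naming the sysctl gnome-keyring actually reads, e.g. `# gnome-keyring reads <sysctl — TODO name it> under /proc/sys/kernel`, or the AVC in the commit message, would let a later reader judge whether the whole interface is still needed. Moving kernel_read_system_state below kernel_read_crypto_sysctls to keep the calls alphabetical is fine. These are top-level statements, not inside an interface.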
--
2.7.3

2016-10-26 22:53:36

by guido

Subject: [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext

Hello!

I am using the latest version of Gnome and it works fine without the changes that you are proposing, therefore I suspect that they are distribution-specific...

Can you please confirm?

If so, they should be included within appropriate "ifdef" statements so that they only get compiled on that specific distribution.

Otherwise, how can I reproduce it?

Regards,

Guido

On the 26th of October 2016 19:19:21 CEST, Jason Zaman via refpolicy <[email protected]> wrote:
>---
> gnome.fc | 1 +
> gnome.if | 2 ++
> gnome.te | 4 +++-
> 3 files changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/gnome.fc b/gnome.fc
>index 230ee6c..43c0ed2 100644
>--- a/gnome.fc
>+++ b/gnome.fc
>@@ -17,5 +17,6 @@
>HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
>/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
>
>+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
>/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>diff --git a/gnome.if b/gnome.if
>index 838be50..640aeea 100644
>--- a/gnome.if
>+++ b/gnome.if
>@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
> ')
>
> files_search_tmp($2)
>+ userdom_search_user_runtime($2)
> stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
>$1_gkeyringd_t)
> ')
>
>@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
> ')
>
> files_search_tmp($1)
>+ userdom_search_user_runtime($1)
> stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
>gkeyringd_domain)
> ')
>
>diff --git a/gnome.te b/gnome.te
>index bf48475..9c792fd 100644
>--- a/gnome.te
>+++ b/gnome.te
>@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain,
>gnome_keyring_home_t, dir, "keyrings")
>manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
>gnome_keyring_tmp_t)
>manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
>gnome_keyring_tmp_t)
> files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
>+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t,
>dir)
>
>-kernel_read_system_state(gkeyringd_domain)
> kernel_read_crypto_sysctls(gkeyringd_domain)
>+kernel_read_kernel_sysctls(gkeyringd_domain)
>+kernel_read_system_state(gkeyringd_domain)
>
> dev_read_rand(gkeyringd_domain)
> dev_read_sysfs(gkeyringd_domain)

2016-10-27 03:25:29

by Jason Zaman

Subject: [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext

On Thu, Oct 27, 2016 at 12:53:36AM +0200, Guido Trentalancia wrote:
> Hello!
>
> I am using the latest version of Gnome and it works fine without the changes that you are proposing, therefore I suspect that they are distribution-specific...
>
> Can you please confirm?
It is definitely not distro-specific. It's been in the code for years already.
https://git.gnome.org/browse/gnome-keyring/tree/daemon/gkd-util.c?h=3.20.0#n121
gnome-keyring will use $XDG_RUNTIME_DIR if your env specifies it. Maybe
you need to setup your login stuff differently?

-- Jason

> If so, they should be included within appropriate "ifdef" statements so that they only get compiled on that specific distribution.
>
> Otherwise, how can I reproduce it?
>
> Regards,
>
> Guido
>
> On the 26th of October 2016 19:19:21 CEST, Jason Zaman via refpolicy <[email protected]> wrote:
> >---
> > gnome.fc | 1 +
> > gnome.if | 2 ++
> > gnome.te | 4 +++-
> > 3 files changed, 6 insertions(+), 1 deletion(-)
> >
> >diff --git a/gnome.fc b/gnome.fc
> >index 230ee6c..43c0ed2 100644
> >--- a/gnome.fc
> >+++ b/gnome.fc
> >@@ -17,5 +17,6 @@
> >HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> >/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> >
> >+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
> >/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >diff --git a/gnome.if b/gnome.if
> >index 838be50..640aeea 100644
> >--- a/gnome.if
> >+++ b/gnome.if
> >@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
> > ')
> >
> > files_search_tmp($2)
> >+ userdom_search_user_runtime($2)
> > stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
> >$1_gkeyringd_t)
> > ')
> >
> >@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
> > ')
> >
> > files_search_tmp($1)
> >+ userdom_search_user_runtime($1)
> > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
> >gkeyringd_domain)
> > ')
> >
> >diff --git a/gnome.te b/gnome.te
> >index bf48475..9c792fd 100644
> >--- a/gnome.te
> >+++ b/gnome.te
> >@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain,
> >gnome_keyring_home_t, dir, "keyrings")
> >manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
> >gnome_keyring_tmp_t)
> >manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
> >gnome_keyring_tmp_t)
> > files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
> >+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t,
> >dir)
> >
> >-kernel_read_system_state(gkeyringd_domain)
> > kernel_read_crypto_sysctls(gkeyringd_domain)
> >+kernel_read_kernel_sysctls(gkeyringd_domain)
> >+kernel_read_system_state(gkeyringd_domain)
> >
> > dev_read_rand(gkeyringd_domain)
> > dev_read_sysfs(gkeyringd_domain)
>

2016-10-27 07:59:53

by Nicolas Iooss

Subject: [refpolicy] [PATCH 2/4] gpg: add new socket paths

On Wed, Oct 26, 2016 at 7:19 PM, Jason Zaman via refpolicy <
[email protected]> wrote:

> GPG 2.1 has sockets in /run/user/UID/gnupg/ and
> ~/.gnupg/S.gpg-agent{,.ssh}.
>
> also allow pinentry to dbus chat gkeyring
> ---
> gpg.fc | 4 ++++
> gpg.if | 4 ++++
> gpg.te | 8 ++++++++
> 3 files changed, 16 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index 888cd2c..dcd6a16 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,5 +1,7 @@
> HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent -s gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent.ssh -s gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
>

Hi,
In these file patterns you might want to escape the dots with backslashes
so that they only match S.gpg-agent{,.ssh} and not files which have any
character where the dots are in the pattern.

Otherwise the patches look good to me.
Nicolas

2016-10-30 18:21:07

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup

On 10/26/16 13:19, Jason Zaman wrote:
> Allow dbus chat to policykit.
> pcscd needs to lookup the domain that connects to the socket.
>
> type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
> type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
> ---
> pcscd.if | 3 +++
> pcscd.te | 4 ++++
> 2 files changed, 7 insertions(+)
>
> diff --git a/pcscd.if b/pcscd.if
> index ac7e60c..b5c522d 100644
> --- a/pcscd.if
> +++ b/pcscd.if
> @@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
>
> files_search_pids($1)
> stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
> +
> + allow pcscd_t $1:dir list_dir_perms;
> + allow pcscd_t $1:file read_file_perms;
> ')
>
> ########################################
> diff --git a/pcscd.te b/pcscd.te
> index 1828900..bcc863c 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -73,6 +73,10 @@ optional_policy(`
> optional_policy(`
> hal_dbus_chat(pcscd_t)
> ')
> +
> + optional_policy(`
> + policykit_dbus_chat(pcscd_t)
> + ')
> ')
>
> optional_policy(`

Merged.

--
Chris PeBenito

2016-10-30 18:21:14

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/4] devicekit: fcontext for udisks2

On 10/26/16 13:19, Jason Zaman wrote:
> ---
> devicekit.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/devicekit.fc b/devicekit.fc
> index ae49c9d..8908ab6 100644
> --- a/devicekit.fc
> +++ b/devicekit.fc
> @@ -10,6 +10,7 @@
> /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
> /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> +/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
>
> /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)

Merged.

--
Chris PeBenito

2016-10-30 18:21:17

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext

On 10/26/16 13:19, Jason Zaman wrote:
> ---
> gnome.fc | 1 +
> gnome.if | 2 ++
> gnome.te | 4 +++-
> 3 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/gnome.fc b/gnome.fc
> index 230ee6c..43c0ed2 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -17,5 +17,6 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
>
> +/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
> /var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> /var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> diff --git a/gnome.if b/gnome.if
> index 838be50..640aeea 100644
> --- a/gnome.if
> +++ b/gnome.if
> @@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
> ')
>
> files_search_tmp($2)
> + userdom_search_user_runtime($2)
> stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
> ')
>
> @@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
> ')
>
> files_search_tmp($1)
> + userdom_search_user_runtime($1)
> stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
> ')
>
> diff --git a/gnome.te b/gnome.te
> index bf48475..9c792fd 100644
> --- a/gnome.te
> +++ b/gnome.te
> @@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
> manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
> manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
> files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
> +userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
>
> -kernel_read_system_state(gkeyringd_domain)
> kernel_read_crypto_sysctls(gkeyringd_domain)
> +kernel_read_kernel_sysctls(gkeyringd_domain)
> +kernel_read_system_state(gkeyringd_domain)
>
> dev_read_rand(gkeyringd_domain)
> dev_read_sysfs(gkeyringd_domain)

Merged.

--
Chris PeBenito