From: mgrepl@redhat.com (Miroslav Grepl)
Date: Tue, 20 Jul 2010 08:49:54 +0200
Subject: [refpolicy] apps_gpg.patch
In-Reply-To: <4C44930D.4030305@redhat.com>
References: <4C06B97E.30807@redhat.com> <4C3344D3.9060808@tresys.com> <4C3C58F5.9040700@redhat.com> <4C448F2E.2000907@tresys.com> <4C44930D.4030305@redhat.com>
Message-ID: <4C454712.2090700@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/19/2010 08:01 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/19/2010 01:45 PM, Christopher J. PeBenito wrote:
>
>> On 07/13/10 08:15, Daniel J Walsh wrote:
>>
>>> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>>>
>>>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>>>
>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>>>
>>>>> gpg dontaudit leaks.
>>>>>
>>>> Merged.
>>>>
>>>>
>>>>> Added policy so apache can execute gpg
>>>>>
>>>> I don't understand this part. It seems more like it should be a domain
>>>> in the apache module instead.
>>>>
>>>>
>>> I guess we could go that way, but you need interfaces including
>>> gpg_exec_t.
>>>
>> How is this used? Is it run from a CGI script to check the signature or
>> (en|de)crypt a file?
>>
>>
Yes, it is run from a CGI script to check the signature or (en|de)crypt a file. Related bug #562083.

We also added the following change

optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_domtrans(httpd_t) + gpg_domtrans_web(httpd_t) ') ')

Regards,
Miroslav

> Yes and Yes, I think.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkxEkw0ACgkQrlYvE4MpobP5PQCghfRZmBU9jAJKqInOupTCscKj
> QbkAoNE0YRTo7HSdry4fyyIG+JGlg+3r
> =ObBx
> -----END PGP SIGNATURE-----
>
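
Review bot: the replacement call gpg_domtrans_web(httpd_t) inside the tunable_policy block relies on an interface whose definition is not included in this message, so it is not possible to tell from the change which domain the transition lands in or what that domain is permitted to do; please post the interface and its documentation together with this hunk. The message says gpg is run from a CGI script, yet the transition is granted to httpd_t, so it is worth confirming that httpd_t rather than the CGI script's own domain is the intended source. If httpd_use_gpg is a new boolean, it also needs a description stating what enabling it allows.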