From: russell@coker.com.au (Russell Coker)
Date: Fri, 03 Oct 2014 18:47:57 +1000
Subject: [refpolicy] gpg domains
Message-ID: <1691561.ZPqvGCpHjc@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In Debian/Testing we have the gpg-agent launching the dbus session, which then 
launches the user session.  So we have user_t -> gpg_agent_t -> user_dbusd_t
 -> user_t.  Making this work for multiple user domains requires having 
multiple gpg_agent_t domains (which we apparently used to have).

Removing the multiple $1_gpg_t domains without removing the 
user_t/unconfined_t/staff_t split doesn't seem to be viable.

Also why do we have gpg_agent_t, gpg_helper_t, and gpg_pinentry_t?  What 
benefit does this give us over having a single domain for GPG stuff that's other 
than gpg_t?  What is the logic behind a gpg_pinentry_t/gpg_agent_t anyway?  
Are those things that can even be properly split?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/