From: russell@coker.com.au (Russell Coker)
Date: Fri, 03 Oct 2014 18:47:57 +1000
Subject: [refpolicy] gpg domains
Message-ID: <1691561.ZPqvGCpHjc@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In Debian/Testing we have the gpg-agent launching the dbus session, which then launches the user session. So we have user_t -> gpg_agent_t -> user_dbusd_t -> user_t. Making this work for multiple user domains requires having multiple gpg_agent_t domains (which we apparently used to have).

Removing the multiple $1_gpg_t domains without removing the user_t/unconfined_t/staff_t split doesn't seem to be viable.

Also, why do we have gpg_agent_t, gpg_helper_t, and gpg_pinentry_t? What benefit does this give us over having a single domain for GPG stuff that's other than gpg_t? What is the logic behind a gpg_pinentry_t/gpg_agent_t anyway? Are those things that can even be properly split?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
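The transition-chain problem described in the message, as an added illustration that is not refpolicy code and not from the author: a small model of automatic SELinux domain transitions. SELinux picks the new domain on exec from a type_transition rule keyed on (source domain, entrypoint file type, object class), and a policy can hold only one such rule per key. The rule tables below are constructed for this example (the entrypoint types gpg_agent_exec_t, dbusd_exec_t and shell_exec_t, and the per-role $1_gpg_agent_t naming, are assumptions). It shows why a single shared gpg_agent_t cannot return a user_t session and a staff_t session to their own dbus domains, while per-role agent domains keep each chain inside its role.

```python
"""Toy model of automatic SELinux domain transitions (added example).

An automatic transition is chosen by a type_transition rule keyed on
(source domain, entrypoint file type); the policy can carry only one
rule per key.  Tables here are constructed for illustration and are
not refpolicy: they model user_t -> gpg_agent_t -> user_dbusd_t -> user_t
and show why one shared gpg_agent_t cannot send user_t and staff_t
sessions to different dbus domains, whereas per-role agent domains can.
Real policy additionally needs allow/entrypoint rules; those are omitted.
"""


class TransitionConflict(Exception):
    """Raised when a second type_transition is declared for an existing key."""


def add_transition(rules, source, entrypoint, new_domain):
    """Record: type_transition source entrypoint:process new_domain."""
    key = (source, entrypoint)
    if key in rules and rules[key] != new_domain:
        raise TransitionConflict(
            f"type_transition {source} {entrypoint}:process already maps to "
            f"{rules[key]}, cannot also map to {new_domain}")
    rules[key] = new_domain


def follow_chain(rules, start, entrypoints):
    """Exec the entrypoint types in order from `start`; return domains visited.
    Without a matching rule the process stays in its current domain."""
    chain = [start]
    for ep in entrypoints:
        chain.append(rules.get((chain[-1], ep), chain[-1]))
    return chain


# Session start-up as modelled here (constructed entrypoint types):
# gpg-agent first, which runs dbus-daemon, which runs the session shell.
SESSION_EXECS = ["gpg_agent_exec_t", "dbusd_exec_t", "shell_exec_t"]


def per_role_chains(roles=("user", "staff")):
    """One agent domain per role ($1_gpg_agent_t, assumed name) keeps the
    whole chain inside that role's domains."""
    rules = {}
    for r in roles:
        add_transition(rules, f"{r}_t", "gpg_agent_exec_t", f"{r}_gpg_agent_t")
        add_transition(rules, f"{r}_gpg_agent_t", "dbusd_exec_t", f"{r}_dbusd_t")
        add_transition(rules, f"{r}_dbusd_t", "shell_exec_t", f"{r}_t")
    return {r: follow_chain(rules, f"{r}_t", SESSION_EXECS) for r in roles}


def shared_agent_chain_for(role):
    """Shared gpg_agent_t whose single dbusd transition was written for the
    user role: every role's session ends up in user_dbusd_t and user_t."""
    rules = {}
    for r in ("user", "staff"):
        add_transition(rules, f"{r}_t", "gpg_agent_exec_t", "gpg_agent_t")
        add_transition(rules, f"{r}_dbusd_t", "shell_exec_t", f"{r}_t")
    add_transition(rules, "gpg_agent_t", "dbusd_exec_t", "user_dbusd_t")
    return follow_chain(rules, f"{role}_t", SESSION_EXECS)


def shared_agent_conflict():
    """Trying to fix the above by adding a staff_dbusd_t transition collides
    on the key (gpg_agent_t, dbusd_exec_t); returns the error text."""
    rules = {}
    add_transition(rules, "user_t", "gpg_agent_exec_t", "gpg_agent_t")
    add_transition(rules, "staff_t", "gpg_agent_exec_t", "gpg_agent_t")
    add_transition(rules, "gpg_agent_t", "dbusd_exec_t", "user_dbusd_t")
    try:
        add_transition(rules, "gpg_agent_t", "dbusd_exec_t", "staff_dbusd_t")
    except TransitionConflict as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(per_role_chains())
    print(shared_agent_chain_for("staff"))
    print(shared_agent_conflict())
```

The model deliberately ignores name-based transitions and MCS/MLS, which do not change the point: once gpg_agent_t is the source of the dbus transition, the policy has lost the information about which role started the chain, so the only ways out are a per-role agent domain or having dbus-daemon started from something that still carries the role.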