From: dac.override@gmail.com (Dominick Grift) Date: Mon, 10 Aug 2015 09:27:18 +0200 Subject: [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/ In-Reply-To: <1439154658-18322-2-git-send-email-aranea@aixah.de> References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <1439154658-18322-2-git-send-email-aranea@aixah.de> Message-ID: <20150810072718.GB3707@x250> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, Aug 09, 2015 at 11:10:58PM +0200, Luis Ressel wrote: > --- > gpg.if | 3 ++- > gpg.te | 3 +++ > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/gpg.if b/gpg.if > index 13149ca..4141add 100644 > --- a/gpg.if > +++ b/gpg.if > @@ -205,10 +205,11 @@ interface(`gpg_rw_agent_pipes',` > # > interface(`gpg_stream_connect_agent',` > gen_require(` > - type gpg_agent_t, gpg_agent_tmp_t; > + type gpg_agent_t, gpg_agent_tmp_t, gpg_secret_t; > ') > > stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) > + stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, gpg_agent_t) > ') > > ######################################## > diff --git a/gpg.te b/gpg.te > index a40ac69..edf238a 100644 > --- a/gpg.te > +++ b/gpg.te 
> @@ -241,6 +241,9 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") I would probably instead confine scdaemon (I have confined scdaemon in my personal policy) > > domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) > > -- > 2.5.0 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift
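Review bot: in the gpg.if hunk, the added `stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, gpg_agent_t)` widens gpg_stream_connect_agent so that every caller now gets search on gpg_secret_t directories (the user's ~/.gnupg, where the private keys live), which the interface did not grant before; the interface's summary comment above the hunk should state this so callers know what they are being granted. The widening is limited to directory search, since the sock_file write and the unix_stream_socket connectto stay scoped to gpg_agent_tmp_t and gpg_agent_t, and keeping the original gpg_agent_tmp_t line alongside it is correct for the pre-2.1 socket location.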
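Review bot: in the gpg.te hunk, the "S.scdaemon" filetrans_pattern is granted to gpg_agent_t, so it only takes effect as long as scdaemon itself runs in gpg_agent_t; if scdaemon is later moved into its own domain, as suggested in the reply, that rule has to be granted to the new domain instead and will be dead in gpg_agent_t. The other two rules follow the existing "log-socket" rule and label the sockets gpg_agent_tmp_t, which the visible manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) already lets gpg_agent_t create and unlink, so they fit. The commit message says only that gpg 2.1 places the sockets in ~/.gnupg/; listing the three socket names it covers would make it clear which of gpg's sockets are handled.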