From: aranea@aixah.de (Luis Ressel) Date: Mon, 10 Aug 2015 15:15:26 +0200 Subject: [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/ In-Reply-To: <20150810072718.GB3707@x250> References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <1439154658-18322-2-git-send-email-aranea@aixah.de> <20150810072718.GB3707@x250> Message-ID: <20150810151526.2bccf6d0@gentp.lnet> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 10 Aug 2015 09:27:18 +0200 Dominick Grift wrote: > On Sun, Aug 09, 2015 at 11:10:58PM +0200, Luis Ressel wrote: > > --- > > gpg.if | 3 ++- > > gpg.te | 3 +++ > > 2 files changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/gpg.if b/gpg.if > > index 13149ca..4141add 100644 > > --- a/gpg.if > > +++ b/gpg.if > > @@ -205,10 +205,11 @@ interface(`gpg_rw_agent_pipes',` > > # > > interface(`gpg_stream_connect_agent',` > > gen_require(` > > - type gpg_agent_t, gpg_agent_tmp_t; > > + type gpg_agent_t, gpg_agent_tmp_t, gpg_secret_t; > > ') > > > > stream_connect_pattern($1, gpg_agent_tmp_t, > > gpg_agent_tmp_t, gpg_agent_t) > > + stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, > > gpg_agent_t) ') > > > > ######################################## > > diff --git a/gpg.te b/gpg.te > > index a40ac69..edf238a 100644 > > --- a/gpg.te > > +++ b/gpg.te 
> > @@ -241,6 +241,9 @@ manage_sock_files_pattern(gpg_agent_t, > > gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, > > gpg_agent_tmp_t, { file sock_file dir }) > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > sock_file, "log-socket") +filetrans_pattern(gpg_agent_t, > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") > > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.ssh") +filetrans_pattern(gpg_agent_t, > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") > > I would probably instead confine scdaemon ( i have confined scdaemon > in my personal policy) I'll have a look into confining scdaemon. But for now, it's running as gpg_agent_t, so we should label its socket accordingly. -- Luis Ressel
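Review bot: in the gpg.if hunk, the added `stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, gpg_agent_t)` gives every caller of `gpg_stream_connect_agent` search permission on gpg_secret_t directories (the ~/.gnupg directory named in the subject line), which the previous gpg_agent_tmp_t-only line did not; that widening should be called out in the interface's description so callers know they now get to traverse the keyring directory, and it is worth keeping the original `stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` line (as the hunk does) so the pre-2.1 socket location keeps working.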
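Review bot: in the gpg.te hunk, the three new `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "...")` lines follow the existing `"log-socket"` precedent, but the `"S.scdaemon"` transition belongs to scdaemon rather than the agent proper; since the reply states scdaemon currently runs as gpg_agent_t, the rule is correct for now, and a one-line comment above it saying it is scdaemon's socket would make it easy to move into a separate scdaemon domain later, as Dominick suggests. The `"S.gpg-agent.ssh"` socket is the one ssh clients will connect to, so domains that need it must also call the updated `gpg_stream_connect_agent` interface from the first hunk.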