From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 10 Aug 2015 15:33:14 +0200
Subject: [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/
In-Reply-To: <20150810151526.2bccf6d0@gentp.lnet>
References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <1439154658-18322-2-git-send-email-aranea@aixah.de> <20150810072718.GB3707@x250> <20150810151526.2bccf6d0@gentp.lnet>
Message-ID: <20150810133313.GC3707@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Aug 10, 2015 at 03:15:26PM +0200, Luis Ressel wrote:
> On Mon, 10 Aug 2015 09:27:18 +0200
> Dominick Grift wrote:
>
> > On Sun, Aug 09, 2015 at 11:10:58PM +0200, Luis Ressel wrote:
> > > ---
> > > gpg.if | 3 ++-
> > > gpg.te | 3 +++
> > > 2 files changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/gpg.if b/gpg.if
> > > index 13149ca..4141add 100644
> > > --- a/gpg.if
> > > +++ b/gpg.if
> > > @@ -205,10 +205,11 @@ interface(`gpg_rw_agent_pipes',`
> > > #
> > > interface(`gpg_stream_connect_agent',`
> > > gen_require(`
> > > - type gpg_agent_t, gpg_agent_tmp_t;
> > > + type gpg_agent_t, gpg_agent_tmp_t, gpg_secret_t;
> > > ')
> > >
> > > stream_connect_pattern($1, gpg_agent_tmp_t,
> > > gpg_agent_tmp_t, gpg_agent_t)
> > > +stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t,
> > > gpg_agent_t) ')
> > >
> > > ########################################
> > > diff --git a/gpg.te b/gpg.te
> > > index a40ac69..edf238a 100644
> > > --- a/gpg.te
> > > +++ b/gpg.te
> > > @@ -241,6 +241,9 @@ manage_sock_files_pattern(gpg_agent_t,
> > > gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t,
> > > gpg_agent_tmp_t, { file sock_file dir })
> > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "log-socket") +filetrans_pattern(gpg_agent_t,
> > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> > > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.ssh") +filetrans_pattern(gpg_agent_t,
> > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> >
> > I would probably instead confine scdaemon (I have confined scdaemon
> > in my personal policy).
>
> I'll have a look into confining scdaemon. But for now, it's running as
> gpg_agent_t, so we should label its socket accordingly.

How about then just removing the names from the transitions? That will make it so that if the agent creates any sock files in ~/.gnupg, they'll automatically get created with the agent type.

"Do as I say and not as I do": we should be conservative with the use of name-based auto type transitions.

Also, the S.scdaemon sock file above has no accompanying file context specification?

>
> --
> Luis Ressel
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
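Review bot: in the gpg_stream_connect_agent hunk of gpg.if, the added stream_connect_pattern call differs from the existing one only in its directory argument (gpg_secret_t in place of gpg_agent_tmp_t), so the only permission it really adds for $1 is search on gpg_secret_t directories, while the sock_file write and unix_stream_socket connectto rules are now emitted twice. Stating the new grant directly, for example `allow $1 gpg_secret_t:dir search_dir_perms;` next to the existing call, makes it obvious to a reader that every caller of this interface gains traversal of the user's ~/.gnupg directory; the interface's doc comment (the `#` block just above it in the hunk context) should also mention that the agent socket may now live in ~/.gnupg rather than only under gpg_agent_tmp_t.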
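Review bot: the three named sock_file transitions added in the gpg.te hunk have no matching file context entries, and the diffstat shows only gpg.if and gpg.te changed, so a restorecon of ~/.gnupg would relabel S.gpg-agent, S.gpg-agent.ssh and S.scdaemon to whatever gpg.fc assigns to the directory's contents rather than gpg_agent_tmp_t; clients are only granted write on gpg_agent_tmp_t sock files through gpg_stream_connect_agent, so connects would then fail until the agent recreates its sockets. Either add the corresponding `-s` entries to gpg.fc in the same patch (the reply already flags S.scdaemon as missing one) or, as the reply suggests, drop the name argument so a single `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)` covers every socket the agent creates there, in which case the existing "log-socket" rule becomes redundant and can go in the same change.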
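The two labelling strategies discussed in this thread side by side, as an added illustration that is not part of the submitted patch or of refpolicy itself: the name-based transitions the patch adds, the single unnamed transition the reply proposes, and the file context entries that keep restorecon in agreement with the runtime transition. The HOME_DIR path patterns are an assumption about how gpg.fc would be written, not lines from the patch.

```m4
# Added illustration, not code from the patch or from refpolicy as shipped.
# Two ways to give the sockets gpg-agent 2.1 creates in ~/.gnupg
# (a gpg_secret_t directory) the gpg_agent_tmp_t type.

# (a) What the patch does: one name-based transition per socket.
#     A socket created under any other name keeps the directory's type.
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")

# (b) The alternative proposed in the reply: one unnamed transition.
#     Every sock_file gpg_agent_t creates in a gpg_secret_t directory
#     becomes gpg_agent_tmp_t regardless of its name, which also makes the
#     existing named "log-socket" rule redundant.
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)

# Whichever form is used, gpg.fc needs entries so that restorecon(8)
# assigns the same type the runtime transition does. These lines are an
# assumption about gpg.fc and belong in that file, not in gpg.te;
# `-s` limits each regex to socket files.
# HOME_DIR/\.gnupg/S\.gpg-agent(\.ssh)?	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
# HOME_DIR/\.gnupg/S\.scdaemon	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
```

Form (a) is the conservative choice the reply argues against only on the grounds of name-based transitions in general; form (b) is simpler but also types any future socket the agent happens to create in ~/.gnupg, which is exactly what the reply wants. The fc entries are needed in both cases, because a type_transition only governs creation, not a relabel.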